Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-05-2024 23:23
Static task: static1
Behavioral task: behavioral1
- Sample: 318ef9cfc9a05e31a05bf1ec3c2b2109_JaffaCakes118.dll
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 318ef9cfc9a05e31a05bf1ec3c2b2109_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 318ef9cfc9a05e31a05bf1ec3c2b2109_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 318ef9cfc9a05e31a05bf1ec3c2b2109
- SHA1: c1eb85e5f6692f062242b5959f44d8b26e616833
- SHA256: 865b10d9b9e7469d6f48b2a488da995a311c6875ee23d946e0c90cab7bbce773
- SHA512: e0d6a5083e09854d6255c60d71201d5822e080725c14464328254fd43562257407aa6ae8405f0eb00cc3c332d2b21f966490d7ecbccb72a7aa2876a6a6cc5ad7
- SSDEEP: 24576:zbLgddQhfdmMSirYbcMNgef0U6SASk+Kdq/:znAQqMSPbcBVU6SAA
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3376) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    4356  mssecsvc.exe
    688   mssecsvc.exe
    4836  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 4160 wrote to memory of 3636  4160  rundll32.exe  rundll32.exe
    PID 4160 wrote to memory of 3636  4160  rundll32.exe  rundll32.exe
    PID 4160 wrote to memory of 3636  4160  rundll32.exe  rundll32.exe
    PID 3636 wrote to memory of 4356  3636  rundll32.exe  mssecsvc.exe
    PID 3636 wrote to memory of 4356  3636  rundll32.exe  mssecsvc.exe
    PID 3636 wrote to memory of 4356  3636  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\318ef9cfc9a05e31a05bf1ec3c2b2109_JaffaCakes118.dll,#1
  PID: 4160
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\318ef9cfc9a05e31a05bf1ec3c2b2109_JaffaCakes118.dll,#1
    PID: 3636
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4356
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4836
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 688
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 389c073a096bc2d1b08729365cf82802
  SHA1: 46235da95b5877eeb65bc230297ab3dd400d238a
  SHA256: be01cb362759e1d821227542dbb9358e962e62198881b83d86e29eb21d116f54
  SHA512: 2c906dda9dff934474118582301dc586c13abe9666754b0d16333e8925f3bc6e7f22401e94c7e3e9584924b37b14024604285d26517201ced97e063cf8c9ec7b
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 1a46563038a0cb83090bae987da31a82
  SHA1: 414ff3501b8f7f31e41b2543a7c2d0256fe783d7
  SHA256: 7547a90d72937e374589301b3da01af5d9a962e0548d9615df7f13b1c2b1baca
  SHA512: 6dbb12754321127c640340f2fd586f6a4f36fec88f32973e3f69818752ac8ee727404acaf5a689edd5b8b007358a40c90e00e34472c73b25e84502d07ed8fb77