Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-05-2024 09:40
Static task: static1
Behavioral task: behavioral1
  Sample: 2e81b88e80f28aec66d7cd5133ecc2f9_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2e81b88e80f28aec66d7cd5133ecc2f9_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 2e81b88e80f28aec66d7cd5133ecc2f9_JaffaCakes118.dll
Size: 5.0MB
MD5: 2e81b88e80f28aec66d7cd5133ecc2f9
SHA1: 94035e850ee7a618473d53c2f592895f654600b0
SHA256: 543b7b9393bd9202177b9ab87b27351818c8ad497a4c98eac678cb893f2a66b0
SHA512: 9d94bc5d0a1d685c06d1bd4eed74fb0f47c8de65b71bbd010e93f708f8d8e9214e27697d35a5ce3c91e610a192d6f68f327477a7e3abb80d5e2104a0b27ade72
SSDEEP: 98304:+DqPoB5xcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPGxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3237) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    4408  mssecsvc.exe
    5032  mssecsvc.exe
    908   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 60 wrote to memory of 5036    60    rundll32.exe  rundll32.exe
    PID 60 wrote to memory of 5036    60    rundll32.exe  rundll32.exe
    PID 60 wrote to memory of 5036    60    rundll32.exe  rundll32.exe
    PID 5036 wrote to memory of 4408  5036  rundll32.exe  mssecsvc.exe
    PID 5036 wrote to memory of 4408  5036  rundll32.exe  mssecsvc.exe
    PID 5036 wrote to memory of 4408  5036  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e81b88e80f28aec66d7cd5133ecc2f9_JaffaCakes118.dll,#1
  PID: 60
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e81b88e80f28aec66d7cd5133ecc2f9_JaffaCakes118.dll,#1
    PID: 5036
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4408
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 908
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 5032
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 8f7cb9b5f1ee6834427ce656255ba45c
  SHA1: 7fa33d93126aeef2c30659dc83d5aeaaf1aa0e49
  SHA256: 760417e8a56f54d22ed1dbd170dd33868a0c332d197b1c16fe47b89269528717
  SHA512: d7a3d574fecb7e45b7d82d53f22c45e20179c6d7aa0d2eb0970380a8188f369a2c0214aa76bf66128f315a7d3365a0189ca940929bc9580a3e3db01c07cb0835
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 618f30960ee31b3f9433b9b994786487
  SHA1: 3b5b43220ab723eb7f9aaa5c9a2b542ee07ec07d
  SHA256: b28dca71a461f588bc8ccbe32831c9750864c6c20c8ead15027d43e0242efa9e
  SHA512: 46b892cf875df79750b9fa996ce4484bfdd4cc21a8850b0ea5b31a008fcd276f2d52523ac5534d416a434120c9ded1bc78edaf5b72a23f5f71331af2142ab39a