Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-05-2024 11:00
Static task: static1
Behavioral task: behavioral1
- Sample: 2ec7d1f90d57b3f3e5057e3b032bea5a_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 2ec7d1f90d57b3f3e5057e3b032bea5a_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 2ec7d1f90d57b3f3e5057e3b032bea5a_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 2ec7d1f90d57b3f3e5057e3b032bea5a
- SHA1: 63536a6303c855181bf6a57fbf68d6e3b2e55145
- SHA256: 427453cd2e3bada668d880e6eec35e83a92532263df7e69d2f67f30e627edf93
- SHA512: d0beb1dc06e9fcdcba033c5a7fc39d5453ffafadf6667f6a5fafbfb0a057c4b2e31ac112ccb22a0b80b92c792c0164e5e7e6460652641fcce54978d36a763857
- SSDEEP: 49152:SnAQqMSPbcBVQej/1IN5AMEcQEau3R8yAH1plAH:+DqPoBhz1a55T3R8yAVp2H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3203) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 4712 mssecsvc.exe
  - 4196 mssecsvc.exe
  - 4448 tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (mssecsvc.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  - PID 1280 wrote to memory of 5048: 1280 rundll32.exe -> rundll32.exe
  - PID 1280 wrote to memory of 5048: 1280 rundll32.exe -> rundll32.exe
  - PID 1280 wrote to memory of 5048: 1280 rundll32.exe -> rundll32.exe
  - PID 5048 wrote to memory of 4712: 5048 rundll32.exe -> mssecsvc.exe
  - PID 5048 wrote to memory of 4712: 5048 rundll32.exe -> mssecsvc.exe
  - PID 5048 wrote to memory of 4712: 5048 rundll32.exe -> mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 1280, level 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ec7d1f90d57b3f3e5057e3b032bea5a_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 5048, level 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ec7d1f90d57b3f3e5057e3b032bea5a_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 4712, level 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 4448, level 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 4196, level 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  - Filesize: 3.6MB
  - MD5: 1b2a00a37ef42709cc56b202a834f8ee
  - SHA1: 2042224f22294df4629d4f4cb0946761387cbf08
  - SHA256: fdd0e31bbb92fdda81ab4d2a13a3bebff0ba4627a8fb623822a421309765979f
  - SHA512: 7dacf94cd985277a88e7a9fe1a2b5ca7eaf2205df65a61f8216e34d3bf75d43ae1c472c20f05c24c2f25c1c163f5541baf4ca7eec03bad56d083101900c84411
- C:\Windows\tasksche.exe
  - Filesize: 3.4MB
  - MD5: 02fe7a6b7dd8d5ba72d6027753a24d9c
  - SHA1: b950375dc5fdc23af5b40a748963fb80b8bc2e46
  - SHA256: a99fd8d4b4b0ca08f0a5c0687d96207a6d6718e07dfcc8206cb86bea3e8db5ec
  - SHA512: bf101c3f77f8b636cdcd9e516faf51de49598ca6d9b0af1469bff6632766c0b4811966f22c9067ba20753d0cb9f70b216fe43d10f4360c04773a7e97b81efa39