Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
10-05-2024 10:38
Static task
static1
Behavioral task
behavioral1
Sample
2eb5330b446d2fa44fe682b1690ff89d_JaffaCakes118.dll
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
2eb5330b446d2fa44fe682b1690ff89d_JaffaCakes118.dll
Resource
win10v2004-20240426-en
General
-
Target
2eb5330b446d2fa44fe682b1690ff89d_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
2eb5330b446d2fa44fe682b1690ff89d
-
SHA1
e3a0b6ce278dc8ae94846ab6aab8e1b4d96a4b51
-
SHA256
714c815f33366588ba72840466b43260e527831a44938a4d713f7e82d5c3acab
-
SHA512
c74db9c8677e1d7358038d23ccf1b292390c6d52a32123d4f362d3fe8ba843e24740da7e96e3f65b9fbdcbc4d857e846ec76927b9dd2a9c2ca855fd49bdfa33b
-
SSDEEP
98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2o:+DqPe1Cxcxk3ZAEUadzR8yc4
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3363) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 3500 mssecsvc.exe 2924 mssecsvc.exe 1148 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
mssecsvc.exerundll32.exedescription ioc process File created C:\WINDOWS\tasksche.exe mssecsvc.exe File created C:\WINDOWS\mssecsvc.exe rundll32.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1180 wrote to memory of 4496 1180 rundll32.exe rundll32.exe PID 1180 wrote to memory of 4496 1180 rundll32.exe rundll32.exe PID 1180 wrote to memory of 4496 1180 rundll32.exe rundll32.exe PID 4496 wrote to memory of 3500 4496 rundll32.exe mssecsvc.exe PID 4496 wrote to memory of 3500 4496 rundll32.exe mssecsvc.exe PID 4496 wrote to memory of 3500 4496 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2eb5330b446d2fa44fe682b1690ff89d_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1180 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2eb5330b446d2fa44fe682b1690ff89d_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4496 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3500 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:1148
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2924
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\WINDOWS\mssecsvc.exeFilesize
3.6MB
MD5c75323fc0e89cf733ab182dadc67c60e
SHA176717353e5c5f212cc2acc77f7e164cce596d755
SHA256780cd956f2220631086a17cbd6e838ae096831f53dc71e674ad983fa1088b2fd
SHA512f9848559ab6d490ee640240e2001cb3dd04f39dccfd1ad743fc9c5a9824b958a77add7569d2fa656e2e9ae7709c0c862332463bc6d4b1ded88563fc34390179d
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD53b39c6d45c538f2d36204e81914325f7
SHA1c89e14ff9d5737fdb2e048604a74be8fbe8407c4
SHA256cd475edc3a7e64227fea88e61767245acbceffe77f8c3e09bd49927cbda29210
SHA512c7992514b3b0ce6c683c83ecf0c5ae0acbf7895a5e537631da75e6cc75e898b78e93b465f60be3a87e20edb2acc1e8dff9df4930fd13a41e873151efea2fdfce