Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-05-2024 11:39
Static task: static1
Behavioral task: behavioral1
  Sample: 2eed58838ca173ec3db6ba7aea01bc3e_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2eed58838ca173ec3db6ba7aea01bc3e_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 2eed58838ca173ec3db6ba7aea01bc3e_JaffaCakes118.dll
Size: 5.0MB
MD5: 2eed58838ca173ec3db6ba7aea01bc3e
SHA1: d47b8b5444a9a324361badb6a16b181bbc5a9817
SHA256: d139899bbf14f9de9233100c96283d93d97c974c6e87c6f2cda85f71dae41445
SHA512: 9ceb6019d4ecc6c2f64f7b16fc27f1b2c257a210d47160eb885900d6dcc8829540f9b7687ba2993b47388cf1900faf139f8ea0c715643bde659baa1b0c5f2711
SSDEEP: 98304:+DqPoBItcSUDk36SAEdhvxWa9P593R8yAVp2:+DqPptcxk3ZAEUadzR8yc4
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3324) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
Processes (PID, process):
  3064  mssecsvc.exe
  1848  mssecsvc.exe
  1040  tasksche.exe

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
Processes (description, IoC, process):
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)

Modifies data under HKEY_USERS (5 IoCs)
Processes (description, IoC, process):
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (mssecsvc.exe)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description, PID, process, target process):
  PID 2728 wrote to memory of 4912: rundll32.exe -> rundll32.exe
  PID 2728 wrote to memory of 4912: rundll32.exe -> rundll32.exe
  PID 2728 wrote to memory of 4912: rundll32.exe -> rundll32.exe
  PID 4912 wrote to memory of 3064: rundll32.exe -> mssecsvc.exe
  PID 4912 wrote to memory of 3064: rundll32.exe -> mssecsvc.exe
  PID 4912 wrote to memory of 3064: rundll32.exe -> mssecsvc.exe
Processes (indented by process-tree depth)

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2eed58838ca173ec3db6ba7aea01bc3e_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2728

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2eed58838ca173ec3db6ba7aea01bc3e_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 4912

        C:\WINDOWS\mssecsvc.exe
          Command line: C:\WINDOWS\mssecsvc.exe
          - Executes dropped EXE
          - Drops file in Windows directory
          PID: 3064

            C:\WINDOWS\tasksche.exe
              Command line: C:\WINDOWS\tasksche.exe /i
              - Executes dropped EXE
              PID: 1040

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 1848
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 67c5e6cb5e44c79f60617741bf3c21f8
  SHA1: 5f9ccf6b1767d5618b981e4a5bd9a9d55a87b8e6
  SHA256: 5a69a5fc95a4d643f935b16ee26c4e84d7c91c8120b0f50460ce95f46daaa0f9
  SHA512: 57af93864b4715faf26114f66f66b2b7afcd511eb8d61f661cf4a708aea116b8dfc1aa5f64d0b5e7e2f6706d0197580122a24b81a13e55522c4a0e4ad8d7e013

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 43ba539881d9807f5f5307be46970dd3
  SHA1: 1d8b300291796f96f1557325fa75109bfdd6628e
  SHA256: 70a1d71f66c97323beb5b566ddc7ae8227a01d8e93eace79b1bc0219b850dfba
  SHA512: 5b649f1a83f45c3ab5ebc29ba98b23410ba9f70d38473886ae2bc3ace77295eba8c83a3383dc5789f6fee21d6076d2cdccea2eb8dda0d973dba8d8761e23afc0