Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-05-2024 14:43
Static task: static1
Behavioral task: behavioral1
- Sample: 2fa1a6affa793ce0a954193b53d84f82_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2fa1a6affa793ce0a954193b53d84f82_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 2fa1a6affa793ce0a954193b53d84f82_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 2fa1a6affa793ce0a954193b53d84f82
- SHA1: 6a15bb42c3d51011ba2a734e8d165ee0d283b8c3
- SHA256: 55828142644029337c9cab5259f570e754baba5a7143181d4626a93436c77f41
- SHA512: a62769e92257937a4915bcb5c16e975564a76e34f1d555eb90288a64981730d482f94ad37f28eeef632fd462e9f58aa929dfb2cc27de9179c340b15421c8a7eb
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0styg3B1jaATc:+DqPoBhz1aRxcSUDk36SAEdhvxWTHa
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3297) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid   process
    1136  mssecsvc.exe
    4992  mssecsvc.exe
    2732  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description   ioc                        process
    File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
    File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
    description      ioc                                                                                                     process
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                          pid   process       target process
    PID 2188 wrote to memory of 464      2188  rundll32.exe  rundll32.exe
    PID 2188 wrote to memory of 464      2188  rundll32.exe  rundll32.exe
    PID 2188 wrote to memory of 464      2188  rundll32.exe  rundll32.exe
    PID 464 wrote to memory of 1136      464   rundll32.exe  mssecsvc.exe
    PID 464 wrote to memory of 1136      464   rundll32.exe  mssecsvc.exe
    PID 464 wrote to memory of 1136      464   rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fa1a6affa793ce0a954193b53d84f82_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2188
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fa1a6affa793ce0a954193b53d84f82_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 464
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 1136
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2732
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 4992
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: b312269c7e699141551b7e844e32cd84
  SHA1: 59764e99605cd9e6cee9430ac074b9cb11e6f4f8
  SHA256: 06ba819e39a07e5748383ca32587f0634858f395ada5f5413140da0e56bae168
  SHA512: 9487c53ee9a6eb7887701014930017d37af5c5db282d541374d448f3124e4257d47739335ab66f4c527cd358a90c096235da3cbb5a5f617e56930233cbaf6c82
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: d57254187d87e8b92b561f0e17cb1de5
  SHA1: fac778cfb39eb034bf13ceb8f7dcda3cd7f8be46
  SHA256: 730309041fa07c19194be5bb878be0cdeace11e0c5bfcf3f24c773b9ec5d32a8
  SHA512: 771db357430a476769d3436d60687ecb2e5b387f1b216ba452ab9cc23792b70a24181b819f2f78723107023f0da6ee16d383d9de3309abd0d22e65a674022354