Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-05-2024 15:54
Static task: static1
Behavioral task: behavioral1
  Sample: 2fe3b52fc337d3a1a1cdca0f48f46773_JaffaCakes118.dll
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 2fe3b52fc337d3a1a1cdca0f48f46773_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 2fe3b52fc337d3a1a1cdca0f48f46773_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 2fe3b52fc337d3a1a1cdca0f48f46773
- SHA1: f8e4e3df09e914f104fb7f64d4cdf2c6d0e9a76b
- SHA256: 89d54bd2f03dcdc4703e8b457edc8559e74c9eb56a0fe0c18eb4b7c2c0367f4b
- SHA512: f51102d052b9ce4c4d78139d5cfa1e35fc5427c7e8af8380a839f875a60bd8ecc63f2150e7fd6b910321fd57ea2fac0ea39330c759838259ac709ec1756c54b9
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593ip2H:+DqPe1Cxcxk3ZAEUadzi4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3214) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    PID   Process
    3228  mssecsvc.exe
    324   mssecsvc.exe
    384   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    Description   IoC                       Process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
    Description      IoC                                                                                                   Process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                        mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"      mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"     mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"       mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    Description                       PID   Process       Target process
    PID 1672 wrote to memory of 844   1672  rundll32.exe  rundll32.exe
    PID 1672 wrote to memory of 844   1672  rundll32.exe  rundll32.exe
    PID 1672 wrote to memory of 844   1672  rundll32.exe  rundll32.exe
    PID 844 wrote to memory of 3228   844   rundll32.exe  mssecsvc.exe
    PID 844 wrote to memory of 3228   844   rundll32.exe  mssecsvc.exe
    PID 844 wrote to memory of 3228   844   rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fe3b52fc337d3a1a1cdca0f48f46773_JaffaCakes118.dll,#1
  PID: 1672
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fe3b52fc337d3a1a1cdca0f48f46773_JaffaCakes118.dll,#1
    PID: 844
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3228
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 384
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 324
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: d9dce092aed3030e2a500f8c6b1d892e
  SHA1: 6829f556957c3d54c6c9b6342339d2a72bafda72
  SHA256: 490b71b9d0552dc07ee5d57aef16ee95c4d61e8126a59065f83fa6d739493dfd
  SHA512: 495f3735246d700dc4fbf33be3a77f03916d9d8e4e6aa00d4d387fcd91eb4c7ddd9a7d07979f5476dc8f0d70cdc7fb3e48c7370ef4f454420ae930bb7d97ddb8
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 706fb84b80387399862b77592a003faf
  SHA1: fcdff5d4e29f7d4aca362afe53554309f4106f4c
  SHA256: ff8b504e2c6b1e62693f64f39b2fd9ac5c3e0d33c54cab137f0465d3e22f2a91
  SHA512: 55219a69ce37eb2c219dae7940f9a2b936b46333529ac4618a72dd29aaa580b1506d3e8734a1c3d8f38c65509f7f80647747321313ca74c61f05de8dedf3731d