Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-05-2024 15:56
Static task: static1
Behavioral task: behavioral1
- Sample: 2fe52d89a67c9906720d04670dcfbaee_JaffaCakes118.dll
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 2fe52d89a67c9906720d04670dcfbaee_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 2fe52d89a67c9906720d04670dcfbaee_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 2fe52d89a67c9906720d04670dcfbaee
- SHA1: 0b661cade27f643d76c471db33729a8b795639da
- SHA256: 27f6f8bc00bde8c8c6b5692388bf4458131a940814a1a903065bfdc2cfed0fde
- SHA512: f719bec24ddc570b30a529746dc3c68d6d81604efa9e0583b35c77cfe3d60824f3390cd8bbdaa9294c0f8781d2eff79ed7ac5ac1643c42459afb03a3374a6fd8
- SSDEEP: 98304:+DqPoBQ1aRxcSUDk36SAEdhvxWa9P593R8yA:+DqPn1Cxcxk3ZAEUadzR8y
Malware Config

Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3333) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    5056  mssecsvc.exe
    2264  mssecsvc.exe
    3024  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 2148 wrote to memory of 1216  2148  rundll32.exe  rundll32.exe
    PID 2148 wrote to memory of 1216  2148  rundll32.exe  rundll32.exe
    PID 2148 wrote to memory of 1216  2148  rundll32.exe  rundll32.exe
    PID 1216 wrote to memory of 5056  1216  rundll32.exe  mssecsvc.exe
    PID 1216 wrote to memory of 5056  1216  rundll32.exe  mssecsvc.exe
    PID 1216 wrote to memory of 5056  1216  rundll32.exe  mssecsvc.exe
Processes (process tree; indentation shows parent/child)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fe52d89a67c9906720d04670dcfbaee_JaffaCakes118.dll,#1
  PID: 2148
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fe52d89a67c9906720d04670dcfbaee_JaffaCakes118.dll,#1
    PID: 1216
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 5056
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 3024
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2264
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 39257dbef45a759e3c44d0be045d8d61
  SHA1: f75daf7947b40ce133359a29d84469b833f69a20
  SHA256: ed3cb02276d4e304a8403ee3ebfb156e5b46e739f3e72cf91dd42ae9bbbfc9f7
  SHA512: e06c4f54c854aaf76bb240457cc74c2bdeb26337daadec480b074719737a0993bfdd238f9c768a25a2fc37f06dbd6971ad185824875b086b4894a4237032d133
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 6298fb6f109a807ddfac1f8dcc014335
  SHA1: 36ad7ca09f15a364f8174df1f2f0b559454464c6
  SHA256: a4ab229ff389272762db421d8591db5b272b8aa831823df71ba35fad98d7ba1d
  SHA512: 0eb439156c26088ec3516f472b6d05311b9cef226dd249d2932f4cd267e122bbc44cec031b924f8053d6013f9f34ecaca5ee874ee01cdd2ed662a9535549f345