Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
10-05-2024 21:05
Static task
static1
Behavioral task
behavioral1
Sample
3109b65e8686e4baa0113616a10993f3_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
3109b65e8686e4baa0113616a10993f3_JaffaCakes118.dll
Resource
win10v2004-20240426-en
General
-
Target
3109b65e8686e4baa0113616a10993f3_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
3109b65e8686e4baa0113616a10993f3
-
SHA1
2398716f9106b2fba069b3f9ed9607fbb211efe7
-
SHA256
ff74d29ec91885d27016c0057a576c092dcaec22501c1028c77cccb918f7abce
-
SHA512
013db95bfa715d03c829f9b8b278221013da3d48dca06e92b97addd37288dcc14199312bb0a250ef25c4f9ca258f9453d7142c9fb8f5fd3c112ee431188ebda1
-
SSDEEP
49152:SnAQqMSPbcBVqhnvxJM0H9PAMEcaEau3R8yAH1plAH:+DqPoBQhvxWa9P593R8yAVp2H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3230) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 2720 mssecsvc.exe 2888 mssecsvc.exe 3424 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
mssecsvc.exerundll32.exedescription ioc process File created C:\WINDOWS\tasksche.exe mssecsvc.exe File created C:\WINDOWS\mssecsvc.exe rundll32.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 5084 wrote to memory of 5080 5084 rundll32.exe rundll32.exe PID 5084 wrote to memory of 5080 5084 rundll32.exe rundll32.exe PID 5084 wrote to memory of 5080 5084 rundll32.exe rundll32.exe PID 5080 wrote to memory of 2720 5080 rundll32.exe mssecsvc.exe PID 5080 wrote to memory of 2720 5080 rundll32.exe mssecsvc.exe PID 5080 wrote to memory of 2720 5080 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3109b65e8686e4baa0113616a10993f3_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:5084 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3109b65e8686e4baa0113616a10993f3_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5080 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2720 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:3424
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2888
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD54b64ed19eba723d7fd0f27b7456e463d
SHA1e218b7fd95809c00baaae98d880773b2052b601e
SHA256c1891202395b193c6bf77053101d34dd3c0f496c7f3c694f7611d6bbee2e1d98
SHA512c52d1025237ac6d49ffedcab6b84b51fac90c4f82c76e62216efe2e9c227ba775912a32e3a8a47738868c5f8fedfeac88cb5e87b5e4e29262acb64784a61a51b
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD50704028bbfb9be0fcc1b3a636e0407a9
SHA12fab42fc578a27f9b27412cc72226bcd59846cad
SHA256a2884390164fbb65b90bf147c7d8de49943a447a0c0edd61da6e494fdd062318
SHA512c362f3adc8b58561208eae7456312bc5544a23bd2b7ec13fa15de95fcab7ff038b20f983c534d653131de411246851e3dba1715f5305a0afb681f4c9c804fc62