Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2024 23:54
Static task: static1
Behavioral task: behavioral1
  Sample: 37349963654abd9e66db2c0e8681243f_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 37349963654abd9e66db2c0e8681243f_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 37349963654abd9e66db2c0e8681243f_JaffaCakes118.dll
Size: 5.0MB
MD5: 37349963654abd9e66db2c0e8681243f
SHA1: 0ad6c69abb62ca7686f244a8b244fb0266ea2b0a
SHA256: 0084d35bd8e774e086f9510977bbdd5f062a6eb5aed88c18f89ad61bf3b295bf
SHA512: a424f3c90714dc5fb794e9443adcebb8b8954fd1175abf72c3aa7bc58386a38035e39c55c8b1882f644821a72b48cb46246d54d33b75d57b7d154f63a41f9bd6
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAI93R8yAVp2H:+DqPe1Cxcxk3ZAuR8yc4H
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.
Contacts a large (3332) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2764 mssecsvc.exe
    4076 mssecsvc.exe
    228 tasksche.exe
Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
    File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (mssecsvc.exe)
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (mssecsvc.exe)
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (mssecsvc.exe)
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (mssecsvc.exe)
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (mssecsvc.exe)
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 1812 wrote to memory of 848: rundll32.exe -> rundll32.exe (3 events)
    PID 848 wrote to memory of 2764: rundll32.exe -> mssecsvc.exe (3 events)
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\37349963654abd9e66db2c0e8681243f_JaffaCakes118.dll,#1
  PID: 1812
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\37349963654abd9e66db2c0e8681243f_JaffaCakes118.dll,#1
    PID: 848
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2764
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 228
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4076
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: d87f9fd9a5f72e97d2e47c8d2c64f53e
  SHA1: 7660e0be196d0e07a6c1adb4015d94e5c2260f2d
  SHA256: 43dbf7121a7a55754e0bb0fc9e0e28a9fde79dc7d2004299241c9bebc6246111
  SHA512: 0957f79e99006b4ff010dfed8258adff5d302fffc03801cf68d36a3a02da5b85bfc18f01745a9ee4d1927fbfc125579b2421621ef3a75769faab04297abdb567
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 866ec34a1bf2f8d9b3b81dafd9358ec6
  SHA1: 3b16d2936a026d7ebfa248018efcb6f20ac58fa7
  SHA256: 93969c25814c00bb00911c3b75636c39af13601baeb208d073051ef5858c40fc
  SHA512: 16c47fc0904e3ef9fa5519c0443e0d723904d04ad3482c06e70fcb072fa0a674ef16479f1e45c0e693fec7f51ef9c0607f25843b38899eb885d2b2760e4f8c6d