Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-05-2024 04:49
Static task: static1
Behavioral task: behavioral1
  Sample: 3856ef42d7ce6f8d6846d7dcdea1cc49_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 3856ef42d7ce6f8d6846d7dcdea1cc49_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General

Target: 3856ef42d7ce6f8d6846d7dcdea1cc49_JaffaCakes118.dll
Size: 5.0MB
MD5: 3856ef42d7ce6f8d6846d7dcdea1cc49
SHA1: 4c8b980864fba332a123ebfd54c162792fe5bfc7
SHA256: 0425190cd56bfb638636057a1714fb3315da5046822e73ff4b1bfced0d92c229
SHA512: c0b1bc0441753a355b5d406aa45957c08b8934cc31c7020495b5e76427f8c7dc9cfba1ddbf5995cdacd85be44384e1f5bce297bd89caa3e8b59543f7bb016176
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5ZyAVp2H:+DqPe1Cxcxk3ZAEUad7yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3199) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes:
    PID 5020  mssecsvc.exe
    PID 316   mssecsvc.exe
    PID 3636  tasksche.exe

- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Drops file in Windows directory (2 IoCs)
  Processes:
    rundll32.exe   File created  C:\WINDOWS\mssecsvc.exe
    mssecsvc.exe   File created  C:\WINDOWS\tasksche.exe

- Modifies data under HKEY_USERS (5 IoCs)
  Process: mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 1244 (rundll32.exe) wrote to memory of PID 4252 (rundll32.exe)   x3
    PID 4252 (rundll32.exe) wrote to memory of PID 5020 (mssecsvc.exe)   x3
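The host-side signatures above (dropped EXE executed, file dropped in the Windows directory, ZoneMap values written under HKU\.DEFAULT) are simple to reproduce as detection logic over endpoint telemetry. The following is an added example written for this page, not code from the sandbox or the report: it replays hand-constructed Sysmon-style events that mirror the report's process tree (PIDs 1244, 4252, 5020, 3636, 316) and IoCs, and shows how each signature is derived. The parent PIDs 900 and 700 for the two tree roots are assumptions, since the report does not show them.

```python
"""Replay the report's host-side signatures against constructed Sysmon-style events.

Added example; not code from the sandbox or the report. The event list is
hand-constructed to mirror the report's process tree and IoCs. Field names
loosely follow Sysmon event IDs 1 (ProcessCreate), 11 (FileCreate) and
13 (RegistryValueSet); parent PIDs 900 and 700 are assumptions.
"""

WINDOWS_DIR = r"c:\windows"
# The four values the report shows mssecsvc.exe setting under HKU\.DEFAULT\...\ZoneMap.
ZONEMAP_SET = {"ProxyBypass": "1", "IntranetName": "1", "UNCAsIntranet": "1", "AutoDetect": "0"}
DLL = r"C:\Users\Admin\AppData\Local\Temp\3856ef42d7ce6f8d6846d7dcdea1cc49_JaffaCakes118.dll"
ZONEMAP = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"


def proc(pid, ppid, image, cmdline):
    return {"type": "process_create", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


def fcreate(pid, target):
    return {"type": "file_create", "pid": pid, "target": target}


def regset(pid, name, value):
    return {"type": "registry_set", "pid": pid, "target": ZONEMAP + "\\" + name, "value": value}


# Constructed events, in the order the report's tree implies.
EVENTS = [
    proc(1244, 900, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    proc(4252, 1244, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    fcreate(4252, r"C:\WINDOWS\mssecsvc.exe"),
    proc(5020, 4252, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    fcreate(5020, r"C:\WINDOWS\tasksche.exe"),
    proc(3636, 5020, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    proc(316, 700, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
] + [regset(316, name, value) for name, value in ZONEMAP_SET.items()]


def norm(path):
    return path.lower()


def dropped_exe_executions(events):
    """'Executes dropped EXE': a process whose image path an earlier FileCreate wrote."""
    written = {}  # normalized path -> pid that wrote it
    hits = []
    for ev in events:
        if ev["type"] == "file_create" and norm(ev["target"]).endswith(".exe"):
            written[norm(ev["target"])] = ev["pid"]
        elif ev["type"] == "process_create" and norm(ev["image"]) in written:
            hits.append((ev["pid"], ev["image"], written[norm(ev["image"])]))
    return hits


def windows_dir_drops(events):
    """'Drops file in Windows directory': FileCreate whose parent directory is C:\\Windows itself."""
    return [(ev["pid"], ev["target"]) for ev in events
            if ev["type"] == "file_create" and norm(ev["target"]).rsplit("\\", 1)[0] == WINDOWS_DIR]


def zonemap_changes(events):
    """ZoneMap values under HKU\\.DEFAULT that widen the Intranet zone and turn off auto-detect."""
    hits = []
    for ev in events:
        if ev["type"] != "registry_set":
            continue
        key, _, name = ev["target"].rpartition("\\")
        if key.lower().endswith(r"\internet settings\zonemap") and ZONEMAP_SET.get(name) == ev["value"]:
            hits.append((ev["pid"], name, ev["value"]))
    return hits


def ancestry(events, pid):
    """Walk ProcessCreate events from pid back to its root; returns the chain oldest first."""
    by_pid = {ev["pid"]: ev for ev in events if ev["type"] == "process_create"}
    chain = []
    while pid in by_pid:
        chain.append(f"{by_pid[pid]['image']} ({pid})")
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, image, writer in dropped_exe_executions(EVENTS):
        print(f"dropped EXE executed: PID {pid} {image} (written by PID {writer})")
        print("  chain:", " -> ".join(ancestry(EVENTS, pid)))
    for pid, target in windows_dir_drops(EVENTS):
        print(f"file dropped in Windows dir: PID {pid} -> {target}")
    for pid, name, value in zonemap_changes(EVENTS):
        print(f"ZoneMap set by PID {pid}: {name} = {value}")
```

Two triage points fall out of the replay. First, the registry writes land under \REGISTRY\USER\.DEFAULT, the hive used by the LocalSystem account, so the `-m security` instance (PID 316) is running as SYSTEM rather than as the sandbox user; that fits a service-mode worker and is a useful pivot when hunting on real hosts. Second, the system32\rundll32.exe to SysWOW64\rundll32.exe hop is consistent with the sample being a 32-bit DLL (the resource tags include arch:x86) being re-launched by the 32-bit loader, so a detection keyed on "rundll32 spawning rundll32" alone would fire on benign 32-bit DLLs too; the dropped-EXE chain is the stronger signal.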
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3856ef42d7ce6f8d6846d7dcdea1cc49_JaffaCakes118.dll,#1
  PID: 1244
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3856ef42d7ce6f8d6846d7dcdea1cc49_JaffaCakes118.dll,#1
    PID: 4252
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory

    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 5020
      Signatures: Executes dropped EXE; Drops file in Windows directory

      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 3636
        Signatures: Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 316
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
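The two network signatures in this report ("Contacts a large (3199) amount of remote hosts" and "Creates a large amount of network flows") come from a fan-out count per process. The block below is an added example written for this page, not the sandbox's code: it builds constructed flow records in which the report's mssecsvc.exe (PID 5020) reaches 3199 distinct hosts on a single TCP port, plus a dozen ordinary HTTPS flows from a second process as a control, and applies the heuristic. Port 445 is an assumption consistent with WannaCry's SMB propagation; the report itself lists no ports.

```python
"""Fan-out heuristic behind the 'large amount of remote hosts / network flows' signatures.

Added example; not code from the sandbox or the report. The flow records are
constructed: 3199 destinations on 445/tcp from PID 5020 (matching the report's
host count; the port is an assumption) and 12 control flows from another process.
"""
import ipaddress
from collections import Counter, defaultdict
from itertools import islice

HOST_THRESHOLD = 100      # distinct destinations per process before we call it a scan; tune per environment
SINGLE_PORT_RATIO = 0.90  # share of flows on one port that marks a service-discovery sweep


def make_flows():
    flows = []
    # constructed: sequential sweep of 3199 hosts in 10.0.0.0/16 on 445/tcp by the worker
    for ip in islice(ipaddress.ip_network("10.0.0.0/16").hosts(), 3199):
        flows.append({"pid": 5020, "image": r"C:\WINDOWS\mssecsvc.exe", "dst": str(ip), "dport": 445})
    # constructed: benign control traffic from an unrelated process
    for i in range(12):
        flows.append({"pid": 2200, "image": r"C:\Program Files\browser\browser.exe",
                      "dst": f"203.0.113.{i + 1}", "dport": 443})
    return flows


def summarize(flows):
    """Per PID: image, distinct destination hosts, distinct /24s touched, and a port histogram."""
    per_pid = defaultdict(lambda: {"image": None, "hosts": set(), "ports": Counter()})
    for f in flows:
        s = per_pid[f["pid"]]
        s["image"] = f["image"]
        s["hosts"].add(f["dst"])
        s["ports"][f["dport"]] += 1
    for s in per_pid.values():
        s["subnets"] = len({ipaddress.ip_network(h + "/24", strict=False) for h in s["hosts"]})
    return per_pid


def classify(flows, threshold=HOST_THRESHOLD):
    """Flag processes whose distinct-host count reaches threshold; one dominant port means a service scan."""
    findings = []
    for pid, s in summarize(flows).items():
        n_hosts = len(s["hosts"])
        if n_hosts < threshold:
            continue
        top_port, top_count = s["ports"].most_common(1)[0]
        total = sum(s["ports"].values())
        kind = "service scan" if top_count / total >= SINGLE_PORT_RATIO else "broad fan-out"
        findings.append({"pid": pid, "image": s["image"], "hosts": n_hosts,
                         "subnets": s["subnets"], "top_port": top_port, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in classify(make_flows()):
        print(f"PID {f['pid']} {f['image']}: {f['hosts']} hosts across {f['subnets']} /24s, "
              f"mostly port {f['top_port']} -> {f['kind']}")
```

The host count alone is what the sandbox reports; splitting it by port and by /24 is what turns the number into a usable verdict on a production sensor, where update agents and DNS resolvers also touch many hosts but spread across ports and rarely sweep adjacent subnets sequentially.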
MITRE ATT&CK Enterprise v15
Downloads

C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 23022312fd0eb362acd51a62e69185d4
  SHA1: deb9d113e39e66301635ca6f72f7bfc258dfea6a
  SHA256: 90713884f770c6608d27ed23c9a5dc983a3351b46ae5b76e9480cfa7c6331c0c
  SHA512: face22acf5004cc0c50699394f623e9dde94d0df34efe30f4a5874e2269131d12cbe1f5551bd0708176df8c164b02bc90e5f8d20cd4790cd746d26b3b2baed2b

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: f2a03186491eb9a7b49b33fea7504a29
  SHA1: 4a4996abe06cee5fdb6442092db06c7c191af893
  SHA256: 48832f220035f46a949838de7e782963a57d8d4ac8f094847f7eb2efdfbe7a3e
  SHA512: c1bd8c6c08324fd9b01c13bb733cc00845832acb0f60c86381ad368ddf817cde5fbca8195b45bd1fdd7062ebb3c4de7e054910542b27a3973f7af16318d56d09