Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-05-2024 21:18
- Static task: static1
- Behavioral task: behavioral1
  Sample: 4d0eeb02dd0ca1c97f389b9751151bb1_JaffaCakes118.dll
  Resource: win7-20240221-en
- Behavioral task: behavioral2
  Sample: 4d0eeb02dd0ca1c97f389b9751151bb1_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 4d0eeb02dd0ca1c97f389b9751151bb1_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 4d0eeb02dd0ca1c97f389b9751151bb1
- SHA1: 65e9bb056cc6d5418dbf99526c51303a655c4221
- SHA256: 99943e6c8ba298f43cd8f225f4df4cf625e622ba789e2b60eb3e41ebda62da41
- SHA512: 0a21b89937e00526434b9984896020001b4a107d09abbf64e6d051dd1d7290ec558f5e9c43b27afcabf5faca6324e5ff313aa897ead790d755ce5dd5e8d650a1
- SSDEEP: 98304:+DqPoBhc1aRxcSUDk36SAEdhvxWa9P5uR8yAVp2H:+DqP11Cxcxk3ZAEUadgR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3326) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    3868  mssecsvc.exe
    2876  mssecsvc.exe
    2580  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 5008 wrote to memory of 1580  5008  rundll32.exe  rundll32.exe
    PID 5008 wrote to memory of 1580  5008  rundll32.exe  rundll32.exe
    PID 5008 wrote to memory of 1580  5008  rundll32.exe  rundll32.exe
    PID 1580 wrote to memory of 3868  1580  rundll32.exe  mssecsvc.exe
    PID 1580 wrote to memory of 3868  1580  rundll32.exe  mssecsvc.exe
    PID 1580 wrote to memory of 3868  1580  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d0eeb02dd0ca1c97f389b9751151bb1_JaffaCakes118.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d0eeb02dd0ca1c97f389b9751151bb1_JaffaCakes118.dll,#1
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      command: C:\WINDOWS\mssecsvc.exe
      signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        command: C:\WINDOWS\tasksche.exe /i
        signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  command: C:\WINDOWS\mssecsvc.exe -m security
  signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 6b7c6f571549d756df917ef794a66206
  SHA1: 492835ffd3c6121c08dc0f39d14aeb3471d395fd
  SHA256: 1f75c704d6c13e20d7039dfd9131d46f782d1cbc3b9e5a6f5859aabb1e16f88b
  SHA512: 0a441b7ea0c4d6545633eae778ec6105b013bfe3ff6c79ec31b8d86fb9beeb7ba0a1966654eda60f9b0eae941855dd62d2d9ca0d2381f0e108ec95d564244fde
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: a1711585b1f312b8a3c5ef2a53b0e277
  SHA1: f7701547f476c768eaac249b14af289e7c3a0bc2
  SHA256: 09fee0426f29d1f2f50559571300024eab0348af47896ad392c2e0400296479a
  SHA512: 2f22a18b89803c76dba16d1ec4caa6c356969ba345d4556c1b77b7ee53a10e1b5e8610eb57cdf094922f66f931136dd25f5e60d5dd058ecbe166ffbf32fc3792