Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
17-05-2024 21:55
Static task
static1
Behavioral task
behavioral1
Sample
51aab375aea5501d903d3a80d3f1dbbf_JaffaCakes118.dll
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
51aab375aea5501d903d3a80d3f1dbbf_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
51aab375aea5501d903d3a80d3f1dbbf_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
51aab375aea5501d903d3a80d3f1dbbf
-
SHA1
62429059285483ef1140d06914e528bf704e4577
-
SHA256
ea90471e9d4dbae983656969be57fc3ecbc6f68bff93888f5e712644be95b69f
-
SHA512
c6d988e43db3c17f0a53b0247c8aa087b6c1defb29560302116569d1c0aee976e0852b3d3aef37da06c199d150dce3d62a3631d85e1a88a8b737388ef494486d
-
SSDEEP
98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P59Bc/J:TDqPe1Cxcxk3ZAEUadAJ
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3338) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 2016 mssecsvc.exe 3128 mssecsvc.exe 3108 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 3496 wrote to memory of 3452 3496 rundll32.exe rundll32.exe PID 3496 wrote to memory of 3452 3496 rundll32.exe rundll32.exe PID 3496 wrote to memory of 3452 3496 rundll32.exe rundll32.exe PID 3452 wrote to memory of 2016 3452 rundll32.exe mssecsvc.exe PID 3452 wrote to memory of 2016 3452 rundll32.exe mssecsvc.exe PID 3452 wrote to memory of 2016 3452 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\51aab375aea5501d903d3a80d3f1dbbf_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\51aab375aea5501d903d3a80d3f1dbbf_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2016 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:3108
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3128
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5fd57cd67ca6943cf19388c74caaf8ec1
SHA1141f26f0dcb0071ecded6fd3ec1d09b3d0f7fd46
SHA256d6767479d1b2b1908de550a7b45c93a8405b28700cda845f3248200310bc0585
SHA512755379c67d685fc5aac89444f779fb9f397802d619e1a6d4388be78760dea54f33c29076876fee7d32fb3ecb9e6bb88093eaae246103b43320c90ec825bfe5e7
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD54a5ffc4ccab9af3e5654f447bcb1f85d
SHA16b5b5bafbff65372e102ab1c06cbf1f09d47cf84
SHA256aac6b9f1b96c9d7c14cbb9600f00e4dcbb4f257772fb7b4eed4e0fa4c724286d
SHA5125f0699c6cc8f1a5fdc11e2aa1f0f574cdfe05daaf5d5f7b959c595d0b48e2f34fc9a5cd755b296963a09b0dd7e3cedddf733e21b8abdfee06ca0ecf501c6df0c