Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-05-2024 15:02
Static task: static1
Behavioral task: behavioral1
  Sample: 501dc5ce9e1ef2b61cedefeb887e4bdf_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 501dc5ce9e1ef2b61cedefeb887e4bdf_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 501dc5ce9e1ef2b61cedefeb887e4bdf_JaffaCakes118.dll
Size: 5.0MB
MD5: 501dc5ce9e1ef2b61cedefeb887e4bdf
SHA1: c4b666275cca5fa6f45a72588b8858293dfc8322
SHA256: 67fb76c4fabd6e4bc050e2fc5dd3751b5d7d8e8eb0ef739cae9524e9f404c661
SHA512: 54fdfed9125c1d3ddea0c87bdad326a39f24a0aaa6e09356a17403bf99fae40f91b7c5e59820c8453d8f212d805c9f4b42f6d4c79000f24a31b18f6b83d6bdf5
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEcaEa:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3260) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    4432  mssecsvc.exe
    4836  mssecsvc.exe
    3256  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                       Process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    Description      IoC                                                                                                          Process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                 mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description                        PID   Process       Target process
    PID 3496 wrote to memory of 3452   3496  rundll32.exe  rundll32.exe
    PID 3496 wrote to memory of 3452   3496  rundll32.exe  rundll32.exe
    PID 3496 wrote to memory of 3452   3496  rundll32.exe  rundll32.exe
    PID 3452 wrote to memory of 4432   3452  rundll32.exe  mssecsvc.exe
    PID 3452 wrote to memory of 4432   3452  rundll32.exe  mssecsvc.exe
    PID 3452 wrote to memory of 4432   3452  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\501dc5ce9e1ef2b61cedefeb887e4bdf_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3496
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\501dc5ce9e1ef2b61cedefeb887e4bdf_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 3452
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 4432
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 3256
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 4836
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 1438b1a728e349833aefc78d2cf3444b
  SHA1: a4e026c165c94dee9e4f23968376c0c5e663d2ce
  SHA256: 10848a23a4bb66b68e1e822ae097b20de861a21134043fdb7aa567437fbdd512
  SHA512: 67f2ade068270d523a709ad6e2a1f9e56ff2138bed1738660a143a56903f73c48e1e7268c4065c186c8343de1d649f12a4c15d56d32ed2aedf31c14dbb6f7c2a
- Filesize: 3.4MB
  MD5: 23e2fc74db39af10ec21a185e98203d0
  SHA1: 927df4391803a683658fd6c741e2fc6159c25e1e
  SHA256: 020184730bcb72d346a6ceedb88f13e226ea037fea9116f92ba121d1452f0d4d
  SHA512: 45c29409448fccd138a5fb31bff1dae67b8d8f03c6d7a4e1a1598eed9cebb8f3e102a9355b59ef232485e32fda6ae4cdce6ce1fdadfe1b51756dc93b12646d0b