Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-05-2024 21:37
Static task: static1
Behavioral task: behavioral1
- Sample: 56ebabfe5ac52c06923fa1fd5e76fd49_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 56ebabfe5ac52c06923fa1fd5e76fd49_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 56ebabfe5ac52c06923fa1fd5e76fd49_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 56ebabfe5ac52c06923fa1fd5e76fd49
- SHA1: 307f347723d234984a2f1c152325a12f0d1ec333
- SHA256: a274d7771f1d7d0ef7133f3a00502267c7d03c48f4a491b075527915dc95c329
- SHA512: 212469b9559b1ee55fe026719499e9330737972c9951104c0dd9e74a31d715be2ac7314c07d7e17f143e894bb7b898133bf4a3f9fd851a57bc663ec259bc8008
- SSDEEP: 24576:zbLgddQhfdmMSirYbcMNgef0QeQjGL4kqAH1pNZtA0p+9XEk:znAQqMSPbcBVQejLyAH1plAH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3336) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  4648  mssecsvc.exe
  4196  mssecsvc.exe
  1080  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description   ioc                      process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  description      ioc                                                                                                    process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                       mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"      mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"       mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                       pid   process       target process
  PID 4872 wrote to memory of 2408  4872  rundll32.exe  rundll32.exe
  PID 4872 wrote to memory of 2408  4872  rundll32.exe  rundll32.exe
  PID 4872 wrote to memory of 2408  4872  rundll32.exe  rundll32.exe
  PID 2408 wrote to memory of 4648  2408  rundll32.exe  mssecsvc.exe
  PID 2408 wrote to memory of 4648  2408  rundll32.exe  mssecsvc.exe
  PID 2408 wrote to memory of 4648  2408  rundll32.exe  mssecsvc.exe
Processes (tree, indented by depth)
C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\56ebabfe5ac52c06923fa1fd5e76fd49_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\56ebabfe5ac52c06923fa1fd5e76fd49_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 8e131c7f6517cbf9d312f9a7c5cebd96
  SHA1: eb87deb9b58fc77c3daa219977e351c0f4cabad9
  SHA256: 0ab2b0b27a99e38f273db3ce1574ee5a8f800c7f14c7873035b3d54fe9054562
  SHA512: 86ec30f84132b446b00b8f128434bbc0576d1c33c83b33c1e45a559c40867ca8a2a2350a2f64e008985f08dfc266e178a9f0acb3a1f2461ac2fbd68fadc60582
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 5523234d2bf6d8bd47edf8cf1f7a2401
  SHA1: 00f49a644e2a2a566974920077e0e3eca2a4d047
  SHA256: 453e9160c63ca49b3fb2f1258d7cd828a1076845ad75ef1639154ca96b5dfbae
  SHA512: 176595185809f72c66e4b58f67efd43009e543b2da64bf9089fbc085a5e7908c8a1ef371ab69226439fc92fd7c306366d2cdfe5347342d7775e2980388c4bff9