Analysis
max time kernel: 143s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 21:48
Static task: static1
Behavioral task: behavioral1
  Sample: 56f5f986dea620bcf28e6d3578142d23_JaffaCakes118.dll
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 56f5f986dea620bcf28e6d3578142d23_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 56f5f986dea620bcf28e6d3578142d23_JaffaCakes118.dll
Size: 5.0MB
MD5: 56f5f986dea620bcf28e6d3578142d23
SHA1: b74134312a3fc48171f32ab00ac50798e0a32691
SHA256: d599760e9af9f217d574e67cec0733c7adc5f96d7a1934e4bbea050f33e42960
SHA512: cf2754cec156519706134f888c670bcb0f03c1c69165c923bdc1fe6307045cdc3439877c81f65eccb24b4f69e8cb91de892e2428721c3d0c5cadb220346a43ef
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEc0:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3278) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid  | process
    3280 | mssecsvc.exe
    1812 | mssecsvc.exe
    4748 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description  | ioc                     | process
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description     | ioc                                                                                                          | process
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    | mssecsvc.exe
    Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                   | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                      | pid  | process      | target process
    PID 3320 wrote to memory of 2152 | 3320 | rundll32.exe | rundll32.exe
    PID 3320 wrote to memory of 2152 | 3320 | rundll32.exe | rundll32.exe
    PID 3320 wrote to memory of 2152 | 3320 | rundll32.exe | rundll32.exe
    PID 2152 wrote to memory of 3280 | 2152 | rundll32.exe | mssecsvc.exe
    PID 2152 wrote to memory of 3280 | 2152 | rundll32.exe | mssecsvc.exe
    PID 2152 wrote to memory of 3280 | 2152 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 3320)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\56f5f986dea620bcf28e6d3578142d23_JaffaCakes118.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2152)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\56f5f986dea620bcf28e6d3578142d23_JaffaCakes118.dll,#1
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 3280)
      command line: C:\WINDOWS\mssecsvc.exe
      signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 4748)
        command line: C:\WINDOWS\tasksche.exe /i
        signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1812)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  signatures: Executes dropped EXE; Modifies data under HKEY_USERS

The 64-bit rundll32.exe (PID 3320) relaunches the 32-bit copy from SysWOW64 (PID 2152) with the same command line, which is how a 32-bit DLL gets loaded on x64 Windows and is consistent with the arch:x86 resource tag; ",#1" invokes the DLL export with ordinal 1. It is the WOW64 instance that writes C:\WINDOWS\mssecsvc.exe and starts it; that process in turn drops and starts C:\WINDOWS\tasksche.exe /i, while the separate mssecsvc.exe -m security instance (PID 1812) has no parent in the tree and is the one that modifies the ZoneMap keys under HKEY_USERS.
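A hunting script for the indicators above, added here as an example and not part of the sandbox report. It walks constructed process, file and network records shaped like this report's process tree and flags the rundll32.exe -> mssecsvc.exe -> tasksche.exe chain, the two files dropped in C:\WINDOWS, the report's SHA-256 values, the "-m security" service launch and the per-process host fan-out behind the "Contacts a large (3278) amount of remote hosts" signature. The record layout, the pairing of the dropped-file hashes with file names and the scanned addresses are assumptions of the example; the report lists the hashes without names and does not give the targets.

```python
"""Hunt for the WannaCry dropper chain and host fan-out recorded in the report.

Added example, not part of the sandbox report. The event records are
constructed to mirror the report's process tree, file drops and the
3278-host fan-out; the record layout (kind, pid, ppid, image, cmdline,
target, sha256, dst) is an assumption of this example, not a real
telemetry schema.
"""
from collections import defaultdict

# Indicators taken from the report.
DROPPED_FILES = {r"c:\windows\mssecsvc.exe", r"c:\windows\tasksche.exe"}
KNOWN_SHA256 = {
    "d599760e9af9f217d574e67cec0733c7adc5f96d7a1934e4bbea050f33e42960",  # submitted DLL
    "114115204096ae929c882417dbedfc2ba188dc375d6156c0576c067d6766fc75",  # 3.6MB dropped file
    "2193d112aa2665c42288ae30efbf78516c1b3e118e07a146d439d436599a6307",  # 3.4MB dropped file
}
FANOUT_THRESHOLD = 100  # distinct remote hosts per process; the report saw 3278


def base(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def find_dropper_chain(events):
    """Return (rundll32 pid, mssecsvc pid, tasksche pid) for the
    rundll32.exe -> mssecsvc.exe -> tasksche.exe ancestry, or None."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    for proc in procs.values():
        if base(proc["image"]) != "tasksche.exe":
            continue
        parent = procs.get(proc["ppid"])
        if parent is None or base(parent["image"]) != "mssecsvc.exe":
            continue
        grand = procs.get(parent["ppid"])
        if grand is not None and base(grand["image"]) == "rundll32.exe":
            return (grand["pid"], parent["pid"], proc["pid"])
    return None


def find_dropped_files(events):
    """(path, writing process) pairs for the two drops in the Windows directory."""
    return sorted(
        (e["target"].lower(), base(e["image"]))
        for e in events
        if e["kind"] == "file" and e["target"].lower() in DROPPED_FILES
    )


def find_known_hashes(events):
    """SHA-256 values from file events that match the report's hashes."""
    return sorted(e["sha256"] for e in events
                  if e["kind"] == "file" and e.get("sha256") in KNOWN_SHA256)


def find_service_mode(events):
    """PIDs of mssecsvc.exe started with the '-m security' service argument."""
    return sorted(e["pid"] for e in events
                  if e["kind"] == "process"
                  and base(e["image"]) == "mssecsvc.exe"
                  and e["cmdline"].lower().endswith("-m security"))


def find_scanners(events, threshold=FANOUT_THRESHOLD):
    """{(pid, image): distinct hosts} for processes above the fan-out threshold."""
    hosts = defaultdict(set)
    for e in events:
        if e["kind"] == "network":
            hosts[(e["pid"], base(e["image"]))].add(e["dst"])
    return {k: len(v) for k, v in hosts.items() if len(v) > threshold}


def hunt(events):
    """Run every check and return the findings as a dict."""
    return {
        "dropper_chain": find_dropper_chain(events),
        "dropped_files": find_dropped_files(events),
        "known_hashes": find_known_hashes(events),
        "service_mode": find_service_mode(events),
        "scanners": find_scanners(events),
    }


DLL = r"C:\Users\Admin\AppData\Local\Temp\56f5f986dea620bcf28e6d3578142d23_JaffaCakes118.dll"
MSSECSVC = r"C:\WINDOWS\mssecsvc.exe"
TASKSCHE = r"C:\WINDOWS\tasksche.exe"

# Constructed telemetry mirroring the report's process tree. The pairing of
# hashes with file names and the scanned addresses are constructed too.
EVENTS = [
    {"kind": "process", "pid": 3320, "ppid": 1, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"kind": "process", "pid": 2152, "ppid": 3320, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"kind": "file", "pid": 2152, "image": r"C:\Windows\SysWOW64\rundll32.exe", "target": MSSECSVC,
     "sha256": "114115204096ae929c882417dbedfc2ba188dc375d6156c0576c067d6766fc75"},
    {"kind": "process", "pid": 3280, "ppid": 2152, "image": MSSECSVC, "cmdline": MSSECSVC},
    {"kind": "file", "pid": 3280, "image": MSSECSVC, "target": TASKSCHE,
     "sha256": "2193d112aa2665c42288ae30efbf78516c1b3e118e07a146d439d436599a6307"},
    {"kind": "process", "pid": 4748, "ppid": 3280, "image": TASKSCHE, "cmdline": f"{TASKSCHE} /i"},
    {"kind": "process", "pid": 1812, "ppid": 700, "image": MSSECSVC, "cmdline": f"{MSSECSVC} -m security"},
]
EVENTS += [{"kind": "network", "pid": 1812, "image": MSSECSVC, "dst": f"10.{i >> 8}.{i & 255}.1"}
           for i in range(3278)]

if __name__ == "__main__":
    for name, finding in hunt(EVENTS).items():
        print(f"{name}: {finding}")
```

The fan-out check counts distinct destination hosts per (pid, image) rather than raw flows, so a legitimate process that talks repeatedly to a handful of servers stays under the threshold while a scanner that touches thousands of hosts once each does not; the threshold is a tuning knob, and the ancestry check keys on the parent chain rather than on file names alone, so a renamed copy of the dropper is still caught when its children keep the names recorded here.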
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: e23d92f767cb46bceadbc9b039cb8d9e
  SHA1: 0135f4002198925423cac54ce41fc075cc03a727
  SHA256: 114115204096ae929c882417dbedfc2ba188dc375d6156c0576c067d6766fc75
  SHA512: 05bda9a5092758dbb400ded11cd3f780691af7184500257962f43da3dfc3855fa08ddfcaf6693f39c85b3e4b99e619b3709a8ac3d11ec94537dc368f9734d1e7
- Filesize: 3.4MB
  MD5: e3beae48c660a3e53b724363dcf3305e
  SHA1: 5a5ef3797b5c0299c9b73d74f3a7b00894df5951
  SHA256: 2193d112aa2665c42288ae30efbf78516c1b3e118e07a146d439d436599a6307
  SHA512: b3bea954c114ad7915802f13f7f752253e0b40b43c5ac6e825e1fc5fe3e6f6b72fdfc1ddd6c393daa7521a722bb2738a421f16375cb1254877f7e8b6ce84255b