Analysis
max time kernel: 149s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 00:01
Static task: static1
Behavioral task: behavioral1
  Sample: 52273974a0123165fa8fbd867fa6dce5_JaffaCakes118.dll
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 52273974a0123165fa8fbd867fa6dce5_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 52273974a0123165fa8fbd867fa6dce5_JaffaCakes118.dll
Size: 5.0MB
MD5: 52273974a0123165fa8fbd867fa6dce5
SHA1: 35f1258534d55dd40ad036af00a7b82cb692843d
SHA256: 022c9efcf232fdfabcfba1423deb8ade3a49ae6480bddd4d58b4ca712e2ebd02
SHA512: 389091e8ebbbbeb2709bed52ee3cbb7149a8f4f283c49cbf35ccbc93437f3472a4c272ab401ca3f22eadcfce067bfde179a1be1a9dbf07aa6c8ea53506ca9744
SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIwQ2bYy:SnAQqMSPbcBVQej/
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.
Contacts a large (3364) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
  Processes:
    PID 3088  mssecsvc.exe
    PID 3464  mssecsvc.exe
    PID 2604  tasksche.exe
Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Drops file in Windows directory (2 IoCs)
  Processes:
    File created  C:\WINDOWS\mssecsvc.exe  (by rundll32.exe)
    File created  C:\WINDOWS\tasksche.exe  (by mssecsvc.exe)
Modifies data under HKEY_USERS (5 IoCs)
  Processes (all by mssecsvc.exe):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 1092 (rundll32.exe) wrote to memory of PID 3944 (rundll32.exe)
    PID 1092 (rundll32.exe) wrote to memory of PID 3944 (rundll32.exe)
    PID 1092 (rundll32.exe) wrote to memory of PID 3944 (rundll32.exe)
    PID 3944 (rundll32.exe) wrote to memory of PID 3088 (mssecsvc.exe)
    PID 3944 (rundll32.exe) wrote to memory of PID 3088 (mssecsvc.exe)
    PID 3944 (rundll32.exe) wrote to memory of PID 3088 (mssecsvc.exe)
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\52273974a0123165fa8fbd867fa6dce5_JaffaCakes118.dll,#1
  PID: 1092
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\52273974a0123165fa8fbd867fa6dce5_JaffaCakes118.dll,#1
    PID: 3944
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3088
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2604
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3464
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 4baf69383a9fc1b6da854b63272e300f
  SHA1: 08ea3eb52583c2fd25ee7dc6a19ef5fa6c199138
  SHA256: 04910bfe3dab5e3d912b28c4c94614d9b826bb261dbe5135e3cca5f854624221
  SHA512: 13f6995db6ddb62f3731105af44cf500daff1f365324c45ce24da2d9026f853db57ca2a9e3a1f29e5c87c9f2655a4b6a6f6b5f761e93b1f541b4752559cd9278
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: c5df4ec60f1f3a939577111217672171
  SHA1: 0eee00b69479940e562650d8fa31f7e89678152f
  SHA256: 8ff377030e6bc316de9d062090a780542d7512ca4debc1e21c78f5a4720b7d2f
  SHA512: 2f9d784fde6ff56cbc2c1e355c7a2288d34722b0f8adbe9c50ddebb4cb0380f926323f83222f8182c101d2190a7aff7f9f0f67c96ce00a20a9e7c8af9248c0f5