Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-05-2024 02:55
Static task: static1
Behavioral task: behavioral1
- Sample: 52bd09bef51fdc8f27db1d866833f06e_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 52bd09bef51fdc8f27db1d866833f06e_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 52bd09bef51fdc8f27db1d866833f06e_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 52bd09bef51fdc8f27db1d866833f06e
- SHA1: 2effa46e80d3a66a53a1a43f415c4383a2ead9c6
- SHA256: 933d22e4dd68fe7cfa1d8a7afdd2f0a3aec97fbd0d09069a8667dc4f45c0c7eb
- SHA512: 40fef4905591ccdd3db265671eb32d7eac3a2de03d0363b67cdd194db600965f091a46e7d8cd8c1519853aa58ca542761c4549e3cde257d77b9273bb6285f3b8
- SSDEEP: 98304:TDqPoBhC1aRxcSUDk36SAEdhvxWa9P593R8:TDqPT1Cxcxk3ZAEUadzR8
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm: it encrypts files on the infected host and propagates to other reachable hosts over SMB.
- Contacts a large (3213) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID   Process
  3968  mssecsvc.exe
  4200  mssecsvc.exe
  3808  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Description   IoC                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Description      IoC                                                                                                                Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                        mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"       mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"      mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"        mssecsvc.exe
  These are the default ZoneMap values Windows writes when Internet Settings are first initialised for the .DEFAULT profile. They show that mssecsvc.exe, running as LocalSystem, used the WinINet stack; they are not evidence of a deliberate proxy or zone reconfiguration and should be treated as supporting, not primary, indicators.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Description      PID   Process       Target PID  Target process
  wrote to memory  3176  rundll32.exe  4436        rundll32.exe
  wrote to memory  3176  rundll32.exe  4436        rundll32.exe
  wrote to memory  3176  rundll32.exe  4436        rundll32.exe
  wrote to memory  4436  rundll32.exe  3968        mssecsvc.exe
  wrote to memory  4436  rundll32.exe  3968        mssecsvc.exe
  wrote to memory  4436  rundll32.exe  3968        mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 3176)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\52bd09bef51fdc8f27db1d866833f06e_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4436)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\52bd09bef51fdc8f27db1d866833f06e_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 3968)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 3808)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 4200)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

The first hop, the 64-bit rundll32.exe in system32 starting the 32-bit copy in SysWOW64 with identical arguments, is the normal WOW64 relaunch for a 32-bit DLL (the sample carries the arch:x86 tag); the dropper activity begins in the SysWOW64 instance. Both WriteProcessMemory targets (4436 and 3968) are the just-created child of the writing process, so those events should be read together with the corresponding process creations rather than as writes into an unrelated process. The second mssecsvc.exe, started with -m security and with no parent in the tree, is consistent with the copy launched by the service control manager rather than by the dropper.
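As an added example, not part of the sandbox report and not the sample's own code, the following Python hunts for the chain shown in this process tree over constructed Sysmon-style events. Paths, PIDs, command lines and dropped-file hashes are the ones the report lists; the Event record shape, the parent PID of the first rundll32.exe (1000) and of the service-mode mssecsvc.exe (0), and the benign rundll32 control are assumptions introduced here. Walking every ancestor of mssecsvc.exe, rather than only its direct parent, is what keeps the WOW64 rundll32 relaunch from hiding the dropper.

```python
"""Behavioural hunt for the WannaCry chain recorded in the report above.

Added example, not the sandbox's output or the malware's code. Event records
are constructed in a Sysmon-like shape from the report's process tree; PIDs,
paths, command lines and hashes are the report's. Parent PIDs of the two tree
roots (1000 and 0) and the Event shape are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# IoCs from the report: dropped files (lower-cased path -> MD5) and the ZoneMap
# key that mssecsvc.exe wrote under the .DEFAULT hive.
DROPPED = {
    "c:\\windows\\mssecsvc.exe": "e24f99d2f3d5748da8746baa26293855",
    "c:\\windows\\tasksche.exe": "f35530613a65e4b78fd49fdc9ae2a761",
}
ZONEMAP = ("\\registry\\user\\.default\\software\\microsoft\\windows"
           "\\currentversion\\internet settings\\zonemap\\")


@dataclass(frozen=True)
class Event:
    kind: str            # "process" | "file" | "registry"
    pid: int             # acting process
    image: str           # acting process image path
    ppid: int = 0        # parent PID (process events only)
    cmdline: str = ""    # command line (process events only)
    target: str = ""     # created file path or written registry value


def _name(path: str) -> str:
    """Image file name, lower-cased, so system32 and SysWOW64 copies compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events: Iterable[Event]) -> Dict[str, List]:
    """Return {finding: [details]} for the behaviours the report flags."""
    events = list(events)
    procs = {e.pid: e for e in events if e.kind == "process"}
    found = defaultdict(list)

    def ancestors(pid: int):
        seen = set()
        while pid in procs and pid not in seen:   # stop at an unknown or looping parent
            seen.add(pid)
            yield procs[pid]
            pid = procs[pid].ppid

    for p in procs.values():
        name, cmd = _name(p.image), p.cmdline.lower()
        if name == "mssecsvc.exe":
            if "-m security" in cmd:
                found["mssecsvc.exe started in service mode"].append(p.pid)
            # Dropper chain: any rundll32 ancestor that loaded a DLL by ordinal (,#1).
            # Walking all ancestors also covers the 64-bit -> 32-bit WOW64 relaunch.
            if any(_name(a.image) == "rundll32.exe" and ",#1" in a.cmdline
                   for a in ancestors(p.ppid)):
                found["rundll32 ,#1 -> mssecsvc.exe"].append(p.pid)
        if name == "tasksche.exe" and cmd.rstrip().endswith(" /i"):
            if any(_name(a.image) == "mssecsvc.exe" for a in ancestors(p.ppid)):
                found["mssecsvc.exe -> tasksche.exe /i"].append(p.pid)

    for e in events:
        t = e.target.lower()
        if e.kind == "file" and t in DROPPED:
            found["dropped file"].append((e.target, _name(e.image)))
        # Supporting evidence only: ZoneMap values under .DEFAULT are written when a
        # LocalSystem process initialises Internet Settings, not a deliberate change.
        if e.kind == "registry" and t.startswith(ZONEMAP) and _name(e.image) == "mssecsvc.exe":
            found["ZoneMap write by mssecsvc.exe"].append(e.target)
    return dict(found)


DLL = r"C:\Users\Admin\AppData\Local\Temp\52bd09bef51fdc8f27db1d866833f06e_JaffaCakes118.dll"

# Constructed events mirroring the report's process tree (parent PIDs 1000 and 0 assumed).
SAMPLE = [
    Event("process", 3176, r"C:\Windows\system32\rundll32.exe", ppid=1000,
          cmdline=f"rundll32.exe {DLL},#1"),
    Event("process", 4436, r"C:\Windows\SysWOW64\rundll32.exe", ppid=3176,
          cmdline=f"rundll32.exe {DLL},#1"),
    Event("file", 4436, r"C:\Windows\SysWOW64\rundll32.exe", target=r"C:\WINDOWS\mssecsvc.exe"),
    Event("process", 3968, r"C:\WINDOWS\mssecsvc.exe", ppid=4436, cmdline=r"C:\WINDOWS\mssecsvc.exe"),
    Event("file", 3968, r"C:\WINDOWS\mssecsvc.exe", target=r"C:\WINDOWS\tasksche.exe"),
    Event("process", 3808, r"C:\WINDOWS\tasksche.exe", ppid=3968, cmdline=r"C:\WINDOWS\tasksche.exe /i"),
    Event("process", 4200, r"C:\WINDOWS\mssecsvc.exe", ppid=0, cmdline=r"C:\WINDOWS\mssecsvc.exe -m security"),
    Event("registry", 4200, r"C:\WINDOWS\mssecsvc.exe",
          target=r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion"
                 r"\Internet Settings\ZoneMap\ProxyBypass"),
]

# Constructed control: rundll32 calling an ordinal export with no dropper activity.
BENIGN = [Event("process", 500, r"C:\Windows\system32\rundll32.exe", ppid=1000,
                cmdline=r"rundll32.exe shell32.dll,#61")]

if __name__ == "__main__":
    for finding, details in hunt(SAMPLE).items():
        print(f"{finding}: {details}")
    print("benign control:", hunt(BENIGN))
```

Run against the constructed SAMPLE this reports the service-mode start (PID 4200), the rundll32 to mssecsvc.exe chain (PID 3968), the tasksche.exe /i child (PID 3808), both dropped files and the ZoneMap write; the BENIGN control yields nothing, because an ordinal rundll32 call alone is not a finding. In a real deployment the same logic runs over Sysmon event IDs 1 (process), 11 (file) and 13 (registry), and the dropped-file MD5s in DROPPED can be matched against file-hash fields where the telemetry provides them.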
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e24f99d2f3d5748da8746baa26293855
  SHA1: 9dc544c10d8539e6673718d9f28e7675334ec347
  SHA256: 933bd7af869d16469fac1f38a7ce1f89907d0a0af6eb92d18d89939a6858dd34
  SHA512: 0158fe45aad4fb521fd0c0fd3c03bacdd2c5ea66e9f4b5add529ced6e452c91e3b71296472a671ddd4ee7e4743b6499bb23eb1eb87b6a15008074f807f135fa1
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: f35530613a65e4b78fd49fdc9ae2a761
  SHA1: c5171833f01470d7f01bda118eec6fd457545c0d
  SHA256: aba53ea94812a018ac00e9664c57d32bbf25922bb08141694fb65f493611248b
  SHA512: 6d93a906f3de70ebef2b793954c2660f6c51f25a20f7b1c8da964240605e36e9861c822c9b6ee3a2f8e2e030991898b7d9ff8ee220b2f31ad3b8dba4be3e1d44