Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 05:32
Static task: static1
Behavioral task: behavioral1
  Sample: 5331dcc2b7a9dc4c56dcaf9400024e18_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5331dcc2b7a9dc4c56dcaf9400024e18_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 5331dcc2b7a9dc4c56dcaf9400024e18_JaffaCakes118.dll
Size: 5.0MB
MD5: 5331dcc2b7a9dc4c56dcaf9400024e18
SHA1: 66cb274de4c256c708c35d916b290f820bc3c17a
SHA256: 9a44bdd3e8bbabec20228aceff16b42a0c9b8cf8ec5d6c33e72a6de7a4bf8625
SHA512: d4634d09827cc0892f755b6dabe4bbd7bf2a5e0ad76ee7bdeae6dbcb94e5d244c6d55d5915e2805a299a44687828ee11ad6b3b3a369813567487b6d3b7f9309b
SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKzozjeX6SAZBn/:SnAQqMSPbcBVQej/1INu6SA3/
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3202) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid   process
    4640  mssecsvc.exe
    4496  mssecsvc.exe
    3800  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
    description      ioc                                                                                              process
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                        pid   process       target process
    PID 896 wrote to memory of 4632    896   rundll32.exe  rundll32.exe
    PID 896 wrote to memory of 4632    896   rundll32.exe  rundll32.exe
    PID 896 wrote to memory of 4632    896   rundll32.exe  rundll32.exe
    PID 4632 wrote to memory of 4640   4632  rundll32.exe  mssecsvc.exe
    PID 4632 wrote to memory of 4640   4632  rundll32.exe  mssecsvc.exe
    PID 4632 wrote to memory of 4640   4632  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5331dcc2b7a9dc4c56dcaf9400024e18_JaffaCakes118.dll,#1
  PID: 896
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5331dcc2b7a9dc4c56dcaf9400024e18_JaffaCakes118.dll,#1
    PID: 4632
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4640
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 3800
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4496
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: fe9b5b75f3e267dcdfe1648fb681fa62
  SHA1: bbf80b2af90465b753ab4958fdddd2a116162a7a
  SHA256: 9bdb3ccd8180ae06303d0c3e80e7032013506c47dc38bc629baf62d8cb3b4068
  SHA512: a11aea279099ebdec32be47a236057ce08b2ed9a3362c314ac85772a5de455875bb8efcc13a2b793e7412803871e8f4925dcfce25f4d2d008dacc429eee0c0d4
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: ba20334dc03e894d28f68253d34ee54e
  SHA1: 5c527f1c1e7e9ebc48e954e69151f2663d252214
  SHA256: c2de58d868977ed4d840df15b6dcbf2da52c9fae35853318fd7d3d21919628a5
  SHA512: f077b606405432552d82d9e0674752e94042530ba1dacf1290cf856743e2393805b3575f8005227a2442ea1111002bf38cd1a50c07d21c9e6cdd20691a59a707