Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-05-2024 07:52
Static task: static1
Behavioral task: behavioral1
- Sample: 53b1c379f045426c1e90ae72a411a7b0_JaffaCakes118.dll
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 53b1c379f045426c1e90ae72a411a7b0_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 53b1c379f045426c1e90ae72a411a7b0_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 53b1c379f045426c1e90ae72a411a7b0
- SHA1: 0e69bbd360d8b77280411d828eba74935bf9a76f
- SHA256: 96980e2650d9389d0f72f8271eb54a26d86c599789ee0d3fc4bfb826b0eda2fa
- SHA512: b059ff053a6a83e95c589b6e13aee88082a7202b882d91bd0d185ed9b8d6a56431d9efeb5c9914a3fb3f8dc7e64b8c3111e2993c6b04db9d7c8be0f9e0268235
- SSDEEP: 49152:znwQqMSPbcBVQej/1YNRNSxCDQatcqPc2r+6h40WpVgbgm5xz2Il23ZzgttoIvuv:TTqPoBhz1KRVY9gqBQcQQ
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3333) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  PID   Process
  428   mssecsvc.exe
  852   mssecsvc.exe
  1184  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  Description   IoC                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  Description      IoC                                                                                                                Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                        mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"       mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"      mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"        mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  Description                       PID   Process       Target process
  PID 2760 wrote to memory of 3736  2760  rundll32.exe  rundll32.exe
  PID 2760 wrote to memory of 3736  2760  rundll32.exe  rundll32.exe
  PID 2760 wrote to memory of 3736  2760  rundll32.exe  rundll32.exe
  PID 3736 wrote to memory of 428   3736  rundll32.exe  mssecsvc.exe
  PID 3736 wrote to memory of 428   3736  rundll32.exe  mssecsvc.exe
  PID 3736 wrote to memory of 428   3736  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\53b1c379f045426c1e90ae72a411a7b0_JaffaCakes118.dll,#1
  PID: 2760
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\53b1c379f045426c1e90ae72a411a7b0_JaffaCakes118.dll,#1
    PID: 3736
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 428
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1184
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 852
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: c617575d4b84aa326618ff57b15c8f68
  SHA1: 15940ac6ea18245b50a803c1e93072141460e51d
  SHA256: c2cef4b60170d11927ab5adc19c87251c604a4c070aef560883a20c037e7426d
  SHA512: 46706d77398f0dc982ffb5a23d4e973d1591dd7d3c6e94c2be7ef5b76e4b12f7786d331c941a0d752592ee5959589f7513854477aa1f24a23239be71f8b98f41
- Filesize: 3.4MB
  MD5: ffb7d6d6c887ea3959edaa4c5af25c56
  SHA1: e487620f1c68f8f1dda6709a69528665cd2e9631
  SHA256: 0961903f48291047625bec39b5623ce9a4c82ffba812687fa5368d6c5d3db764
  SHA512: e7e6ac22c230e1850773319542d9bc7a3da30a643faf7fd6be3e2fafb98d950a9fcc96a34a201a74f0f157fcfa5c6d197dc0ea75b54ba43085e0575dd2368a60