Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-05-2024 16:54
Static task: static1
Behavioral task: behavioral1
Sample: 55cbc01a52fd5200cd82213465f27996_JaffaCakes118.dll
Resource: win7-20240508-en
Behavioral task: behavioral2
Sample: 55cbc01a52fd5200cd82213465f27996_JaffaCakes118.dll
Resource: win10v2004-20240508-en
General
- Target: 55cbc01a52fd5200cd82213465f27996_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 55cbc01a52fd5200cd82213465f27996
- SHA1: a217c58a62f13a8bfcc7462606078e1bf1f2f405
- SHA256: 22bbde8f39fab4ba56329699e65d93f8cff435b3f39e7b226afc268546ea8cef
- SHA512: 2435798f42d1400945e7bf5287bd54e717a157a69060390bc4ff9379b5f5256faa8ba478f9f7aec6eb30dd335de16bfb627a636d6fec01ee8d22b9042e764d85
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqpbOSSqTPVXmiHkQg6eX6SASk+Kdq/:SnAQqMSPbcBVQej/JSqTdX1HkQo6SAA
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3343) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
pid | process
2916 | mssecsvc.exe
1016 | mssecsvc.exe
3516 | tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes: rundll32.exe, mssecsvc.exe
description | ioc | process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes: mssecsvc.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 848 wrote to memory of 1412 | 848 | rundll32.exe | rundll32.exe
PID 848 wrote to memory of 1412 | 848 | rundll32.exe | rundll32.exe
PID 848 wrote to memory of 1412 | 848 | rundll32.exe | rundll32.exe
PID 1412 wrote to memory of 2916 | 1412 | rundll32.exe | mssecsvc.exe
PID 1412 wrote to memory of 2916 | 1412 | rundll32.exe | mssecsvc.exe
PID 1412 wrote to memory of 2916 | 1412 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\55cbc01a52fd5200cd82213465f27996_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 848
  - C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\55cbc01a52fd5200cd82213465f27996_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1412
    - C:\WINDOWS\mssecsvc.exe
      Command: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2916
      - C:\WINDOWS\tasksche.exe
        Command: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 3516
- C:\WINDOWS\mssecsvc.exe
  Command: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 1016
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: ad9925c0d7fda9b48a58439dc7a287c1
  SHA1: 0e912a64bf51d481714b087b4ea10f76aea71fbb
  SHA256: 46c128c262aa0029c228ed4313efcfa2eef29728bbd166998365429500129c75
  SHA512: d718adda7f8fbaa3839c998d31afa3381157642c2d824b2bb6018b5ad3631346b78d974192a6cbc88792a2f577adeec25de19768687c3fc8cc752a7632ca276b
- Filesize: 3.4MB
  MD5: 048a675961ba94a670ab35dc30a8e39f
  SHA1: 7c7c1951edf3c1ec6a8f50e0c5d6688d7b6523a2
  SHA256: 2b089c0115de4cde488409e0783da3ea01042f0768036725e9dad8994d00f1f4
  SHA512: a1bec9f9f7f8a089312099377cae2e303699672dfff08dccecd8dc3a8a19ebd9107e5fcff45cd275fae8e848a561286c3ab217a31518e7f5eb5b765777965a17