Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-05-2024 17:05
Static task
- static1
Behavioral task
- behavioral1
  Sample: 55d6d83f66f0917fba7cce7f960a18a6_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task
- behavioral2
  Sample: 55d6d83f66f0917fba7cce7f960a18a6_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 55d6d83f66f0917fba7cce7f960a18a6_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 55d6d83f66f0917fba7cce7f960a18a6
- SHA1: 83e8bb1c117a4506ac850edd7708370406091cac
- SHA256: e14c4af56e582c40f4ece66346fb341665fe422ec45ab490e55bf546cd799f31
- SHA512: 1644f905a85348fcf84b318ae1bf8e67e0af49fc4d11190474d367e0b6b2712bfece1a8a944fc5d139a2af9086154d8989f839c8cf6d33fac5a174727d3e27e2
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P55Z:+DqPe1Cxcxk3ZAEUadz
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3171) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  pid   process
  4416  mssecsvc.exe
  3976  mssecsvc.exe
  2384  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
  description      ioc                                                                                                     process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\            mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                        pid   process       target process
  PID 3500 wrote to memory of 4136   3500  rundll32.exe  rundll32.exe
  PID 3500 wrote to memory of 4136   3500  rundll32.exe  rundll32.exe
  PID 3500 wrote to memory of 4136   3500  rundll32.exe  rundll32.exe
  PID 4136 wrote to memory of 4416   4136  rundll32.exe  mssecsvc.exe
  PID 4136 wrote to memory of 4416   4136  rundll32.exe  mssecsvc.exe
  PID 4136 wrote to memory of 4416   4136  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\55d6d83f66f0917fba7cce7f960a18a6_JaffaCakes118.dll,#1
  PID: 3500
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\55d6d83f66f0917fba7cce7f960a18a6_JaffaCakes118.dll,#1
    PID: 4136
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4416
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2384
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3976
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 3f069f13df7db42862272880b613074c
  SHA1: 1092536b10666888c982896f8be723d0479abb33
  SHA256: d3cc85338cb8a2def7443326b60509a9abc4ece30873ab70b72645c93eb9e715
  SHA512: 0e28095c1b7d1d521619b4f64ccd6353d72f4647c9a8d49e6df6298dec5291306bf491af926bd2be0ee77979cf373711b8bc16a606d6cd69c1dc9e549b391e0b
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 2b55e80e1d6210d8f3908509b5c1d90e
  SHA1: 60f9b7ec3f252edf000b7133b2f7caa1e35a8bda
  SHA256: b5c8d77410731921d09d5260a3cc3baae2b3ec350e5b2152af692e2a40f19684
  SHA512: 16b007b42a037a391bbe55a3d5fd1567a35fdd024811069ff8c455dbadada9558dd587e5d41d647ea2801a5990e1b5ce6a52369dbb27dfa985588eeb2003a197