Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-05-2024 18:09
Static task: static1
Behavioral task: behavioral1
- Sample: 561aaa59b84a7fd7c8436b5d47fda319_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 561aaa59b84a7fd7c8436b5d47fda319_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 561aaa59b84a7fd7c8436b5d47fda319_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 561aaa59b84a7fd7c8436b5d47fda319
- SHA1: f4e1395cc7a3a6a6e98d51dba66560cec46b7f7d
- SHA256: 3659bd29104688f4aec05ecad294db34429e49096983768873038dc7fdbcc494
- SHA512: 2d415664e27883d524da987d12c26ef0d632a159c19b3e7182f4dac00e28921a4c523bff04bee0f95fa796948a91d9be6d35e650af27edfa2a8decda619b0995
- SSDEEP: 98304:dDqPoBhQ1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:dDqPR1Cxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3323) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    3188  mssecsvc.exe
    2364  mssecsvc.exe
    2616  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 4012 wrote to memory of 3692  4012  rundll32.exe  rundll32.exe
    PID 4012 wrote to memory of 3692  4012  rundll32.exe  rundll32.exe
    PID 4012 wrote to memory of 3692  4012  rundll32.exe  rundll32.exe
    PID 3692 wrote to memory of 3188  3692  rundll32.exe  mssecsvc.exe
    PID 3692 wrote to memory of 3188  3692  rundll32.exe  mssecsvc.exe
    PID 3692 wrote to memory of 3188  3692  rundll32.exe  mssecsvc.exe
Processes (process tree; depth shown by indentation)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\561aaa59b84a7fd7c8436b5d47fda319_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4012
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\561aaa59b84a7fd7c8436b5d47fda319_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 3692
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 3188
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2616
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 2364
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 6fe9d6dc8367939853e0bf1545a2e637
  SHA1: 23f8eb0797363c701ad5c1dc7949c42c66783df0
  SHA256: 136ef00a4156fbf83c12ff4dfd82048a9a7421a50ba21df8e7800b673eff2830
  SHA512: 8e0606762627dda67752f0026cb85c9162151e93e466b8b21329555efcfdbe9585811c798bdd178e27eb4a65c7ee6b1957b1cfe0b02fd58d204e81c352617a14
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: bd03cac11efac30c49fdc99a8816a5cf
  SHA1: 755071b384aaa353b8b9b28560b39627ce746b3c
  SHA256: d0a22bce8b7ccfb3401e4ee705d7100c6f584582b8b1b0054ad987f0dc09e622
  SHA512: 16d5aa1232286d0c3416215046579ad8ee6db726175dfeec1c60043ceba4da21608c5ccb00b5c829a57176f755523f2073394b32deba5918029fe13aab7999a8