Analysis
max time kernel: 134s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 18:16
Static task: static1
Behavioral task: behavioral1
  Sample: 5621542b257455bf2ba19d23dfdf6bd3_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 5621542b257455bf2ba19d23dfdf6bd3_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 5621542b257455bf2ba19d23dfdf6bd3_JaffaCakes118.dll
Size: 5.0MB
MD5: 5621542b257455bf2ba19d23dfdf6bd3
SHA1: ea4919722b8be96a8a47912e1201a8489db1c785
SHA256: a91088e535cd46cede4684b5b01ab44ae587896515d46f561678e408ff190053
SHA512: db392c351a1c263dd74d021f33a1b1dca503a449fd156dcf4ea0460545e85573f7c39023f23235b2ee6e2396213b0a15122c1ec95eb2fc58fe098b350688a01f
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9g3R8yAVp2H:+DqPe1Cxcxk3ZAEUaQR8yc4H
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.

Contacts a large (3304) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
  Processes:
    pid 1020  mssecsvc.exe
    pid 1060  mssecsvc.exe
    pid 928   tasksche.exe

Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
  Processes:
    File created  C:\WINDOWS\mssecsvc.exe  by rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  by mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
  Processes (all by mssecsvc.exe):
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (source pid -> target pid, source process -> target process):
    PID 2972 wrote to memory of 1948  rundll32.exe -> rundll32.exe
    PID 2972 wrote to memory of 1948  rundll32.exe -> rundll32.exe
    PID 2972 wrote to memory of 1948  rundll32.exe -> rundll32.exe
    PID 1948 wrote to memory of 1020  rundll32.exe -> mssecsvc.exe
    PID 1948 wrote to memory of 1020  rundll32.exe -> mssecsvc.exe
    PID 1948 wrote to memory of 1020  rundll32.exe -> mssecsvc.exe
Processes (process tree; indentation shows parent/child depth)
  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5621542b257455bf2ba19d23dfdf6bd3_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5621542b257455bf2ba19d23dfdf6bd3_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      C:\WINDOWS\mssecsvc.exe
        Command line: C:\WINDOWS\mssecsvc.exe
        - Executes dropped EXE
        - Drops file in Windows directory
        C:\WINDOWS\tasksche.exe
          Command line: C:\WINDOWS\tasksche.exe /i
          - Executes dropped EXE
  C:\WINDOWS\mssecsvc.exe
    Command line: C:\WINDOWS\mssecsvc.exe -m security
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 6551c8a27eec3b118704d99bc892daec
  SHA1: c8ed819ac33e1e575f56711bb1991c191fa683fa
  SHA256: f047d312431343223d175ce6ac990704726f5995febc3a4a62f716f8dc4ed016
  SHA512: aa3d151b43a477057ffeb0c38ebd9c959e97769dabb5ac7a81485da4f3a8bae0d79ab174bc42314a629a101f07bb812630421236a804136ee08ba77bfb784894

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: a1b0a61927bb5a5a0386fad639db7ff8
  SHA1: a6c328d2096e9e0832f6eb1029a0e432c373f3bf
  SHA256: 74abc3f0879a0234bbddb17b84839c5a8d993bdd04a21ac5c6ffd2f035a07c7e
  SHA512: 843ffb4403e53a9476f065bfa22fff023cf06a61bae76606f993f38755e12dd9d989fb38f0b1ea2cfec352e59a02a28332ad1bacc56e819dd7eb688a42c30d85