Analysis
max time kernel: 150s
max time network: 163s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 22:28
Static task: static1
Behavioral task: behavioral1
  Sample: 5bcf369a4097b8056922510ad87e79e2_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 5bcf369a4097b8056922510ad87e79e2_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 5bcf369a4097b8056922510ad87e79e2_JaffaCakes118.dll
Size: 5.0MB
MD5: 5bcf369a4097b8056922510ad87e79e2
SHA1: 37c351addc6665ea4a00c7d82d7072042b814bf3
SHA256: 655b2581303778df55a5f50edeb62e237ac93187f69168feb2102741a75d8c1b
SHA512: 9a38561cacd885cdc85487d0fcf2e8b4d2ac39438d5ea6c870df9f2544567992624502b68326fc68018da7ca1b60de105578b6a78ec54bf133356118dcd4e8ce
SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQ:TDqPoBhz1aRxcSUDk
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.
Contacts a large (3244) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  116   mssecsvc.exe
  736   mssecsvc.exe
  2388  tasksche.exe
Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Drops file in Windows directory (2 IoCs)
Processes:
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
Modifies data under HKEY_USERS (5 IoCs)
Processes:
  description      ioc                                                                                                          process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                        pid   process       target process
  PID 3576 wrote to memory of 2960   3576  rundll32.exe  rundll32.exe
  PID 3576 wrote to memory of 2960   3576  rundll32.exe  rundll32.exe
  PID 3576 wrote to memory of 2960   3576  rundll32.exe  rundll32.exe
  PID 2960 wrote to memory of 116    2960  rundll32.exe  mssecsvc.exe
  PID 2960 wrote to memory of 116    2960  rundll32.exe  mssecsvc.exe
  PID 2960 wrote to memory of 116    2960  rundll32.exe  mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5bcf369a4097b8056922510ad87e79e2_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3576
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5bcf369a4097b8056922510ad87e79e2_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2960
    C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 116
      C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2388
C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 736
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.6MB
  MD5: 3e00e530b237ba2a197c7537e3b72c38
  SHA1: 928f7390c71aa53a9bcda12acb0b22f681261c54
  SHA256: 8fb5c80c995c40e0a64dd13dedffb17061968b54c4be43d4d7feed1fdc79abda
  SHA512: 22c53c36be4c923820a80f608dd28c968e316962bf054528657b38202b250120cda6d51844b75a3bede4bbfaf81faf0508fbd99a70e9343938728de0d7d3a95c
Filesize: 3.4MB
  MD5: 7ecb4baf9506742fbb1b7c6d2dd1504c
  SHA1: b2c64143fb2771bb6e56b9fdf9aabd32ea027a10
  SHA256: 7473c398611ef8dd88f13039a4da33368ed0ac5ff02ec7c96b1d17420288652d
  SHA512: f5cf7bfc3da1102508a7244721a2fffe4ced382cccc9ba921dc97a44533f824489ded9ca069984e49178244efefeaa28c3dda397dde21cff91357c65de6269d2