Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
19-05-2024 05:12
Static task
static1
Behavioral task
behavioral1
Sample
58b7152ec0599aaf336db5f8df6e3647_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
58b7152ec0599aaf336db5f8df6e3647_JaffaCakes118.dll
Resource
win10v2004-20240426-en
General
-
Target
58b7152ec0599aaf336db5f8df6e3647_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
58b7152ec0599aaf336db5f8df6e3647
-
SHA1
bfcafc318679ec430a5d88d32f9476db35c108af
-
SHA256
e82f6b644a96bf2319c217eab06d7fc0c2e4b1a49d15895e7959231e4521da86
-
SHA512
e6df2efd598a58209c361d226c1a5caab6619a7a4911f5a9c3549ee1c447e9068cffc6dc906511ecc1db61c9b3c65067479a30ed0de59da801f9acbec38fa520
-
SSDEEP
98304:TDqPoBhz1aRxcSUZk36SAEdhvxWa9P5uR8yAVp2H:TDqPe1Cxc7k3ZAEUadgR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3289) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1208 mssecsvc.exe 4512 mssecsvc.exe 5080 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
mssecsvc.exerundll32.exedescription ioc process File created C:\WINDOWS\tasksche.exe mssecsvc.exe File created C:\WINDOWS\mssecsvc.exe rundll32.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1392 wrote to memory of 2940 1392 rundll32.exe rundll32.exe PID 1392 wrote to memory of 2940 1392 rundll32.exe rundll32.exe PID 1392 wrote to memory of 2940 1392 rundll32.exe rundll32.exe PID 2940 wrote to memory of 1208 2940 rundll32.exe mssecsvc.exe PID 2940 wrote to memory of 1208 2940 rundll32.exe mssecsvc.exe PID 2940 wrote to memory of 1208 2940 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\58b7152ec0599aaf336db5f8df6e3647_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\58b7152ec0599aaf336db5f8df6e3647_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1208 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:5080
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4512
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD558091afae2724ff87eaffe7094c46bd9
SHA15208f090ddf4c4f7188aaea70a9af7446ceef673
SHA25683519ac27cddf8ffbb13aafb222e785be524979295d9c31f7e442513ab53668d
SHA512e14ed656e4aef6b6e2fa98db68491bb3058f4d248c4d37e82ba07d99c7de086addaa9ba76c3d0460dcaa4d137ebce328b7f70dc7b367b068ecb1cce1f3e9774c
-
Filesize
3.4MB
MD5db907ac4209f3d5f7e04a4eec7c684ef
SHA11b282679e203159340fc5c4553095e1718f581dd
SHA25602be61c18e061e7b410f76a3685b5e18c13f506fc7b136f75413c45171d1f8d7
SHA5125bedd41a11ff739260bbd0553e55d365109733df1a722cfd8284e71abe8a347a04d0f282e1593711b79168773712fe8b5b0c66baa7eb0a480a09084577945531