Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
19-05-2024 18:24
Static task
static1
Behavioral task
behavioral1
Sample
5ac6c60b8d52c546cf33cc04eda2fb18_JaffaCakes118.dll
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
5ac6c60b8d52c546cf33cc04eda2fb18_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
5ac6c60b8d52c546cf33cc04eda2fb18_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
5ac6c60b8d52c546cf33cc04eda2fb18
-
SHA1
7b4968ef7409ccae84ac1bd22814dd5d41069f0b
-
SHA256
e0475dd17f50e05ef796dc93da5e2e8f65567998ed4b4783eb7865f2be82b023
-
SHA512
5cf29473d2f0a14c3b51b22088d16ecf81c3ca050348a91187fcff357513da071a383882599d6f8f9ea2a7c0a6d1c53081f43a3f44d33c78a3a66f834a6cb645
-
SSDEEP
12288:yebLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7:zbLgddQhfdmMSirYbcMNge
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3248) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
3224  mssecsvc.exe
3560  mssecsvc.exe
2108  tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
description   ioc                       process
File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
description      ioc                                                                                                             process
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description                         pid   process       target process
PID 3752 wrote to memory of 932     3752  rundll32.exe  rundll32.exe
PID 3752 wrote to memory of 932     3752  rundll32.exe  rundll32.exe
PID 3752 wrote to memory of 932     3752  rundll32.exe  rundll32.exe
PID 932 wrote to memory of 3224     932   rundll32.exe  mssecsvc.exe
PID 932 wrote to memory of 3224     932   rundll32.exe  mssecsvc.exe
PID 932 wrote to memory of 3224     932   rundll32.exe  mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ac6c60b8d52c546cf33cc04eda2fb18_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:3752
  -
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ac6c60b8d52c546cf33cc04eda2fb18_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:932
    -
    C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:3224
      -
      C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:2108
-
C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:3560
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.6MB
MD5 ac15c0ef7b0cfd62f087ccb06db91f5d
SHA1 97c55ce90ecb1197d39c4b3c3f954bd8105c1c31
SHA256 40c89149489eb496635372b379a8f5437c01013d0119a480031a183c9fff4b37
SHA512 90de24ed02957057ab5dcb5e97fc03f1165ac97dff491709854eaec2c959c65e10b8a1ca17ee87d3a147d0c6b22d55b86ca99c8365e794271a0179dbf6cf3c94
-
Filesize
3.4MB
MD5 34f58fbfb5b65d11ddc3b677b9907737
SHA1 c5e77e73425a71201303fdc5d9ad47d466c57a4f
SHA256 d1843b9bbc6b2b0ada802108622174ec06a7602f072d72f9b94f1061ba174e03
SHA512 3320d98e7eb92cda02aff16e7cd47b2c2ca5c7e43b581bc78fa1321f82ccb85f0bf619071e3cb5304a4ac526cb9f4cc5c1e1533c8035ebc2f4000211ea12f1d5