Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
19-05-2024 18:48
Static task
static1
Behavioral task
behavioral1
Sample
5ae5baa664e07d14aed5dfebbefba84b_JaffaCakes118.dll
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
5ae5baa664e07d14aed5dfebbefba84b_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
5ae5baa664e07d14aed5dfebbefba84b_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
5ae5baa664e07d14aed5dfebbefba84b
-
SHA1
38b14ab595ad454b4ad0c42fb33f271d74b5a03d
-
SHA256
bc3fa3aa010bd5abbd65b30a8c8b8ef5353d3ea550985ceb74b0b2af3cb2a7c7
-
SHA512
eb4f6f51cf8bbbce35c65ce38dd0f083290e8c7a9acc3e9517d2a4df863aebda15fa46d1edee5e7b67465af2479a20a16a81895a291406e4584ba4606ae571ca
-
SSDEEP
98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9s3R8yAVp2H:+DqPe1Cxcxk3ZAEUacR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3268) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 3820 mssecsvc.exe 3932 mssecsvc.exe 1144 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1008 wrote to memory of 4544 1008 rundll32.exe rundll32.exe PID 1008 wrote to memory of 4544 1008 rundll32.exe rundll32.exe PID 1008 wrote to memory of 4544 1008 rundll32.exe rundll32.exe PID 4544 wrote to memory of 3820 4544 rundll32.exe mssecsvc.exe PID 4544 wrote to memory of 3820 4544 rundll32.exe mssecsvc.exe PID 4544 wrote to memory of 3820 4544 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5ae5baa664e07d14aed5dfebbefba84b_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1008 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5ae5baa664e07d14aed5dfebbefba84b_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3820 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:1144
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3932
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\WINDOWS\mssecsvc.exeFilesize
3.6MB
MD5271614d5e0e6a2a4e7d8c003e6874390
SHA1e1cc9f3d32e62b3c1f5057f987e8504cec7b1585
SHA25605bd3b58e31c3070ce34ac8d7f7dfff4c687cdca12a2ce4ad6a1733eb4c86115
SHA512745dbcd15ff11adfaa0d0535d294879cc5ffaa558eb85003efe9e11e28a859f06a986fa24706b27196f29488283af456c29501603a145d3c4296d7cd3096934b
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD58bbc10d1351a924955ce282a8dccc640
SHA16995d53c64729fa35969f7e747f8129469a3d0f1
SHA256be7944d0d4141c1de8f077f10c27e1d0fe5734e2b3083e645069d36cef986faf
SHA512883a190d6614034dc722b3495097d97363e7340d3f1c024b8284ca837ddf3bf1a74decd83a6d63fe2a19f8af3b740ddedda29d94c241a080e8ccc54b6fb47b16