Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-05-2024 20:02
Static task: static1
Behavioral task: behavioral1
- Sample: 5b3412cf9da09f48a57e6ee6f4ef2596_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 5b3412cf9da09f48a57e6ee6f4ef2596_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 5b3412cf9da09f48a57e6ee6f4ef2596_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 5b3412cf9da09f48a57e6ee6f4ef2596
- SHA1: 868d04b8ddee6565350620c734cb100d97095f68
- SHA256: 435afbf193eaa6ba5a2718bce0b707b3b548345fac3c7b941c66502202fb43ca
- SHA512: 91f3df2ba689fec90dbf096e770a889ec36dc94c5d3663bdecc3c9e9064f1596a0d823cab83987bf20b6a0d6e8eda9d849d387e3a2d35b8c35a877886f3cc9f9
- SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593Y:TDqPe1Cxcxk3ZAEUadzY
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3319) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 2972: mssecsvc.exe
  - PID 4380: mssecsvc.exe
  - PID 3084: tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
  - File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (process: mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (process: mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (process: mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (process: mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (process: mssecsvc.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  - PID 4920 wrote to memory of 2572 (rundll32.exe -> rundll32.exe)
  - PID 4920 wrote to memory of 2572 (rundll32.exe -> rundll32.exe)
  - PID 4920 wrote to memory of 2572 (rundll32.exe -> rundll32.exe)
  - PID 2572 wrote to memory of 2972 (rundll32.exe -> mssecsvc.exe)
  - PID 2572 wrote to memory of 2972 (rundll32.exe -> mssecsvc.exe)
  - PID 2572 wrote to memory of 2972 (rundll32.exe -> mssecsvc.exe)
Processes
- C:\Windows\system32\rundll32.exe (PID 4920)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b3412cf9da09f48a57e6ee6f4ef2596_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2572)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b3412cf9da09f48a57e6ee6f4ef2596_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2972)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 3084)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 4380)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 9bf9e8f8a52c974c40852b3040647b42
  SHA1: ce185b9756b05fd5fb8949b400291d148472d037
  SHA256: 8376b88ef7462681ba76b80f47004d477eebe6360b2cc97a191cccf9763e5661
  SHA512: f5e5a2ed73c474fab761fcd17da745a2cfb7ababb2aff9b17eeecfc3946398ff0ad71ebf613928bf4b1f88240b268688c82e7f3f7bf2fbadb43567e101874793
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 6766b2c84517f32b7b4e855663693601
  SHA1: 829f8e75eb3da162c8ce48bed80bbc7dfeba63de
  SHA256: 102136b8ac96b5edf4b0450a734e24b850b51e8f3dafd347d5b85bb202a29b2a
  SHA512: 0f302cd516aa838cd3103ec71e1584995548a1115c87f28d736ff526ccfab16359ebd1ce31d1707e4fbdb7a649f4f35cb4dd9f4c5dc380f2a1540750cea43577