Analysis
  max time kernel: 150s
  max time network: 152s
  platform: windows10-2004_x64
  resource: win10v2004-20240426-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 20-05-2024 02:15
Static task: static1
Behavioral task: behavioral1
  Sample: 5cab58ca89303bf395a7a21c0d81b891_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5cab58ca89303bf395a7a21c0d81b891_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
  Target: 5cab58ca89303bf395a7a21c0d81b891_JaffaCakes118.dll
  Size: 5.0MB
  MD5: 5cab58ca89303bf395a7a21c0d81b891
  SHA1: 0354d0a4ebb2255d10f3dc68c15c74bb745fd082
  SHA256: 235303a669bc611ea436a4a300c3171c085cc32c0d3dad4f4c720ebe64f8c0d7
  SHA512: c84b21fc53e24f649103a9a1e43e6511889e9cc1a98366aa890d173f7c5be1700533bc97ed6caac0da0de895558af5fd7be5e47749f645ba254360c1c74ad15d
  SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRdsb53K7jSWl1y:SnAQqMSPbcBVQej/1dsNwHl1
Malware Config
Signatures
  Wannacry
    WannaCry is a ransomware cryptoworm.
  Contacts a large (3286) amount of remote hosts (1 TTPs)
    This may indicate a network scan to discover remotely running services.
  Executes dropped EXE (3 IoCs)
    Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
      PID   Process
      4812  mssecsvc.exe
      1716  mssecsvc.exe
      3916  tasksche.exe
  Creates a large amount of network flows (1 TTPs)
    This may indicate a network scan to discover remotely running services.
  Drops file in Windows directory (2 IoCs)
    Processes: rundll32.exe, mssecsvc.exe
      Description   IoC                       Process
      File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
      File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
  Modifies data under HKEY_USERS (5 IoCs)
    Processes: mssecsvc.exe
      Description      IoC                                                                                                   Process
      Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
      Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
      Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
      Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
      Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
  Suspicious use of WriteProcessMemory (6 IoCs)
    Processes: rundll32.exe, rundll32.exe
      Description                       PID   Process       Target process
      PID 2780 wrote to memory of 4048  2780  rundll32.exe  rundll32.exe
      PID 2780 wrote to memory of 4048  2780  rundll32.exe  rundll32.exe
      PID 2780 wrote to memory of 4048  2780  rundll32.exe  rundll32.exe
      PID 4048 wrote to memory of 4812  4048  rundll32.exe  mssecsvc.exe
      PID 4048 wrote to memory of 4812  4048  rundll32.exe  mssecsvc.exe
      PID 4048 wrote to memory of 4812  4048  rundll32.exe  mssecsvc.exe
Processes
  C:\Windows\system32\rundll32.exe  [depth 1]
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cab58ca89303bf395a7a21c0d81b891_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 2780
    C:\Windows\SysWOW64\rundll32.exe  [depth 2]
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cab58ca89303bf395a7a21c0d81b891_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 4048
      C:\WINDOWS\mssecsvc.exe  [depth 3]
        Command line: C:\WINDOWS\mssecsvc.exe
        - Executes dropped EXE
        - Drops file in Windows directory
        PID: 4812
        C:\WINDOWS\tasksche.exe  [depth 4]
          Command line: C:\WINDOWS\tasksche.exe /i
          - Executes dropped EXE
          PID: 3916
  C:\WINDOWS\mssecsvc.exe  [depth 1]
    Command line: C:\WINDOWS\mssecsvc.exe -m security
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID: 1716
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 3.6MB
  MD5: 7eeaacbd5f313fc56e07647f60238244
  SHA1: acda2b34c4e3788a1fad97cafb6d087e19f111d3
  SHA256: d2b0cff38e4096f37fe8859fc17b5b589a4dfb7ea89dee6c6c02631d5ff25dff
  SHA512: fe090baca777c8ccebe020f6dd577d14c259f5e53a7591466035d57c1a4520fda384d2bbf8f1d4cbf5d6746632bd0d8e1d2af49749b60d37e48d99738b37bf30

  Filesize: 3.4MB
  MD5: e12f85b3cbc8a466ddce8dfc4034fabf
  SHA1: 2c4f27164c44058c4b60b45cfd67dc4f3361b8c6
  SHA256: dadc4dd02b14bfca85a0dfc06bf8cbace568386c5fafa35e4bb6a26d47f03ea5
  SHA512: 080016307b18f947629b42650221eb024b08f6cd3c692928da1f6492bb81c7ae5d8839beb79db625f1d70a41120c880fe408ddd7ca1db0e73c989c42814f355f