Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 03:22
Static task: static1
Behavioral task: behavioral1
  Sample: 5cedf628866eef92df09341a720db13c_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 5cedf628866eef92df09341a720db13c_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
- Target: 5cedf628866eef92df09341a720db13c_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 5cedf628866eef92df09341a720db13c
- SHA1: 0f7579ba3e6e41fe8211d0e90ceb0d1cec645ec1
- SHA256: b641037e26c57e6f3839df9d388ec8d2c3167090e313f89e8b5012dbc3830b1b
- SHA512: e666c6e857105d32c34d8f8f4a489d915b472ef174c65fa3b50f9fca63db73f7d118fc22566d212b906973e6a420cf361f494320a2624b0e5390dc898542183f
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kI29PO6LLuYAMEcpcL7nEaDNZtA0p+9Z:SnAQqMSPbcBVQej/N9PAMEcaEaDlAH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3334) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid   process
    3432  mssecsvc.exe
    2788  mssecsvc.exe
    2904  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description   ioc                        process
    File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
    File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
    description      ioc                                                                                                              process
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                    pid   process       target process
    PID 2892 wrote to memory of 2804  2892  rundll32.exe  rundll32.exe
    PID 2892 wrote to memory of 2804  2892  rundll32.exe  rundll32.exe
    PID 2892 wrote to memory of 2804  2892  rundll32.exe  rundll32.exe
    PID 2804 wrote to memory of 3432  2804  rundll32.exe  mssecsvc.exe
    PID 2804 wrote to memory of 3432  2804  rundll32.exe  mssecsvc.exe
    PID 2804 wrote to memory of 3432  2804  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cedf628866eef92df09341a720db13c_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2892
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cedf628866eef92df09341a720db13c_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2804
    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 3432
      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2904
- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 2788
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: aff14b466d82984703b5628328cf9ddf
  SHA1: 0b4118a94826ce74040ae2daaf3c625e6dbf5096
  SHA256: 3eefb2cfe6d4e562165a9d404f3b25e84e5fc763dfb9efbbcdec57cdc81aba63
  SHA512: 75eda47898406f391ea484685f026823dcec25c24b76b1cd31b7c3dc5f38b12e72acff8d2b5221c43ff8b6bb11f956a5147c0389aa0088fe04522776d1ab2081
- Filesize: 3.4MB
  MD5: b6080a4008ec849e25657b077f122318
  SHA1: 10ef785d015da5e7d004ebe1185f257b753b719f
  SHA256: 300a17f61a1aeed819f4b0e139402eac2f5fa903600f197e63e1eb06fb0c3ffd
  SHA512: 004ccb55e9e5ae57eef471ad53d2ca6ecec9a6db56ae35c8dc8045d348b6b066a349794afa189b74b65507fd6728009390ef7b7e948bea45ffe758ee2b27f55a