Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 13:51
Static task: static1
Behavioral task: behavioral1
- Sample: 5f6a324dca637003e4e3176a6f3e005a_JaffaCakes118.dll
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 5f6a324dca637003e4e3176a6f3e005a_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 5f6a324dca637003e4e3176a6f3e005a_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 5f6a324dca637003e4e3176a6f3e005a
- SHA1: f0bccfb37e2a5afe27e79d9dcca65e239cc18f31
- SHA256: 6c92686a13c94ac170d887061a2d82bfb922b22d4aaeefb6665a811087ea85e9
- SHA512: 667e1fd45bce9fb31d763f4b2753a3af97bfd562bd58f05a32b718e7b2f3502b417d9f04a5afd03b7e225ea8a613a32ab9b2a66c5b1980d4e27f1db13387df90
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAu3R8yAH1plA:+DqPoBhz1aRxcSUDk36SAt3R8yAVp2
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2997) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  3024  mssecsvc.exe
  3408  mssecsvc.exe
  4164  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description  | ioc                      | process
  File created | C:\WINDOWS\mssecsvc.exe  | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe  | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  description     | ioc | process
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
  All five writes land in the .DEFAULT hive, i.e. they come from the SYSTEM context of the `-m security` service instance (PID 3408); these are the ZoneMap values WinINet/URLMon populate when Internet Settings are first initialised in that profile, so treat them as corroboration of the service context rather than as a WannaCry-specific indicator on their own.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description         | pid  | process      | target process
  PID 4384 wrote to memory of 1148 | 4384 | rundll32.exe | rundll32.exe
  PID 4384 wrote to memory of 1148 | 4384 | rundll32.exe | rundll32.exe
  PID 4384 wrote to memory of 1148 | 4384 | rundll32.exe | rundll32.exe
  PID 1148 wrote to memory of 3024 | 1148 | rundll32.exe | mssecsvc.exe
  PID 1148 wrote to memory of 3024 | 1148 | rundll32.exe | mssecsvc.exe
  PID 1148 wrote to memory of 3024 | 1148 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 4384, depth 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f6a324dca637003e4e3176a6f3e005a_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1148, depth 2)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f6a324dca637003e4e3176a6f3e005a_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 3024, depth 3)
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 4164, depth 4)
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 3408, depth 1)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
The 64-bit system32 rundll32.exe hands the 32-bit DLL (resource tag arch:x86) off to the SysWOW64 copy, and it is that second instance (PID 1148) that writes C:\WINDOWS\mssecsvc.exe and starts it; the second mssecsvc.exe (PID 3408, `-m security`) is the service instance with no parent in the tree.
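The behaviours in the Signatures and Processes sections above (the rundll32.exe -> mssecsvc.exe -> tasksche.exe chain, the two executables created directly under C:\WINDOWS, the ZoneMap writes in the .DEFAULT hive, and the burst of connections behind the 2997-host signature) translate directly into endpoint detection rules. The following is an added example, not part of the sandbox report and not any vendor's detection content; it runs those rules over a constructed set of Sysmon-style events (process create, file create, registry value set, network connect) that mimic this run. The `services.exe` parent for the service instance, the `sample.dll` name in the command line, and the threshold of 100 distinct 445/tcp peers per process are assumptions.

```python
"""Endpoint detection rules for the behaviour in the sandbox report above,
run over constructed Sysmon-style events. Added example; not part of the
report and not any vendor's detection content."""
from collections import defaultdict

# Constructed sample events (not taken from the sandbox run). Field names
# loosely follow Sysmon Event IDs 1 (process create), 11 (file create),
# 13 (registry value set) and 3 (network connect).
SAMPLE_EVENTS = [
    {"id": 1, "pid": 1148, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample.dll,#1"},
    {"id": 11, "pid": 1148, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "target": r"C:\WINDOWS\mssecsvc.exe"},
    {"id": 1, "pid": 3024, "image": r"C:\WINDOWS\mssecsvc.exe",
     "parent_image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"id": 11, "pid": 3024, "image": r"C:\WINDOWS\mssecsvc.exe",
     "target": r"C:\WINDOWS\tasksche.exe"},
    {"id": 1, "pid": 4164, "image": r"C:\WINDOWS\tasksche.exe",
     "parent_image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"id": 1, "pid": 3408, "image": r"C:\WINDOWS\mssecsvc.exe",
     "parent_image": r"C:\Windows\System32\services.exe",  # assumed service start
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"id": 13, "pid": 3408, "image": r"C:\WINDOWS\mssecsvc.exe",
     "target": r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap\UNCAsIntranet", "value": 1},
    # Benign noise: a user file write and a single SMB connection.
    {"id": 11, "pid": 500, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\Admin\notes.txt"},
    {"id": 3, "pid": 500, "image": r"C:\Windows\explorer.exe",
     "dst": "10.0.0.5", "dport": 445},
]
# Propagation burst (constructed): one process connecting to 300 distinct hosts on 445/tcp.
SAMPLE_EVENTS += [
    {"id": 3, "pid": 3408, "image": r"C:\WINDOWS\mssecsvc.exe",
     "dst": f"10.0.{i // 256}.{i % 256}", "dport": 445}
    for i in range(300)
]

DROPPED_NAMES = {"mssecsvc.exe", "tasksche.exe"}
ZONEMAP_VALUES = {"proxybypass", "intranetname", "uncasintranet"}
SCAN_THRESHOLD = 100  # distinct 445/tcp peers per process; assumed tuning value


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_dropped_exe_in_windows(ev):
    """File created directly under C:\\WINDOWS\\ with one of the dropper names."""
    if ev["id"] != 11:
        return False
    parent_dir = ev["target"].lower().rsplit("\\", 1)[0]
    return parent_dir == r"c:\windows" and basename(ev["target"]) in DROPPED_NAMES


def rule_dropper_process_chain(ev):
    """rundll32.exe spawning mssecsvc.exe, or mssecsvc.exe started with -m security."""
    if ev["id"] != 1:
        return False
    if basename(ev["image"]) != "mssecsvc.exe":
        return False
    return (basename(ev["parent_image"]) == "rundll32.exe"
            or "-m security" in ev["cmdline"].lower())


def rule_zonemap_tamper(ev):
    """ZoneMap ProxyBypass/IntranetName/UNCAsIntranet set to 1 in the .DEFAULT hive."""
    if ev["id"] != 13:
        return False
    t = ev["target"].lower()
    return ("\\.default\\" in t and "\\zonemap\\" in t
            and basename(ev["target"]) in ZONEMAP_VALUES and ev["value"] == 1)


def scanning_processes(events, threshold=SCAN_THRESHOLD):
    """Map (pid, image) -> distinct 445/tcp peer count, for processes at or over the threshold."""
    peers = defaultdict(set)
    for ev in events:
        if ev["id"] == 3 and ev.get("dport") == 445:
            peers[(ev["pid"], ev["image"])].add(ev["dst"])
    return {k: len(v) for k, v in peers.items() if len(v) >= threshold}


def triage(events):
    """Run every rule over the event stream; return rule name -> list of hit PIDs."""
    hits = defaultdict(list)
    for ev in events:
        for rule in (rule_dropped_exe_in_windows, rule_dropper_process_chain,
                     rule_zonemap_tamper):
            if rule(ev):
                hits[rule.__name__].append(ev["pid"])
    for (pid, _image), _count in scanning_processes(events).items():
        hits["smb_scan"].append(pid)
    return dict(hits)


if __name__ == "__main__":
    for name, pids in triage(SAMPLE_EVENTS).items():
        print(f"{name}: PIDs {pids}")
```

The per-event rules are cheap and specific to this dropper, while the 445/tcp peer-count rule is the one that generalises: it fires on any process fanning out to many SMB hosts, which is the worm behaviour the "Contacts a large amount of remote hosts" signature is describing, so tune `SCAN_THRESHOLD` against legitimate scanners and backup agents in your own environment before deploying it.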
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 777caf590b80ec7f8d043d69d13eb3e8
  SHA1: 17ae4be358cb7923f7f161160d2210312a8b8146
  SHA256: 257eea1f0b058dc5c3e8773d0491c87699d9612b89c1bacd4916c78e03661e5a
  SHA512: a8ca6bce5f5d52b0137dae595ee56ce95ee7d7eef143b160cfdf0ef4c037cc4804fe06d39c459b10584823e9cf01c2920e69fdc69ee3aebae831dddfdb7904e6
- Filesize: 3.4MB
  MD5: 9464efdb9950199ac4985f0db3305361
  SHA1: 0e7120281640859940fdec098c66b33efde1125b
  SHA256: 5555abbc0d88b011af5b2c904f05c8db40bc52787e67be19ff7aad2c20beb45d
  SHA512: 342915529130283aa5a1e7df193da0bff5258f8f799147051bfa9fb03701b7381707e7dcd7b3126c1f97c4d2e144b9dcc30c8e785ffabc3c40e35060126a1ee2