Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-05-2024 13:34
Static task: static1
Behavioral task: behavioral1
  Sample: 5f57d4d7c53e14dd87a88bbe181d9d00_JaffaCakes118.dll
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 5f57d4d7c53e14dd87a88bbe181d9d00_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 5f57d4d7c53e14dd87a88bbe181d9d00_JaffaCakes118.dll
Size: 5.0MB
MD5: 5f57d4d7c53e14dd87a88bbe181d9d00
SHA1: 143026c0bd482834da35f214542070b05a0dbcba
SHA256: 0f9060ba65a98d39a9b4c1ebb20b9792a45a553bf94e04fe218abe7bfc7db336
SHA512: 0f529ceb51fba1588654632e2b52832fe9e0b7ba70d0239ca63bbc616206bd4b8fff5d921fb672dfc1dd38195931dccd95db0ec3155ce7167006e084439ed2c4
SSDEEP: 24576:zbLgddQhfdmMSirYbcMNgef0QeQjG/D8ki:znAQqMSPbcBVQej/
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3338) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    1184  mssecsvc.exe
    4100  mssecsvc.exe
    1788  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 4400 wrote to memory of 2744  4400  rundll32.exe  rundll32.exe
    PID 4400 wrote to memory of 2744  4400  rundll32.exe  rundll32.exe
    PID 4400 wrote to memory of 2744  4400  rundll32.exe  rundll32.exe
    PID 2744 wrote to memory of 1184  2744  rundll32.exe  mssecsvc.exe
    PID 2744 wrote to memory of 1184  2744  rundll32.exe  mssecsvc.exe
    PID 2744 wrote to memory of 1184  2744  rundll32.exe  mssecsvc.exe
Processes (process tree; the number in parentheses is the depth in the tree)
(1) C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f57d4d7c53e14dd87a88bbe181d9d00_JaffaCakes118.dll,#1
    signatures: Suspicious use of WriteProcessMemory
  (2) C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f57d4d7c53e14dd87a88bbe181d9d00_JaffaCakes118.dll,#1
      signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    (3) C:\WINDOWS\mssecsvc.exe
        command line: C:\WINDOWS\mssecsvc.exe
        signatures: Executes dropped EXE; Drops file in Windows directory
      (4) C:\WINDOWS\tasksche.exe
          command line: C:\WINDOWS\tasksche.exe /i
          signatures: Executes dropped EXE
(1) C:\WINDOWS\mssecsvc.exe
    command line: C:\WINDOWS\mssecsvc.exe -m security
    signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: c769f5df594e21e5b8a9e2d7177b3e29
  SHA1: 71dcf900b2134cf5c4c4839c6904c99b5cd26722
  SHA256: 709b00ef860a1f694789d343de09c632b6323e45d0b5cd563c7d25acceb3b022
  SHA512: 088cf56800e48d77de3c72efd866778bd139b652a822d4134853b2ec21cf8d3450a0c7acc794f0187924522b114ad0d15e369396887d683d4b8470000bab18e8
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 385c31ff3c59303ab6dedfe447bc969e
  SHA1: 65497f515c2d7b225926479bd3b3f748d0e89254
  SHA256: c038735b7270f0a504d84522b9e5e133b4472230b3b0380f30863bfcf6d78d1f
  SHA512: 2ed7b20c6042c33c68933a203025e0f10aa02d1a887f2506cd3d4a710f70e52f84eb6d10f42241ed50b4bd17f21cf4171e925f125aa87a7d10e056dc1d6c9976