Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
21-05-2024 14:43
Static task
static1
Behavioral task
behavioral1
Sample
63a991006af2616ad323958bbd347c90_JaffaCakes118.dll
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
63a991006af2616ad323958bbd347c90_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
63a991006af2616ad323958bbd347c90_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
63a991006af2616ad323958bbd347c90
-
SHA1
cc0d90b22aa8053ea9e132889bca45e43ca900ac
-
SHA256
253d832ea20c6faee0825c1926b2412686c83f9f1521a7817bd91df1ae0208e6
-
SHA512
ac5abaf38c705713051debaf9f0133ee26eb53aff619e9a747d916b4861abf254a0cacd45b76207053e5fd849127716526779b856b4507102dfd63b819bf2144
-
SSDEEP
49152:SnAQqMSPbcBV3GGafYzflm+fZTFZIGayscOqd2vC0+KtARUbfMpr7WvCS:+DqPoBQ+iUP0e9y0lWCS
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3214) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 3796 mssecsvc.exe 4816 mssecsvc.exe 4216 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 4880 wrote to memory of 3364 4880 rundll32.exe rundll32.exe PID 4880 wrote to memory of 3364 4880 rundll32.exe rundll32.exe PID 4880 wrote to memory of 3364 4880 rundll32.exe rundll32.exe PID 3364 wrote to memory of 3796 3364 rundll32.exe mssecsvc.exe PID 3364 wrote to memory of 3796 3364 rundll32.exe mssecsvc.exe PID 3364 wrote to memory of 3796 3364 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\63a991006af2616ad323958bbd347c90_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\63a991006af2616ad323958bbd347c90_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5e3470119fcdc427ded9b855266f82519
SHA139e9310121959419626d3b22006b0376d78cdd32
SHA256ced86f4c57c78f324255ff9a9155bee14666c8071c0ffa3259f2758bbd90887a
SHA512dceec1e2396caca65cebe9bc4012d70bde61c3e499056dae3ab383c0345d3875cb607b9532ce078bae3c8658cb69861bd7d3627ad393ad22e85431e8335881c4
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD501916ac258df00f20ba378fc16171988
SHA198b55baf8f888c32dff7243d8aa101b55b95935c
SHA256c05c1eb1a71ad332cb0c3121f66626408770489589510eec49f804167df44508
SHA512daed04dce12a91bc362a524df194fdb01c5a753b0580950f5eefd1575b94aed6c73a8ddc421a41eb78e99d82d528b62d16b561b353ca9e24a284c38af6d2fa71