Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 09:35
Static task
- static1

Behavioral task
- behavioral1
  Sample: 66d0167dff2512c96e488373c9303581_JaffaCakes118.dll
  Resource: win7-20240221-en

Behavioral task
- behavioral2
  Sample: 66d0167dff2512c96e488373c9303581_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 66d0167dff2512c96e488373c9303581_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 66d0167dff2512c96e488373c9303581
- SHA1: 84e3e17eb781d27d4f7300ce2b655a582466095c
- SHA256: 985dcbeb48e5edc2045350bf29dc7f58ea21289a43a3aac5325ec6e937a9baab
- SHA512: b4d0995353ad63f9e9a504a9517cb53175aae9034cd94ae35a8ea1dbb3b7d62a15ec8ea779ca2e4d480d143fbe92af5621dd0e22fcb88c66fc6f533f3b4592ca
- SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAF:TDqPoBhz1aRxcSUDk36SAQ
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3228) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    3708  mssecsvc.exe
    3228  mssecsvc.exe
    4380  tasksche.exe

- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                      process
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe

- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description      ioc                                                                                                            process
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                     pid   process       target process
    PID 32 wrote to memory of 2156    32  rundll32.exe  rundll32.exe
    PID 32 wrote to memory of 2156    32  rundll32.exe  rundll32.exe
    PID 32 wrote to memory of 2156    32  rundll32.exe  rundll32.exe
    PID 2156 wrote to memory of 3708  2156 rundll32.exe  mssecsvc.exe
    PID 2156 wrote to memory of 3708  2156 rundll32.exe  mssecsvc.exe
    PID 2156 wrote to memory of 3708  2156 rundll32.exe  mssecsvc.exe
Processes (process tree; the number after each entry is its depth in the tree)
- [1] C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\66d0167dff2512c96e488373c9303581_JaffaCakes118.dll,#1
  PID: 32
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\66d0167dff2512c96e488373c9303581_JaffaCakes118.dll,#1
    PID: 2156
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - [3] C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3708
      - Executes dropped EXE
      - Drops file in Windows directory
      - [4] C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4380
        - Executes dropped EXE
- [1] C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3228
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 48637e9649afe06bc844e29ab5866331
  SHA1: 551edf88324651f8b4a48b895fbfeb2cb2cbb99a
  SHA256: 05af869be1280c1bf69fb55724abe22176aedbf21c7eb35bbe175b8c44e5b2a7
  SHA512: 1a67fe25bee3f41e4d1f6071cc2ada77e3d9a792a7ccc6e1ec3794a28e6e86a48b720208ec892e73b9f224057b900c4148ec35289129254b53b27ad258063c38

- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: fa6751bcac3563b1aa9a2379ebf5eb22
  SHA1: 60095fa548b52ffd7fd20b860101b0221099507f
  SHA256: 5ad7aaa402afedcd1eeb2c3ef8d327392b2ab488730abae12bf0d6274c9bca45
  SHA512: 21c55dbfdb2c80fc47600b45acca90c3ea9a8130cd32f93b2fa74abe62492e58c4d075aca1908d43350d44bae173fa2ede42f6aa50baf9badf496887441179e2