Analysis
max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted
22-05-2024 10:17
Static task
static1
Behavioral task
behavioral1
Sample
66eb63d06adbb6cc6b89d1e9002cecff_JaffaCakes118.dll
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
66eb63d06adbb6cc6b89d1e9002cecff_JaffaCakes118.dll
Resource
win10v2004-20240426-en
General
Target
66eb63d06adbb6cc6b89d1e9002cecff_JaffaCakes118.dll
Size
5.0MB
MD5
66eb63d06adbb6cc6b89d1e9002cecff
SHA1
c96cb280b304bc42a197a2cd00504093adff0b89
SHA256
74ba89c3a5853f53a39ef8dfdd2afcc476b930f2aef152d1ce2752e9225f803b
SHA512
b86d7f336fea76da086099e4f89cd298b7bc84e93752daf2c23bade5f53c6773ff534ec3a655049c795c691fdcaf5017defd73172462822e7c11c9759fdde7d9
SSDEEP
49152:znAQqMSPbcBVQej/1nAMEcaEau3R8yAH1plAH:TDqPoBhz1n593R8yAVp2H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3248) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID   Process
  4296  mssecsvc.exe
  3276  mssecsvc.exe
  3888  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Description   IoC                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  All five writes are made by mssecsvc.exe under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\:
  Description      IoC                          Process
  Set value (int)  ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      ZoneMap\                     mssecsvc.exe
  The .DEFAULT hive is the profile used by LocalSystem, and these ZoneMap values are the kind WinINet/urlmon typically writes when first initialised in that context; on their own they are weak evidence, but here they tie the writes to the mssecsvc.exe -m security instance listed in the process tree.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Description                      PID   Process       Target process
  PID 464 wrote to memory of 3044  464   rundll32.exe  rundll32.exe
  PID 464 wrote to memory of 3044  464   rundll32.exe  rundll32.exe
  PID 464 wrote to memory of 3044  464   rundll32.exe  rundll32.exe
  PID 3044 wrote to memory of 4296 3044  rundll32.exe  mssecsvc.exe
  PID 3044 wrote to memory of 4296 3044  rundll32.exe  mssecsvc.exe
  PID 3044 wrote to memory of 4296 3044  rundll32.exe  mssecsvc.exe
  Both pairs (464 -> 3044, 3044 -> 4296) match parent/child edges in the process tree below, which is consistent with a parent writing into a child it has just created rather than with injection into an unrelated process.
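The two network signatures above ("Contacts a large (3248) number of remote hosts" and "Creates a large number of network flows") are threshold heuristics over per-process connection data. The following is an added example, not the sandbox's own signature code, showing how such a fan-out check is computed from flow records: distinct destinations, distinct /24 networks and flow count per process, compared against thresholds. The flow records are constructed for the example; the 3248-host count and the mssecsvc.exe name come from the report, while attributing the sweep to PID 3276, the 10.0.x.x peers, port 445, the explorer.exe control process and the threshold values are assumptions.

```python
"""Scan-style fan-out heuristic over per-process network flows.

Added example, not the sandbox's own signature code. It models the two
network signatures in this report as thresholds over distinct destinations
and flow counts per process. The flow records are constructed: the 3248-host
figure and the mssecsvc.exe name come from the report; the PID attribution,
peer addresses, port 445, the benign process and the thresholds are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    pid: int
    process: str
    dst_ip: str
    dst_port: int


# Assumed thresholds; tune per environment. A workstation rarely reaches
# hundreds of distinct peers within a two-minute sandbox run.
HOST_THRESHOLD = 100
FLOW_THRESHOLD = 200


def summarize(flows):
    """Per (pid, process): distinct hosts, distinct /24 networks, flow count, port histogram."""
    hosts = defaultdict(set)
    subnets = defaultdict(set)
    count = defaultdict(int)
    ports = defaultdict(lambda: defaultdict(int))
    for f in flows:
        key = (f.pid, f.process)
        hosts[key].add(f.dst_ip)
        subnets[key].add(ip_network(f"{f.dst_ip}/24", strict=False))
        count[key] += 1
        ports[key][f.dst_port] += 1
    return {
        k: {"hosts": len(hosts[k]), "subnets": len(subnets[k]),
            "flows": count[k], "ports": dict(ports[k])}
        for k in count
    }


def detect(flows, host_threshold=HOST_THRESHOLD, flow_threshold=FLOW_THRESHOLD):
    """Return [(pid, process, signature_name)] for every process over either threshold."""
    hits = []
    for (pid, proc), s in summarize(flows).items():
        if s["hosts"] >= host_threshold:
            hits.append((pid, proc, "Contacts a large amount of remote hosts"))
        if s["flows"] >= flow_threshold:
            hits.append((pid, proc, "Creates a large amount of network flows"))
    return hits


def build_sample_flows():
    """Constructed flows: one process sweeping 3248 hosts on a single port, plus a
    benign process with a handful of HTTPS connections (names and addresses assumed)."""
    flows = []
    for i in range(3248):  # 3248 distinct hosts, as counted in the report
        flows.append(Flow(3276, "mssecsvc.exe", f"10.0.{i // 256}.{i % 256}", 445))
    for i in range(6):
        flows.append(Flow(5120, "explorer.exe", f"203.0.113.{10 + i}", 443))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    for key, s in summarize(sample).items():
        print(key, s["hosts"], "hosts across", s["subnets"], "/24s;",
              s["flows"], "flows; ports", s["ports"])
    for hit in detect(sample):
        print("HIT", hit)
```

The subnet count is the useful extra: one process touching thousands of hosts spread over a dozen consecutive /24s on one port looks like a sweep, whereas the same flow count to a few hosts on many ports looks like ordinary client traffic, so a practitioner would weight the two shapes differently even when the raw thresholds agree.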
Processes
Each entry is the image path followed by the command line, then the signatures that fired for that process.
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\66eb63d06adbb6cc6b89d1e9002cecff_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\66eb63d06adbb6cc6b89d1e9002cecff_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
The DLL is entered through export ordinal #1. The 64-bit rundll32.exe in system32 re-launches its 32-bit counterpart in SysWOW64, which is what happens when it is handed a 32-bit DLL, and it is the 32-bit instance that drops mssecsvc.exe into C:\WINDOWS. The mssecsvc.exe -m security instance sits at the root of the tree rather than under rundll32.exe, so it was not spawned by the rundll32 chain that dropped it.
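The host-side signatures in this report ("Drops file in Windows directory", "Executes dropped EXE", "Modifies data under HKEY_USERS") and the process tree above can be reproduced from an endpoint event stream. The following is an added example, not the sandbox's own signature code, that runs those checks over a constructed, Sysmon-style list of ProcessCreate, FileCreate and registry events mirroring this report. PIDs, image paths, dropped file paths and the ZoneMap values are taken from the report; the event-type names, the parent PIDs of the two root processes (1000 and 700) and the benign svchost.exe event are assumptions.

```python
"""Host-side checks modelled on this report's process, file and registry signatures.

Added example, not the sandbox's own signature code. SAMPLE_EVENTS is a
constructed, time-ordered stream mirroring the report's rundll32.exe ->
mssecsvc.exe -> tasksche.exe chain. PIDs, image paths, dropped paths and
ZoneMap values come from the report; the event-type names, the parent PIDs
of the two root processes and the benign svchost.exe event are assumed.
"""

ZONEMAP = ("\\REGISTRY\\USER\\.DEFAULT\\Software\\Microsoft\\Windows"
           "\\CurrentVersion\\Internet Settings\\ZoneMap\\")
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\66eb63d06adbb6cc6b89d1e9002cecff_JaffaCakes118.dll"

SAMPLE_EVENTS = [  # constructed, time-ordered
    {"type": "ProcessCreate", "pid": 464, "ppid": 1000,  # parent pid assumed
     "image": r"C:\Windows\system32\rundll32.exe", "cmd": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "ProcessCreate", "pid": 3044, "ppid": 464,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmd": f"rundll32.exe {SAMPLE_DLL},#1"},
    {"type": "FileCreate", "pid": 3044, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "target": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "ProcessCreate", "pid": 4296, "ppid": 3044,
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmd": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "FileCreate", "pid": 4296, "image": r"C:\WINDOWS\mssecsvc.exe",
     "target": r"C:\WINDOWS\tasksche.exe"},
    {"type": "ProcessCreate", "pid": 3888, "ppid": 4296,
     "image": r"C:\WINDOWS\tasksche.exe", "cmd": r"C:\WINDOWS\tasksche.exe /i"},
    {"type": "ProcessCreate", "pid": 3276, "ppid": 700,  # parent pid assumed
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmd": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"type": "RegistryKeyCreate", "pid": 3276, "key": ZONEMAP},
    {"type": "RegistrySet", "pid": 3276, "key": ZONEMAP + "ProxyBypass", "value": 1},
    {"type": "RegistrySet", "pid": 3276, "key": ZONEMAP + "IntranetName", "value": 1},
    {"type": "RegistrySet", "pid": 3276, "key": ZONEMAP + "UNCAsIntranet", "value": 1},
    {"type": "RegistrySet", "pid": 3276, "key": ZONEMAP + "AutoDetect", "value": 0},
    # benign noise (assumed): a service writing a temp file under a Windows subdirectory
    {"type": "FileCreate", "pid": 900, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\wct1A2B.tmp"},
]

WINDOWS_ROOT = "c:\\windows\\"


def _norm(path):
    return path.lower()


def drops_in_windows_root(events):
    """'Drops file in Windows directory', narrowed to files written directly into the
    Windows root (subdirectories like Temp or System32 are routine for services; a new
    PE in the root is not). Returns [(writer_image, target)]."""
    hits = []
    for e in events:
        if e["type"] != "FileCreate":
            continue
        t = _norm(e["target"])
        if t.startswith(WINDOWS_ROOT) and "\\" not in t[len(WINDOWS_ROOT):]:
            hits.append((e["image"], e["target"]))
    return hits


def executes_dropped(events):
    """'Executes dropped EXE': a ProcessCreate whose image was written earlier in the
    stream. Returns [(dropper_pid, image, new_pid)]."""
    dropped, hits = {}, []
    for e in events:
        if e["type"] == "FileCreate" and _norm(e["target"]).endswith(".exe"):
            dropped[_norm(e["target"])] = e["pid"]
        elif e["type"] == "ProcessCreate" and _norm(e["image"]) in dropped:
            hits.append((dropped[_norm(e["image"])], e["image"], e["pid"]))
    return hits


def zonemap_writes(events):
    """'Modifies data under HKEY_USERS', restricted to the .DEFAULT ZoneMap keys.
    Returns [(pid, value_name, value)]; the key-creation event carries no value."""
    return [(e["pid"], e["key"].rstrip("\\").rsplit("\\", 1)[-1], e.get("value"))
            for e in events
            if e["type"].startswith("Registry") and _norm(e["key"]).startswith(_norm(ZONEMAP))]


def ancestry(events, pid):
    """Image names from pid up to the first untracked parent, child first."""
    parents = {e["pid"]: (e["ppid"], e["image"]) for e in events if e["type"] == "ProcessCreate"}
    chain = []
    while pid in parents:
        ppid, image = parents[pid]
        chain.append(image.rsplit("\\", 1)[-1])
        pid = ppid
    return chain


if __name__ == "__main__":
    print("Drops file in Windows directory:", drops_in_windows_root(SAMPLE_EVENTS))
    print("Executes dropped EXE:", executes_dropped(SAMPLE_EVENTS))
    print("Modifies data under HKEY_USERS:", zonemap_writes(SAMPLE_EVENTS))
    print("tasksche.exe ancestry:", " <- ".join(ancestry(SAMPLE_EVENTS, 3888)))
    print("mssecsvc.exe -m security ancestry:", " <- ".join(ancestry(SAMPLE_EVENTS, 3276)))
```

Pairing a file write with a later process start of the same path is what turns a single "file created in C:\WINDOWS" event into the stronger "dropped and executed" finding; the ancestry walk makes the report's tree shape explicit, with tasksche.exe four levels under the first rundll32.exe and the -m security instance rooting on its own because its parent is not in the stream.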
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Windows\mssecsvc.exe
  Filesize 3.6MB
  MD5 4d34f7d41477e33ba220565cda0f71a2
  SHA1 13d4f0416538686c65196ba8adef1d7de21ba10a
  SHA256 2b5554a30f65d6064bbf63ca18afdee574efb885d0c7e5f22bd6e805fbf01466
  SHA512 19092b210b5f0dfa77a2c5f010bcfff9fed7caa74cd3dd140f294b1d04a3759f282611da136eb1a04f3fb9651b6cd869d54b7ccaab83ef1158109517e86c9484
- C:\Windows\tasksche.exe
  Filesize 3.4MB
  MD5 629b889d481435fab3b4f7dd27cc9b5c
  SHA1 d8f87fa272a5b4482f7628ec32e27234fbfb3446
  SHA256 9bfa1377036b4df72a3e1389d39e030e497dd3bf6bc24e84199567733078e833
  SHA512 8d6ccf70554a6d715170426014b3f09efb8078b4b84a548a04f3fdf3f493b4a88a6fc02e1aef7eb480c69693aca475d4f35fa7d1f63a213e0f13fceb2c656d3b