Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 19:15
Static task: static1

Behavioral task: behavioral1
  Sample: 6bfff6a4e56407a80e4c4cddcf211656_JaffaCakes118.dll
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 6bfff6a4e56407a80e4c4cddcf211656_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 6bfff6a4e56407a80e4c4cddcf211656_JaffaCakes118.dll
Size: 5.0MB
MD5: 6bfff6a4e56407a80e4c4cddcf211656
SHA1: a4e5d4ac5cf090958ebfde098e60e83a698ffb0d
SHA256: a4ddeb368c41e168b4bdff4b3780ab0714901414831612e14a3b61e4946efdc1
SHA512: 181cb5db756a00adbf04ea0e9f80a5e0e6069f27c52a484106dfd2813656ee4a02a8a8f3a11be1029bbc0d98e7ffcb18cade4ee3c2645aa2cb0136d7b6ac176b
SSDEEP: 98304:TDqmSUDk36SAEdhvxWa9P593R8yAVp2H:TDqmxk3ZAEUadzR8yc4H
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3306) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  PID 3416  mssecsvc.exe
  PID 2096  mssecsvc.exe
  PID 1324  tasksche.exe

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
Processes: rundll32.exe, mssecsvc.exe
  description   ioc                        process
  File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
  File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
Processes: mssecsvc.exe
  description      ioc                                                                                                       process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: rundll32.exe, rundll32.exe
  description                         pid   process       target process
  PID 936 wrote to memory of 2424     936   rundll32.exe  rundll32.exe
  PID 936 wrote to memory of 2424     936   rundll32.exe  rundll32.exe
  PID 936 wrote to memory of 2424     936   rundll32.exe  rundll32.exe
  PID 2424 wrote to memory of 3416    2424  rundll32.exe  mssecsvc.exe
  PID 2424 wrote to memory of 3416    2424  rundll32.exe  mssecsvc.exe
  PID 2424 wrote to memory of 3416    2424  rundll32.exe  mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bfff6a4e56407a80e4c4cddcf211656_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6bfff6a4e56407a80e4c4cddcf211656_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: cf41fcbc785c71e684f656b1b150a441
  SHA1: 286ef2c9adc3ff4e7b29a35cd049dad0dedeeb14
  SHA256: 378c55de31c93d3bdc1c9676f6c25ce388b553fa3254d04ba106eeba7b7c868e
  SHA512: db1a6522af7975e4e31b6d525fc69ce9019a6e64788852bdc760a47dc2ef065717198ec6ae619bc8625b29cf0b9ad157c899cd86a60f66488831a09e1534a619

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 471388c9757c47e3ebbb868d2799516b
  SHA1: 5bb81eefc7ca24fe57f2e62b1006ca85840e1862
  SHA256: f5b1f32486a9c53d63d7a43f2e0742fcb7426036bf4f729a82e7e9922ac0a4b3
  SHA512: bef3ef94f2cdff254ca530740272095b4c6cfd628953c1deda8d6b0cfb8cd423176e510ff8fcd66b21599211258f31921ccd67bc768ae9feadcf2d27774f347a