Analysis

max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 02:31
Static task: static1

Behavioral task: behavioral1
  Sample: 6d10b8cb37ebcf0a6d22dbf3e67b310e_JaffaCakes118.dll
  Resource: win7-20231129-en

Behavioral task: behavioral2 (the run shown in this report; its resource matches the platform and resource listed above)
  Sample: 6d10b8cb37ebcf0a6d22dbf3e67b310e_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General

Target: 6d10b8cb37ebcf0a6d22dbf3e67b310e_JaffaCakes118.dll
Size: 5.0MB
MD5: 6d10b8cb37ebcf0a6d22dbf3e67b310e
SHA1: 244e9aa52c699a7e5af1d965d46caeb9ccaa9830
SHA256: 6d9f61cac704ee88d56d181439e5cf269ae13fb26e1b153c8a7fdd031980c037
SHA512: 2d926ed5b1ec4a268a978f98313cf3702784619e4902dde4be1fa16a408c799ee015590e8564825d0241bae307f94ac199b3ebd1b8cd3ffce9f3ab4b612ee7ab
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5eR8yAVp2H:+DqPe1Cxcxk3ZAEUadgR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm. The process tree below shows its familiar components: rundll32.exe loads the submitted DLL, which drops and launches C:\WINDOWS\mssecsvc.exe (the worm component, also seen running with -m security), and mssecsvc.exe in turn drops and runs C:\WINDOWS\tasksche.exe /i (the encryption component).

- Contacts a large (3362) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services. Here it is consistent with WannaCry's worm component probing other hosts for SMB (TCP/445); the report does not record which process made the connections.

- Executes dropped EXE (3 IoCs)
  Processes:
    PID    process
    3468   mssecsvc.exe
    3356   mssecsvc.exe
    3900   tasksche.exe

- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Drops file in Windows directory (2 IoCs)
  Processes:
    description    ioc                        process
    File created   C:\WINDOWS\mssecsvc.exe    rundll32.exe
    File created   C:\WINDOWS\tasksche.exe    mssecsvc.exe

- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description        ioc                                                                                                          process
    Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     mssecsvc.exe
    Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    mssecsvc.exe
    Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   mssecsvc.exe
    Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      mssecsvc.exe
    Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                      mssecsvc.exe
  Caveat: these ZoneMap values under the .DEFAULT profile are the usual side effect of a process running as SYSTEM initialising WinINet/urlmon, not a deliberate proxy or persistence change. On their own they are weak evidence; the file drops and the process chain are what matter here.

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (each pair is logged three times):
    description                          pid    process        target process
    PID 2156 wrote to memory of 1976     2156   rundll32.exe   rundll32.exe
    PID 1976 wrote to memory of 3468     1976   rundll32.exe   mssecsvc.exe
  Both pairs are a parent writing into the child it has just created; no write into an unrelated process is recorded.
Processes

C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d10b8cb37ebcf0a6d22dbf3e67b310e_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\6d10b8cb37ebcf0a6d22dbf3e67b310e_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
        C:\WINDOWS\mssecsvc.exe
          C:\WINDOWS\mssecsvc.exe
          - Executes dropped EXE
          - Drops file in Windows directory
            C:\WINDOWS\tasksche.exe
              C:\WINDOWS\tasksche.exe /i
              - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

Reading the tree: the 64-bit rundll32.exe immediately re-launches its SysWOW64 (32-bit) counterpart, which is what happens when a 32-bit DLL is handed to the 64-bit host, so the DLL's code actually runs in the second rundll32.exe, and that is the process that drops mssecsvc.exe. The WriteProcessMemory hits correspond to those parent-to-child launches (2156 -> 1976 and 1976 -> 3468). The second mssecsvc.exe is a separate root, not a child of rundll32, and carries the -m security argument, consistent with it being started by the Service Control Manager; it is the only instance that touches the HKEY_USERS ZoneMap keys.
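The signature counts above are derived mechanically from the raw event stream. The following is an added example, not code from the sandbox vendor or from the sample: it replays a constructed event list built from this report's tables (process tree, the two file drops, the five ZoneMap operations and the six WriteProcessMemory pairs, with the PIDs the report lists) and re-derives each signature and the process tree, so the numbers in the report can be checked. Two things are assumptions and labelled as such in the code: the 3362 outbound connections and their attribution to the -m security instance (the report does not say which process made them), and the 100-host scan threshold (the sandbox's own cut-off is not published).

```python
"""Re-derive the behavioural signatures of this report from raw events.

Added example, not code from the sandbox vendor or from the sample. Events are
constructed from the report's tables. Assumptions: the connect events and their
attribution to PID 3356, and SCAN_THRESHOLD.
"""
from collections import defaultdict

DLL = r"C:\Users\Admin\AppData\Local\Temp\6d10b8cb37ebcf0a6d22dbf3e67b310e_JaffaCakes118.dll"
ZONEMAP = (r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap")
SCAN_THRESHOLD = 100  # assumption; the report only shows the observed count (3362)

# Constructed event stream. Order matters: a file must be dropped before the
# process that executes it is created, as in the real timeline.
EVENTS = [
    {"kind": "process", "pid": 2156, "ppid": None, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"kind": "process", "pid": 1976, "ppid": 2156, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"kind": "file_create", "pid": 1976, "path": r"C:\WINDOWS\mssecsvc.exe"},
    # 3468 is the rundll32 child: the WriteProcessMemory table shows 1976 -> 3468.
    {"kind": "process", "pid": 3468, "ppid": 1976, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"kind": "file_create", "pid": 3468, "path": r"C:\WINDOWS\tasksche.exe"},
    {"kind": "process", "pid": 3900, "ppid": 3468, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    # The other mssecsvc.exe PID (3356) is the separate root in the report's tree.
    {"kind": "process", "pid": 3356, "ppid": None, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"kind": "reg_key_create", "pid": 3356, "key": ZONEMAP},
]
EVENTS += [{"kind": "reg_set", "pid": 3356, "key": f"{ZONEMAP}\\{name}", "data": data}
           for name, data in (("ProxyBypass", 1), ("IntranetName", 1),
                              ("UNCAsIntranet", 1), ("AutoDetect", 0))]
# The report logs each parent -> child WriteProcessMemory pair three times.
EVENTS += [{"kind": "wpm", "pid": src, "target": dst}
           for src, dst in [(2156, 1976)] * 3 + [(1976, 3468)] * 3]
# Assumption: 3362 SMB connects to distinct hosts, attributed to PID 3356.
EVENTS += [{"kind": "connect", "pid": 3356, "dst": f"192.168.{i // 256}.{i % 256}", "port": 445}
           for i in range(3362)]


def evaluate(events, scan_threshold=SCAN_THRESHOLD):
    """Replay events in order and return {signature name: [ioc, ...]}."""
    hits = defaultdict(list)
    dropped = set()            # lower-cased paths written so far
    hosts = defaultdict(set)   # pid -> distinct remote hosts contacted
    for e in events:
        kind = e["kind"]
        if kind == "file_create":
            path = e["path"].lower()
            dropped.add(path)
            if path.startswith("c:\\windows\\"):
                hits["Drops file in Windows directory"].append((e["pid"], e["path"]))
        elif kind == "process":
            # "Executes dropped EXE": image path equals a file written earlier in the run
            if e["image"].lower() in dropped:
                hits["Executes dropped EXE"].append((e["pid"], e["image"]))
        elif kind in ("reg_set", "reg_key_create"):
            if e["key"].upper().startswith("\\REGISTRY\\USER\\"):
                hits["Modifies data under HKEY_USERS"].append((e["pid"], e["key"]))
        elif kind == "wpm":
            if e["pid"] != e["target"]:  # only cross-process writes count
                hits["Suspicious use of WriteProcessMemory"].append((e["pid"], e["target"]))
        elif kind == "connect":
            hosts[e["pid"]].add(e["dst"])
    for pid, dsts in hosts.items():
        if len(dsts) >= scan_threshold:
            hits["Contacts a large amount of remote hosts"].append((pid, len(dsts)))
    return dict(hits)


def process_tree(events):
    """Render the tree as the report does: one line per process, indented by depth."""
    children = defaultdict(list)
    for e in events:
        if e["kind"] == "process":
            children[e["ppid"]].append(e)
    lines = []

    def walk(ppid, depth):
        for p in children[ppid]:
            lines.append("  " * depth + f"{p['pid']} {p['cmdline']}")
            walk(p["pid"], depth + 1)

    walk(None, 0)
    return lines


if __name__ == "__main__":
    for name, iocs in evaluate(EVENTS).items():
        print(f"{name}: {len(iocs)} IoCs")
    print("\n".join(process_tree(EVENTS)))
```

The same evaluate() runs unchanged over real endpoint telemetry once the events are mapped into these five kinds; note that "Executes dropped EXE" is order-dependent (the drop has to be seen before the launch), so a feed that delivers file events late will under-count it.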
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 13a2719d0bc35aa5d33c346644effcab
  SHA1: 6c8905965df55eab8cc6e8f76756092706f60666
  SHA256: 941f7bd9263aa5d0c1e11f534b151b37fc418a0a11c2237d0b8af04912e9777a
  SHA512: 98827942ab24be76db1d4cda8e2719a5c1e6fcc532002b76ce57a23c5c070515457a93c25ca5ad996fc894084217df8d752d1c0a2d2bb362a516be2a15c6e1bc

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 6d05b40e1de460136e3913543cd01611
  SHA1: 84c3b084e58a29f99ef7c58a4b9cb65afdcaf743
  SHA256: 7203c16d0d96f641af9b828b7bb503f89e8838402130b75e525de7703547c044
  SHA512: 17f547a1ba859066ed8606e54aaa37a553cbaddc42d8393cc0958e3fdd7e24f173ee9ab3387d6aa245c443139a1f5efdeee066cf05a240d6ba4cce4bcf5203ce