Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 17:33
Static task: static1
Behavioral task: behavioral1
- Sample: 6f4b49e21b51f9d8cf0d8067ab281211_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 6f4b49e21b51f9d8cf0d8067ab281211_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 6f4b49e21b51f9d8cf0d8067ab281211_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 6f4b49e21b51f9d8cf0d8067ab281211
- SHA1: e8b933ffd4bd0401afb33ad635d81a52e5d57d83
- SHA256: 8342960295ccfbfa27e63d82bfafa918dfa831696b26bfe336ac490fcef92e5d
- SHA512: 4d41a853db2c26ec67bc28da1b1b4397b4401229b40355201a8a1fd47cd5ca30d6cb2c73f89342fb4efd703e37018570dd4b39e86ace8a819a35bff465abd60e
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5B+G:+DqPe1Cxcxk3ZAEUad7
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3337) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    1856  mssecsvc.exe
    2412  mssecsvc.exe
    4068  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                        process
    File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
    File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description      ioc                                                                                                      process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process       target process
    PID 2996 wrote to memory of 2216  2996  rundll32.exe  rundll32.exe
    PID 2996 wrote to memory of 2216  2996  rundll32.exe  rundll32.exe
    PID 2996 wrote to memory of 2216  2996  rundll32.exe  rundll32.exe
    PID 2216 wrote to memory of 1856  2216  rundll32.exe  mssecsvc.exe
    PID 2216 wrote to memory of 1856  2216  rundll32.exe  mssecsvc.exe
    PID 2216 wrote to memory of 1856  2216  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f4b49e21b51f9d8cf0d8067ab281211_JaffaCakes118.dll,#1
  Depth: 1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6f4b49e21b51f9d8cf0d8067ab281211_JaffaCakes118.dll,#1
    Depth: 2
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Depth: 3
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Depth: 4
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Depth: 1
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: a519cbc0a6750cac38c69004e5a305ea
  SHA1: ad3a0018369ecdaffde82b93b43155c70ef46cd2
  SHA256: d17557bfafea56a4c0b4e2e6c4ed11080a0826370e9e20c70bf7b160b91e671c
  SHA512: 8a1035d5787c4f9c13a5112e50bf3f77bb0b0be13e7e3a9f620349b22c315bc1267b7c05791266fdbf9fd85722cad6f2a746b8af69195697abde46a572c8fc74
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: beff63707ee2398011bff9c7f0d97701
  SHA1: 92675bddb6e3780fdbab2ce0292a5dbccac6150a
  SHA256: 136247427b5c5a1c0295477fb01c4212ca9e30d8368c3623dcc450750109576c
  SHA512: fb247ca3cd7da39d7769a30161eabb14608f1dde7a1e27b644d00486af4413be14644966e9332fd28bd1fd9c44c360efbd134b8d9cae6e443976146bbe6e7a53