Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
25-05-2024 06:31
Static task
static1
Behavioral task
behavioral1
Sample
7120a143729288157fb3356fc60205bc_JaffaCakes118.dll
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
7120a143729288157fb3356fc60205bc_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
7120a143729288157fb3356fc60205bc_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
7120a143729288157fb3356fc60205bc
-
SHA1
45b703b0353d71541c8abd6faea7e57c3adca5fb
-
SHA256
a2764aa6b77f04df6ec82a911405ae75a9315093d1836091c386669f6da2cff5
-
SHA512
4e5d49f7e5b3171e9488a660ee67847160144e428a8219311cd437a8df3c0c0fbd4be6a6d48c26b6a9a0d9db2f2fd3c4afc255c41a1a5a617799ae36d1ed6847
-
SSDEEP
98304:+DqPoBhz1aRxcSUDk36SA8dhvxWa9P5FyAVp2H:+DqP21Cxcxk3ZA8Uadvyc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3140) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 4028 mssecsvc.exe 3976 mssecsvc.exe 4524 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
mssecsvc.exerundll32.exedescription ioc process File created C:\WINDOWS\tasksche.exe mssecsvc.exe File created C:\WINDOWS\mssecsvc.exe rundll32.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1148 wrote to memory of 3688 1148 rundll32.exe rundll32.exe PID 1148 wrote to memory of 3688 1148 rundll32.exe rundll32.exe PID 1148 wrote to memory of 3688 1148 rundll32.exe rundll32.exe PID 3688 wrote to memory of 4028 3688 rundll32.exe mssecsvc.exe PID 3688 wrote to memory of 4028 3688 rundll32.exe mssecsvc.exe PID 3688 wrote to memory of 4028 3688 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7120a143729288157fb3356fc60205bc_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7120a143729288157fb3356fc60205bc_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5e5c307c267fd37464685ffe39b3bc302
SHA153980842895697ed2ee76aadcb2d78c4a1293013
SHA2568be4a0a025dc4c88614260b370a97f4c4327d41d8171f9c0a2f36986cfc8f72c
SHA512ab93f8c05ecd6737ab2ef687897b040994fe05ffa88b63b2fcbb4c9316ef9eee5539301dd0ce89af222cb3332e7d5768844c0fb5a33d974fc6738407f1952741
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD5030bf9acda05b8f3f7a6aa32d40103f0
SHA1d8d1445d9ef512581af73d7cd0380a44e662e777
SHA256866086260c803d0386f8629ff49aae269669b7eb55d0e170414023aa5f999300
SHA512e4568a518a8959f965c88eec7219513e7bd7651f7a5b2cb70888d14f9b62430f110ae041e69848458e86a90cff06aa28d363b4ced5d103d03152aa95fc34c415