Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 25-05-2024 07:07
Static task: static1
Behavioral task: behavioral1
  Sample: 71355278822a182bc126997e58f45408_JaffaCakes118.dll
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 71355278822a182bc126997e58f45408_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 71355278822a182bc126997e58f45408_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 71355278822a182bc126997e58f45408
- SHA1: 6a009f7b1efa74d9d245766a221a18624196792d
- SHA256: 8310a6ae79b932a727b088c7310f7183df78f9be4451f21968ce04d1f320a093
- SHA512: 1435771cb22ec7647545246a551c6fca7a2f21e931b3afc4f3cc4efc83cd1f4bb49f20782f4e914754c30556c4a85126eb29c7d46f04c643d3aca02a5b44a9b3
- SSDEEP: 12288:yebLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DOaq1SK662Q:zbLgddQhfdmMSirYbcMNgef0lz662
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3167) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2308  mssecsvc.exe
    4980  mssecsvc.exe
    744   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 2916 wrote to memory of 3032  2916  rundll32.exe  rundll32.exe
    PID 2916 wrote to memory of 3032  2916  rundll32.exe  rundll32.exe
    PID 2916 wrote to memory of 3032  2916  rundll32.exe  rundll32.exe
    PID 3032 wrote to memory of 2308  3032  rundll32.exe  mssecsvc.exe
    PID 3032 wrote to memory of 2308  3032  rundll32.exe  mssecsvc.exe
    PID 3032 wrote to memory of 2308  3032  rundll32.exe  mssecsvc.exe
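The two network signatures above ("Contacts a large (3167) amount of remote hosts" and "Creates a large amount of network flows") both reduce to one measurable: the number of distinct destination hosts a single process reaches inside a short window. The following is an added example of that detection logic, written for this page and not code from the sandbox or from the sample. It runs over constructed flow records in a (timestamp, process image, destination IP, destination port) shape; the threshold, the window length, the /22 sweep and the destination port 445 are all assumptions for the sample data (the report gives the host count but not the port).

```python
from collections import defaultdict, deque
from ipaddress import IPv4Network


def flag_host_scanners(flows, threshold=100, window_s=60.0):
    """flows: iterable of (ts_seconds, image, dst_ip, dst_port).

    For each process image keep a sliding window of its recent flows and
    count the distinct destination IPs inside it. Returns
    {image: (peak_distinct_hosts, ports_seen_at_peak)} for every image
    whose count exceeds threshold in some window. threshold and window_s
    are illustrative assumptions, not values taken from the report."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, image, dst_ip, dst_port in sorted(flows, key=lambda f: f[0]):
        q = recent[image]
        q.append((ts, dst_ip, dst_port))
        while q and ts - q[0][0] > window_s:   # drop flows older than the window
            q.popleft()
        distinct = {ip for _, ip, _ in q}
        if len(distinct) > threshold and (image not in alerts or len(distinct) > alerts[image][0]):
            alerts[image] = (len(distinct), {p for _, _, p in q})
    return alerts


def constructed_flows():
    """Constructed sample, not sandbox data: mssecsvc.exe sweeps every host of
    10.0.0.0/22 (1022 addresses) in about 20 s, while a browser makes 200
    connections to the same five documentation-range hosts. Port 445 is a
    sample value; the report above does not name the port."""
    flows = []
    t = 0.0
    for host in IPv4Network("10.0.0.0/22").hosts():
        flows.append((t, r"C:\WINDOWS\mssecsvc.exe", str(host), 445))
        t += 0.02
    for i in range(200):
        flows.append((i * 0.5, r"C:\Program Files\Browser\browser.exe", f"203.0.113.{i % 5}", 443))
    return flows


if __name__ == "__main__":
    for image, (hosts, ports) in flag_host_scanners(constructed_flows()).items():
        print(f"{image}: {hosts} distinct hosts in one window, ports {sorted(ports)}")
```

In a real pipeline the key should be (host, pid) rather than the image path alone, and the alert should carry the port set so an analyst can tell a single-service sweep from a multi-port scan; the browser control shows that a chatty but host-stable process stays below threshold.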
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\71355278822a182bc126997e58f45408_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\71355278822a182bc126997e58f45408_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
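The process tree above contains four observations that can be turned into process-creation detection rules without relying on file hashes: rundll32.exe invoked on a DLL in the user's Temp directory by ordinal export (",#1"), rundll32.exe spawning an executable that sits directly in the Windows root, mssecsvc.exe started with "-m security", and tasksche.exe started with "/i". The following is an added example of those rules, written for this page and not code from the sandbox or the sample. The event records are constructed to mirror the report's PIDs, images and command lines in a Sysmon Event ID 1 style; PPID 1000 is a placeholder assumption for the unrecorded parent of the root processes, and the notepad.exe record is a benign control.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed records mirroring the report's process tree. PPID 1000 is an
# assumed placeholder for the unknown parent of the root processes.
DLL = r"C:\Users\Admin\AppData\Local\Temp\71355278822a182bc126997e58f45408_JaffaCakes118.dll"
EVENTS = [
    ProcEvent(2916, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(3032, 2916, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(2308, 3032, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(744, 2308, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcEvent(4980, 1000, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    ProcEvent(5000, 1000, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign control
]

# rundll32 handed a DLL under <user>\AppData\Local\Temp plus an ordinal export.
_TEMP_DLL_ORDINAL = re.compile(
    r"rundll32(?:\.exe)?\s+.*\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+", re.I)
# An executable directly in the Windows root, not under System32 or SysWOW64.
_WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rule_rundll32_temp_ordinal(ev, parent):
    return _basename(ev.image) == "rundll32.exe" and bool(_TEMP_DLL_ORDINAL.search(ev.cmdline))


def rule_rundll32_spawns_windows_root_exe(ev, parent):
    return (parent is not None and _basename(parent.image) == "rundll32.exe"
            and bool(_WINDOWS_ROOT_EXE.match(ev.image)))


def rule_mssecsvc_service_arg(ev, parent):
    return _basename(ev.image) == "mssecsvc.exe" and "-m security" in ev.cmdline.lower()


def rule_tasksche_install_arg(ev, parent):
    return _basename(ev.image) == "tasksche.exe" and re.search(r"\s/i\b", ev.cmdline, re.I) is not None


RULES = {
    "rundll32_temp_dll_ordinal_export": rule_rundll32_temp_ordinal,
    "rundll32_spawns_exe_in_windows_root": rule_rundll32_spawns_windows_root_exe,
    "mssecsvc_m_security": rule_mssecsvc_service_arg,
    "tasksche_slash_i": rule_tasksche_install_arg,
}


def evaluate(events):
    """Map each PID to the list of rule names that fire on its record."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for ev in events:
        fired = [name for name, fn in RULES.items() if fn(ev, by_pid.get(ev.ppid))]
        if fired:
            hits[ev.pid] = fired
    return hits


def lineage(events, pid):
    """Image paths from the outermost recorded ancestor down to pid."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain[::-1]


if __name__ == "__main__":
    for pid, names in evaluate(EVENTS).items():
        print(pid, names, " -> ".join(_basename(p) for p in lineage(EVENTS, pid)))
```

The second rule is the most reusable one: an EXE created and launched directly under the Windows root by rundll32.exe is unusual on its own, whereas the mssecsvc.exe and tasksche.exe name checks are specific to this sample family and should be treated as IoC matches rather than behavioural detections.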
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: f25534e176ac75ef4eec66e4e797136d
  SHA1: a0860596388c5444c8f7b959ee62219a689d5d46
  SHA256: 744181ead7b7835d852a25e0f41f97248d7aca9ecc3a9025483bf8f884e3873d
  SHA512: 78b399885a0729ad3b651a119491c3e1075c0ea15a0a14fbfd176c1ef43fbd9915da05b036e393674c2d93c4f426ccce89f0e55c1e62cce094926de96beb37af
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 397c62b29e228c484e4873c2fe5b1b6e
  SHA1: 3b0abbd50014445b2e86daec82a9df41b2b48402
  SHA256: 2772b7f6d3253b8208d6580b7f05cb3678d2622cd7085fea354555f11fc78ccf
  SHA512: d4d3dc4f6f25c0357ff33581401ea21f611dc39c98d1c739331626f914a5c6ae9278f955e8a6f9ac0d67011ad6f33fabebda521607a53f2d300b87c316ffe205