Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-05-2024 22:13
Static task: static1
Behavioral task: behavioral1
- Sample: 76f532e5fe2f8f13db6ddb8a6d67b65a_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 76f532e5fe2f8f13db6ddb8a6d67b65a_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 76f532e5fe2f8f13db6ddb8a6d67b65a_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 76f532e5fe2f8f13db6ddb8a6d67b65a
- SHA1: c1365d56fdecf63b1d8bbaf998dbeaa27522626a
- SHA256: 4a1a054fe9408c2d6d97cfd73c2bf6ccf818e0b96bc89be611d4a21dbc91ea36
- SHA512: 63a0fe3fe82faf2cf963c84b4fcfa75ce8aba336297371885553f8937f70556d8127381de5418a9518752edc5ea7b309253549a404a7fe42d7f2515c363b78ee
- SSDEEP: 49152:SnAQqMSPbcBVQej/1IujZuinJ9HUAJ0rMx/J0AMEcaEau3R8yAH1plAH:+DqPoBhz1NiACMhm593R8yAVp2H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3300) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid | process
  5056 | mssecsvc.exe
  1116 | mssecsvc.exe
  3944 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 1704 wrote to memory of 4776 | 1704 | rundll32.exe | rundll32.exe
  PID 1704 wrote to memory of 4776 | 1704 | rundll32.exe | rundll32.exe
  PID 1704 wrote to memory of 4776 | 1704 | rundll32.exe | rundll32.exe
  PID 4776 wrote to memory of 5056 | 4776 | rundll32.exe | mssecsvc.exe
  PID 4776 wrote to memory of 5056 | 4776 | rundll32.exe | mssecsvc.exe
  PID 4776 wrote to memory of 5056 | 4776 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\76f532e5fe2f8f13db6ddb8a6d67b65a_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\76f532e5fe2f8f13db6ddb8a6d67b65a_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 514c2b5968f5477c3346c4faefb0d90e
  SHA1: 3dd8512b31e08de1a57b4eeb09e7e019e240644e
  SHA256: 42039e4900a8544e0c2c53a6dad0230c1cd08869d4a1826eff89c91a19885f53
  SHA512: 568ca8a69f93f6e096fb67887ba97d539d734eeefb3f1ecd05a31a4fa07a7a39f414e7307ba5d5f5300bf7182ea232897471a6ab78ccf5d86169222a5afba430
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 1492eb9292ba77bf9954940cd3093cee
  SHA1: e04b0399272b626c23b400b770f68d59b2e419c2
  SHA256: c745c5d8d5fde49e36f6129195cc88d489f24ce350ad4cf0c7c9b57fba7f8157
  SHA512: f3e3c6f7042da5312ae6d3b1fb769195c32f6bb432c1660b70a19cad672155a71a629e987115b503e6b906fe8b680f6e5bca1711327b8869ffaca01ac5ba8ce8