Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-05-2024 23:13
Static task: static1
Behavioral task: behavioral1
- Sample: 772062d5fd479a0b8560699960e0201e_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 772062d5fd479a0b8560699960e0201e_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 772062d5fd479a0b8560699960e0201e_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 772062d5fd479a0b8560699960e0201e
- SHA1: 097250e5e0175d55eb802fa0cda2cafc4582e77b
- SHA256: 01f93d9d2c61a9770ceebdfc3c324e6e26c4db35c8c00924e3c4beb32969164e
- SHA512: 64285582d6809f265a0136832ef71477a3aaee86e54d066fdd7a15b7234cc67b738d843918c5a14600a24e9f853a5c2ef931c7f3c87d20f4e34ad2d35c8bbf28
- SSDEEP: 98304:TDqPoBhz1aRxcSUDkXhvxWa9P593R8yAVp2H:TDqPe1Cxcxk+adzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3352) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  4144  mssecsvc.exe
  4008  mssecsvc.exe
  1544  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 2864 wrote to memory of 2804  2864  rundll32.exe  rundll32.exe
  PID 2864 wrote to memory of 2804  2864  rundll32.exe  rundll32.exe
  PID 2864 wrote to memory of 2804  2864  rundll32.exe  rundll32.exe
  PID 2804 wrote to memory of 4144  2804  rundll32.exe  mssecsvc.exe
  PID 2804 wrote to memory of 4144  2804  rundll32.exe  mssecsvc.exe
  PID 2804 wrote to memory of 4144  2804  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\772062d5fd479a0b8560699960e0201e_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\772062d5fd479a0b8560699960e0201e_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 8fd7bc66f07ec0135c5c429b1ee96225
  SHA1: a6ece1b324b7c3d3071254d75551118759fe684f
  SHA256: 78b7c7086aadafd2a6869bbd3b60141fab3d31aa8eef7801d6c0ab1c8d97ad76
  SHA512: ec8e2c2fba4e77c7c8b4d3bdf99745894e0a61bb6cf17179dbb946727957f90fe5b25539d21ec9d075e75af7358d5b0596de106ea15b844e209fdf9de2f90d98
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: f9a593cc170d6c24edcbeaf58dcba0ef
  SHA1: 382654561eefd5f2398201dd9b8697e5cc5eb2e3
  SHA256: 95cb0565064f2f67162eb63c8e3cfa4746112d054f7a9dcfe1599d879d625982
  SHA512: 5d3d188124e4cf0a8ce735df5117b51fc5ab6bf5b4c2e994f874130cd0b258d15e0078e4fe997a8ea5be44590a9912e0aa87cf2191d09de2aa9d359430f615d5