Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-05-2024 09:05
Static task: static1
Behavioral task: behavioral1
- Sample: 74f8cf308139a939d3fdbaadaca3132b_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 74f8cf308139a939d3fdbaadaca3132b_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 74f8cf308139a939d3fdbaadaca3132b_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 74f8cf308139a939d3fdbaadaca3132b
- SHA1: 9ec8f64b061ad98c41ef5afbe864e1974cc456b7
- SHA256: 5067fee0e271fea31a5b0f4479521e26250678656675b9ddcca829445f7d242a
- SHA512: 30c4429d333680369cc2b30302ecfc8830c9ce4f9d52619494b7c265863eb00b58ad7b4c02f4616ea2613d6fd1d1509703ce06c8221643675fbf16a6626c9e91
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAME:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3362) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2760  mssecsvc.exe
    1648  mssecsvc.exe
    3924  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 2368 wrote to memory of 916   2368  rundll32.exe  rundll32.exe
    PID 2368 wrote to memory of 916   2368  rundll32.exe  rundll32.exe
    PID 2368 wrote to memory of 916   2368  rundll32.exe  rundll32.exe
    PID 916 wrote to memory of 2760   916   rundll32.exe  mssecsvc.exe
    PID 916 wrote to memory of 2760   916   rundll32.exe  mssecsvc.exe
    PID 916 wrote to memory of 2760   916   rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\74f8cf308139a939d3fdbaadaca3132b_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\74f8cf308139a939d3fdbaadaca3132b_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: cc48c3d018ad980965e8d0a83230d9ee
  SHA1: 3130c3179faf9606f93bfba5d6d1113200e5c4de
  SHA256: 80f61915d2ad682e04705d614a345907118add13417d2ba8f894252c5b6ac7e8
  SHA512: 4081437021d5f30ba33e9a8dfc7e1d8675c0866496f6fb7b9fd43826e698840fc942cd78fd178817b2ab5234ef133848a4c6e0309746abb30ce4e4b07d46b782
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 34b9d37343b72787887139095f4d514a
  SHA1: 3c3fb32bb98d40b6d6b848aa23edbb1c64b7a727
  SHA256: 44f75dfff8d0f188eee3cdf7f12895b97f420be06c267cb293cd4e1a72b01e16
  SHA512: f3e098305bc3b5d5c84b2c39c9e7b68b794316c257ce015d460e4b56b81e744bf44447c8cae8332bbe283f2cc9d0cf18609bddc40a62e15dd2fd420720237267