Analysis
  max time kernel:  150s
  max time network: 151s
  platform:         windows10-2004_x64
  resource:         win10v2004-20240508-en
  resource tags:    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted:        26-05-2024 14:20
Static task: static1

Behavioral task: behavioral1
  Sample:   75c41f9cb3b0920cbdf6a6d58bff2639_JaffaCakes118.dll
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample:   75c41f9cb3b0920cbdf6a6d58bff2639_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
  Target: 75c41f9cb3b0920cbdf6a6d58bff2639_JaffaCakes118.dll
  Size:   5.0MB
  MD5:    75c41f9cb3b0920cbdf6a6d58bff2639
  SHA1:   9a8d716574ed1d45b15635d3b6edf376e1977f0f
  SHA256: a9fa6e9a07840936038728e94c7cd5b9c345f81d0a81622852d7f719e38f2415
  SHA512: 52f77dd5ceecc4b202cc3ead37a6f898a496172611433ead8a33127b83586daf8b0889bce89d28ecf5dfeed90eadb7cb9f025b963f4ad90bcc427b4ac2b94ec1
  SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAkhu3R8yAVp2p:TDqPe1Cxcxk3ZAzR8yc4p
Malware Config
Signatures

Wannacry
  WannaCry is a ransomware cryptoworm.

Contacts a large (3270) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    4768  mssecsvc.exe
    2060  mssecsvc.exe
    1876  tasksche.exe

Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                       process
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe

Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description      ioc                                                                                                         process
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process       target process
    PID 4092 wrote to memory of 3972   4092  rundll32.exe  rundll32.exe
    PID 4092 wrote to memory of 3972   4092  rundll32.exe  rundll32.exe
    PID 4092 wrote to memory of 3972   4092  rundll32.exe  rundll32.exe
    PID 3972 wrote to memory of 4768   3972  rundll32.exe  mssecsvc.exe
    PID 3972 wrote to memory of 4768   3972  rundll32.exe  mssecsvc.exe
    PID 3972 wrote to memory of 4768   3972  rundll32.exe  mssecsvc.exe
Processes (process tree; the number after each entry is its depth)

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\75c41f9cb3b0920cbdf6a6d58bff2639_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\75c41f9cb3b0920cbdf6a6d58bff2639_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

      3. C:\WINDOWS\mssecsvc.exe
         Command line: C:\WINDOWS\mssecsvc.exe
         - Executes dropped EXE
         - Drops file in Windows directory

         4. C:\WINDOWS\tasksche.exe
            Command line: C:\WINDOWS\tasksche.exe /i
            - Executes dropped EXE

1. C:\WINDOWS\mssecsvc.exe
   Command line: C:\WINDOWS\mssecsvc.exe -m security
   - Executes dropped EXE
   - Modifies data under HKEY_USERS
Downloads

C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5:      8459dcb2510f8cd5bee8b34428ab9308
  SHA1:     e20b490f6ca30fc95fe0f41dc6bdd6bfb5a8cb21
  SHA256:   aa26e0c95a0713720d0e441b04b74e80efa2b5580c373887bbed345c3bb4642c
  SHA512:   d5f40771695efa38d3ca119f3f9dfb0ba32d5e47109251b8ef236a2c1d15f4e1d7956860252544869859fef3dec3ff287e76f3baa5902546230f308f81b6ccdf

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5:      beb56ae73b5e9573b108236be6a155ab
  SHA1:     321d98a7ba9b5d99c38bc4d238967d3d5e8420d3
  SHA256:   60063a3b2936f8f1db3ab224b003a331e920b314ac79ecee0bdc8e8d9f2c40db
  SHA512:   c685a6bef11254b55589b3bc1d4965947915aa857aa2714f6cf9a903c6e83aaf98e2a992b18b824684ae1fb7e0c3c74c9ed21490a5f4c3990e7441af9a368a7e