Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
26-05-2024 20:40
Static task
static1
Behavioral task
behavioral1
Sample
76c2f0bc0c37fe765f7c147cb72edb62_JaffaCakes118.dll
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
76c2f0bc0c37fe765f7c147cb72edb62_JaffaCakes118.dll
Resource
win10v2004-20240426-en
General
-
Target
76c2f0bc0c37fe765f7c147cb72edb62_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
76c2f0bc0c37fe765f7c147cb72edb62
-
SHA1
68d778d4da69cd5722cc537a965668dfdce2bd4f
-
SHA256
847521d5b3faff34a8f6313506d6f232c9fd99c65bea3f3305d994679ead6216
-
SHA512
c0ff78e4e838fa3e6694f5df06d47d38ac03343e79564f7966cfdddefc964139b4a470f7fbf18ff294983699feadeff576355b2746afb76048aa5172a9bc76d7
-
SSDEEP
24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIOASk+RdhAdmv1LJMfcH9PO6L:SnAQqMSPbcBVQej/ZAARdhnvxJM0H9
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3148) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1368 mssecsvc.exe 3616 mssecsvc.exe 1400 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1240 wrote to memory of 1616 1240 rundll32.exe rundll32.exe PID 1240 wrote to memory of 1616 1240 rundll32.exe rundll32.exe PID 1240 wrote to memory of 1616 1240 rundll32.exe rundll32.exe PID 1616 wrote to memory of 1368 1616 rundll32.exe mssecsvc.exe PID 1616 wrote to memory of 1368 1616 rundll32.exe mssecsvc.exe PID 1616 wrote to memory of 1368 1616 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\76c2f0bc0c37fe765f7c147cb72edb62_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1240 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\76c2f0bc0c37fe765f7c147cb72edb62_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1368 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:1400
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3616
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5481e5fab3071074c36f0a8b24fbb0777
SHA1adfb30626b3ff66306bba5fdd86566f92a8a5985
SHA256317dbb6511b79af9727a1b5542afcc1a9c808e8b998ed845734ee9de6ea9676a
SHA5123ea38a98f8823d3d376bdb18394af8f47ea3e25e76794cbee76fcc55366b0c87963101de21fe54e93a37d21be00d7c9aed0b56b4151c4d143bd861dfa25b3457
-
Filesize
3.4MB
MD5831b7cfbfa474f35bb2b37f69fad80f6
SHA17fd8c6b68754d29954ddbbdbb4960e02c17ac630
SHA256563fd6ea2af4dab336e868ed4456ba21abcf60fb647f20baa1f64aa5d67897ca
SHA512a86755d7d21c79f1b2abfb59c6f0295a8bd0c5f0a0c217750ad35c13d0d37fca64e3ce6bfae935164751fd0b9151da9331bcfc62ba507c4beb9b13a346b28140