Analysis
- max time kernel: 150s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-05-2024 22:18
Static task: static1
Behavioral task: behavioral1
- Sample: 7e98a145a032013ca69b2cbf30cf5f84_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 7e98a145a032013ca69b2cbf30cf5f84_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 7e98a145a032013ca69b2cbf30cf5f84_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 7e98a145a032013ca69b2cbf30cf5f84
- SHA1: c955b774132b69cd7f38033827b4f9cb98666898
- SHA256: 0fcd53a40125addbfa3bf3f66379fa5b0bee5019c4680940e04fdb8714202059
- SHA512: 973a057545bc3d2caca6ace592e39aeda04a4184fac3bd1c00f385a64301f6b2e95a376cdf39c4bcf9d15348c993d856914699a1e087dfd6708bc60de7e191c1
- SSDEEP: 98304:TDqPoBi1aRxcSUDk36SAr593R8yAVp2H:TDqPZ1Cxcxk3ZArzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3295) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID  | Process
    760  | mssecsvc.exe
    4048 | mssecsvc.exe
    2668 | tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description  | IoC                     | Process
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    Description     | IoC | Process
    Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description                      | PID  | Process      | Target process
    PID 4996 wrote to memory of 5044 | 4996 | rundll32.exe | rundll32.exe
    PID 4996 wrote to memory of 5044 | 4996 | rundll32.exe | rundll32.exe
    PID 4996 wrote to memory of 5044 | 4996 | rundll32.exe | rundll32.exe
    PID 5044 wrote to memory of 760  | 5044 | rundll32.exe | mssecsvc.exe
    PID 5044 wrote to memory of 760  | 5044 | rundll32.exe | mssecsvc.exe
    PID 5044 wrote to memory of 760  | 5044 | rundll32.exe | mssecsvc.exe
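The two network signatures above ("Contacts a large amount of remote hosts" and "Creates a large amount of network flows") are threshold checks on per-process connection fan-out. The Python below is an added example of how such a check is computed; it is not the sandbox's own signature code and not part of this report. The report gives only the host count (3295), not addresses or ports, so the flow records here are constructed: the scanning process sweeps one /24 on a single port (192.168.56.0/24 and port 445 are assumptions for illustration), and a benign process talks to three hosts on 443. The thresholds (50 hosts, 200 flows) are likewise assumed. Beyond the page's counts, the example also reports the /24 that received most of the connections, which is the first thing an analyst wants when triaging a sweep.

```python
"""Fan-out scoring over per-process flow records (constructed sample data)."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    pid: int
    image: str
    dst_ip: str
    dst_port: int


HOST_THRESHOLD = 50    # assumed: distinct destination hosts from one process
FLOW_THRESHOLD = 200   # assumed: total flows from one process


def build_sample_flows():
    """Constructed sample: a single-port sweep of 192.168.56.0/24 (254 hosts, assumed
    port 445) plus a few benign HTTPS connections from another process."""
    flows = [Flow(760, "mssecsvc.exe", str(h), 445)
             for h in ipaddress.ip_network("192.168.56.0/24").hosts()]
    for ip in ("203.0.113.10", "203.0.113.11", "198.51.100.5"):
        flows += [Flow(1234, "msedge.exe", ip, 443)] * 4
    return flows


def summarize(flows):
    """Per (pid, image): flow count, distinct destination hosts, distinct destination ports."""
    stats = {}
    for f in flows:
        s = stats.setdefault((f.pid, f.image), {"flows": 0, "hosts": set(), "ports": set()})
        s["flows"] += 1
        s["hosts"].add(f.dst_ip)
        s["ports"].add(f.dst_port)
    return stats


def densest_subnet(hosts):
    """The /24 containing the most distinct destinations, i.e. the range being swept."""
    counts = {}
    for h in hosts:
        net = ipaddress.ip_network(f"{h}/24", strict=False)
        counts[net] = counts.get(net, 0) + 1
    net, n = max(counts.items(), key=lambda kv: kv[1])
    return str(net), n


def detect_fanout(flows, host_threshold=HOST_THRESHOLD, flow_threshold=FLOW_THRESHOLD):
    """One finding per (process, signature) whose threshold is crossed. Many hosts on
    very few ports is additionally flagged as a likely service scan, as opposed to
    many flows to a handful of hosts."""
    findings = []
    for (pid, image), s in summarize(flows).items():
        hosts, n_flows, ports = len(s["hosts"]), s["flows"], sorted(s["ports"])
        base = {"pid": pid, "image": image, "hosts": hosts, "flows": n_flows, "ports": ports}
        if hosts >= host_threshold:
            findings.append({**base,
                             "signature": "Contacts a large amount of remote hosts",
                             "likely_scan": len(ports) <= 3,
                             "swept": densest_subnet(s["hosts"])})
        if n_flows >= flow_threshold:
            findings.append({**base, "signature": "Creates a large amount of network flows"})
    return findings


if __name__ == "__main__":
    for finding in detect_fanout(build_sample_flows()):
        print(finding)
```

Both signatures fire for the scanning process and neither for the browser, which mirrors the report, where the same process tripped both network signatures.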
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e98a145a032013ca69b2cbf30cf5f84_JaffaCakes118.dll,#1
  PID: 4996
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e98a145a032013ca69b2cbf30cf5f84_JaffaCakes118.dll,#1
    PID: 5044
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      PID: 760
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        PID: 2668
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  PID: 4048
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

Reading the tree: the sample is a DLL invoked through rundll32 by ordinal (,#1). The 64-bit rundll32 (PID 4996) hands off to the SysWOW64 copy (PID 5044), which is what rundll32 does when the DLL it is given is 32-bit, and it is the 32-bit instance that drops and starts C:\WINDOWS\mssecsvc.exe. PID 4048 is a second root of the tree with a different command line (-m security); the report does not record its parent. Its registry writes go to HKEY_USERS\.DEFAULT, the hive loaded for the LocalSystem account, so by that point mssecsvc.exe was running as SYSTEM, and the values it sets (ProxyBypass, IntranetName and UNCAsIntranet to 1, AutoDetect to 0) are WinINet intranet-zone and proxy auto-detection settings.
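A host sensor records the tree above as separate process-creation, file-creation and registry events; the report's "Executes dropped EXE", "Drops file in Windows directory" and "Modifies data under HKEY_USERS" signatures are the result of correlating them. The Python below is an added example of that correlation, not the sandbox's code and not part of the report. The events are constructed to mirror the tree: the parent of PID 4996 (explorer.exe) and the benign notepad.exe event are assumptions, and the parent of PID 4048 is left unrecorded because the report does not show it. The rundll32 rule generalizes slightly beyond the page: it flags any rundll32 ordinal call whose DLL sits in a user-writable location, not only AppData\Local\Temp, and the HKEY_USERS rule accepts both the native \REGISTRY\USER\ form seen here and the HKU\ / HKEY_USERS\ spellings other tools emit.

```python
"""Correlate constructed host events (not sandbox output) into the report's signatures."""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str                 # "process", "file" or "registry"
    pid: int
    image: str                # full path of the acting process
    ppid: int = 0             # 0 = parent not recorded
    parent_image: str = ""
    cmdline: str = ""
    target: str = ""          # created file path, or registry value path


WINDOWS_DIR = "c:\\windows\\"
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
HKU_DEFAULT = ("\\registry\\user\\.default\\", "hku\\.default\\", "hkey_users\\.default\\")
ORDINAL_CALL = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+?),#\d+", re.IGNORECASE)

# Constructed sample mirroring the process tree in the report (parents of 4996 and
# the notepad.exe event are assumptions; the parent of 4048 is unknown).
DLL = r"C:\Users\Admin\AppData\Local\Temp\7e98a145a032013ca69b2cbf30cf5f84_JaffaCakes118.dll"
RUNDLL64 = r"C:\Windows\system32\rundll32.exe"
RUNDLL32 = r"C:\Windows\SysWOW64\rundll32.exe"
MSSECSVC = r"C:\WINDOWS\mssecsvc.exe"
TASKSCHE = r"C:\WINDOWS\tasksche.exe"
ZONEMAP = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"

SAMPLE_EVENTS = [
    Event("process", 4996, RUNDLL64, 1000, r"C:\Windows\explorer.exe", f"rundll32.exe {DLL},#1"),
    Event("process", 5044, RUNDLL32, 4996, RUNDLL64, f"rundll32.exe {DLL},#1"),
    Event("file", 5044, RUNDLL32, target=MSSECSVC),
    Event("process", 760, MSSECSVC, 5044, RUNDLL32, MSSECSVC),
    Event("file", 760, MSSECSVC, target=TASKSCHE),
    Event("process", 2668, TASKSCHE, 760, MSSECSVC, f"{TASKSCHE} /i"),
    Event("process", 4048, MSSECSVC, cmdline=f"{MSSECSVC} -m security"),
    Event("registry", 4048, MSSECSVC, target=f"{ZONEMAP}\\ProxyBypass"),
    Event("registry", 4048, MSSECSVC, target=f"{ZONEMAP}\\UNCAsIntranet"),
    Event("process", 3100, r"C:\Windows\System32\notepad.exe", 1000, r"C:\Windows\explorer.exe", "notepad.exe"),
]


def norm(path: str) -> str:
    """Windows paths and registry paths compare case-insensitively."""
    return path.strip().lower()


def run_rules(events):
    """Single pass in event order; returns {rule, pid, image, detail} per hit.
    'executes_dropped_exe' requires the file to have been seen created earlier."""
    dropped = set()   # lowercase paths created under the Windows directory so far
    findings = []

    def hit(rule, ev, detail):
        findings.append({"rule": rule, "pid": ev.pid, "image": ev.image, "detail": detail})

    for ev in events:
        if ev.kind == "file":
            t = norm(ev.target)
            if t.startswith(WINDOWS_DIR):
                dropped.add(t)
                hit("drops_file_in_windows_dir", ev, ev.target)
        elif ev.kind == "process":
            if norm(ev.image) in dropped:
                hit("executes_dropped_exe", ev, ev.cmdline)
            m = ORDINAL_CALL.search(ev.cmdline)
            if m and any(p in norm(m.group("dll")) for p in USER_WRITABLE):
                hit("rundll32_ordinal_from_user_writable_path", ev, m.group("dll"))
        elif ev.kind == "registry":
            t = norm(ev.target)
            if t.startswith(HKU_DEFAULT) and "\\internet settings\\zonemap\\" in t:
                hit("modifies_hku_default_zonemap", ev, ev.target)
    return findings


if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f"{f['rule']:44} pid={f['pid']:<5} {f['detail']}")
```

Run over the sample, the rules reproduce the report's counts: two Windows-directory drops, three executions of a dropped EXE (760, 2668 and the separately started 4048), and the ZoneMap writes from 4048 only; the benign notepad.exe event produces nothing.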
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 73f711dce0872d39ac4e7db8b9ca619c
  SHA1: 1ae464308025a7d376e4a20165eb02c2cae39c83
  SHA256: f175fabaf90c262721a9882019b84fc9aa3f8bfee67fb176bf8448b76b9e1522
  SHA512: 1a51b4de8f3fcac1ad4d9b8816d448dbc971545d89658817bc7eabe6b9a362ebd570124894cadf570b2fe99caa2f2d75ac91c231e76a6693ba3c4963246bf4ea
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: fdee266283e705423f807589fb25dddc
  SHA1: d5c05e0286323fedbe8b0e4b5043dccf7450dc80
  SHA256: 84395daa0e949e60a22310b591effbbb5787fe69428513445fa395726ab0f61c
  SHA512: 487a3f4bcfd4e77cf449e54581bbe06a457380a8ee818b8d20ccaa7359e254d00932bf4a2c6dac2c06745f7eebbf58ec4360c1af5a2fac769f84a6f4b273117a