Resubmissions
28-05-2024 20:22
240528-y5vrgaag9x (score 7) 28-05-2024 20:21
240528-y5eegsag7y (score 7) 28-05-2024 20:15
240528-y13arabg59 (score 10)

Analysis
Max time kernel: 150s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 28-05-2024 20:15
Static task: static1
Behavioral task: behavioral1
  Sample: 7e42b85a3c28e4d3fd1928efbb1b1716_JaffaCakes118.dll
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 7e42b85a3c28e4d3fd1928efbb1b1716_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 7e42b85a3c28e4d3fd1928efbb1b1716_JaffaCakes118.dll
Size: 5.0MB
MD5: 7e42b85a3c28e4d3fd1928efbb1b1716
SHA1: 5b9550a8987cf92b4cef087122199c716b39a7d5
SHA256: 824eb4ff3cf95ff179fff5e2f0f1cf01db9a4c70e0106177f40492310aa8d1f5
SHA512: 2dbbb1b1d48a9c3133a9a97394820ddf5a96a0dc7b75de6d70cc19e544a5add1b295c7b4eaae13fbe9dba848ef4b977c37d3a93e92084866fdbbe7bc5d000912
SSDEEP: 98304:+DqPoBhzLk36SAEdhvxWa9P593R8yAVp2H:+DqPeLk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3179) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services. For this family the host count is the worm component's propagation scan; the Network section of this report is empty, so destination addresses and ports are not shown here.
- Executes dropped EXE (3 IoCs)
  PID  | Process
  868  | mssecsvc.exe
  4476 | mssecsvc.exe
  4924 | tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Description  | IoC                      | Process
  File created | C:\WINDOWS\mssecsvc.exe  | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe  | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Description     | IoC                                                                                                  | Process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    | mssecsvc.exe
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                   | mssecsvc.exe
  Caveat: these ZoneMap values under HKU\.DEFAULT are what WinINet writes when it is first initialised by a process running as SYSTEM (here the service-started mssecsvc.exe, PID 4476). They show that the process used WinINet, which in this family is the kill-switch URL check, but by themselves they are not a WannaCry-specific indicator.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID  | Process      | Target PID | Target process | Events
  1360 | rundll32.exe | 232        | rundll32.exe   | 3
  232  | rundll32.exe | 868        | mssecsvc.exe   | 3
Processes
- C:\Windows\system32\rundll32.exe (PID 1360)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e42b85a3c28e4d3fd1928efbb1b1716_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 232)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e42b85a3c28e4d3fd1928efbb1b1716_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 868)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 4924)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 4476)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

Reading the tree: the two rundll32.exe entries are the sandbox launching the submitted DLL through its first exported ordinal (,#1), not malware behaviour, so "rundll32 loading a DLL by ordinal" should not be taken from this report as an indicator. The hop from system32\rundll32.exe to SysWOW64\rundll32.exe is the 64-bit loader handing a 32-bit DLL over to the WoW64 host, consistent with the arch:x86 resource tag. The DLL then writes and starts mssecsvc.exe (PID 868), which writes and starts tasksche.exe /i (PID 4924). The second top-level mssecsvc.exe -m security (PID 4476) has no parent in the tree, which is how a process started by the Service Control Manager appears; in this family that command line is the service persistence for the worm component, and it is the instance that touches HKEY_USERS.
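The process tree above, together with the Drops file in Windows directory and Executes dropped EXE signatures, is enough to write a hunting rule. What follows is an added example, not part of this sandbox report or of any vendor's tooling: it runs four report-derived checks (dropped binaries written straight into the Windows directory, the two dropped-file SHA-256 values, the mssecsvc.exe -m security service start, and tasksche.exe /i spawned by mssecsvc.exe) over a small set of process-creation and file-creation events. The events are constructed to mirror the tree above (same PIDs, paths, command lines and hashes); the flat Event record is an assumed layout to be mapped onto whatever your Sysmon or EDR export looks like.

```python
"""Hunt for the WannaCry execution chain shown in the process tree above.

Added example, not part of the sandbox report. The events below are
constructed to mirror the report's tree (PIDs 1360 -> 232 -> 868 -> 4924
and the separately started 4476); the Event record layout is an assumption,
so map it onto your own Sysmon/EDR export.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str         # "process" or "file"
    pid: int          # for "file" events: the writing process
    ppid: int = 0
    image: str = ""   # process image, or the created path for "file" events
    cmdline: str = ""
    sha256: str = ""


# File names and hashes taken verbatim from the report.
DROPPED_NAMES = {"mssecsvc.exe", "tasksche.exe"}
DROPPED_SHA256 = {
    "25010e5504c35ed06b313a98f1726352fec33d7c4e6908214867b28e149edb09": "mssecsvc.exe",
    "b1b14b619d2757ead3c0490c776dfadb59fbda8b6a379e24c29ea0826d04978e": "tasksche.exe",
}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_windows_dir(path: str) -> bool:
    # Written directly into %SystemRoot%, not into a subfolder such as System32.
    return re.fullmatch(r"[a-z]:\\windows\\[^\\]+", path.lower()) is not None


def hunt(events):
    """Return (rule, pid) pairs for every event matching a report-derived rule."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    hits = []
    for e in events:
        name = basename(e.image)
        if e.kind == "file":
            # Rule 1: one of the two dropped binaries lands straight in C:\Windows.
            if name in DROPPED_NAMES and in_windows_dir(e.image):
                hits.append(("drop_in_windows_dir", e.pid))
            continue
        parent = procs.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        # Rule 2: known-bad hash, regardless of path or parent.
        if e.sha256.lower() in DROPPED_SHA256:
            hits.append(("known_hash_" + DROPPED_SHA256[e.sha256.lower()], e.pid))
        # Rule 3: mssecsvc.exe started with the service argument "-m security".
        if name == "mssecsvc.exe" and re.search(r"\s-m\s+security\b", e.cmdline, re.I):
            hits.append(("mssecsvc_service_start", e.pid))
        # Rule 4: tasksche.exe /i launched by mssecsvc.exe (the encryptor stage).
        if name == "tasksche.exe" and pname == "mssecsvc.exe" and re.search(r"\s/i\b", e.cmdline, re.I):
            hits.append(("tasksche_install", e.pid))
    return hits


# Constructed events mirroring the report's tree. The sandbox's own
# "rundll32 <sample>.dll,#1" launch is included on purpose: no rule fires on it.
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\7e42b85a3c28e4d3fd1928efbb1b1716_JaffaCakes118.dll"
SAMPLE_EVENTS = [
    Event("process", 1360, 900, r"C:\Windows\system32\rundll32.exe", "rundll32.exe " + SAMPLE_DLL + ",#1"),
    Event("process", 232, 1360, r"C:\Windows\SysWOW64\rundll32.exe", "rundll32.exe " + SAMPLE_DLL + ",#1"),
    Event("file", 232, 0, r"C:\WINDOWS\mssecsvc.exe"),
    Event("process", 868, 232, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe",
          "25010e5504c35ed06b313a98f1726352fec33d7c4e6908214867b28e149edb09"),
    Event("file", 868, 0, r"C:\WINDOWS\tasksche.exe"),
    Event("process", 4924, 868, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i",
          "b1b14b619d2757ead3c0490c776dfadb59fbda8b6a379e24c29ea0826d04978e"),
    Event("process", 4476, 0, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security",
          "25010e5504c35ed06b313a98f1726352fec33d7c4e6908214867b28e149edb09"),
]

if __name__ == "__main__":
    for rule, pid in hunt(SAMPLE_EVENTS):
        print(f"{rule:<26} pid={pid}")
```

Rules 1, 3 and 4 survive a repacked sample whose hashes differ from the ones in this report; rule 2 does not, which is why the file-name, path and command-line checks are kept separate from the hash check rather than folded into it.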
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: b8fb46d2a1f577db36856c3277f76976
  SHA1: 88cccd52b450ce1e4abdd01674aa9c075c80d561
  SHA256: 25010e5504c35ed06b313a98f1726352fec33d7c4e6908214867b28e149edb09
  SHA512: 36e958c71ae9f42227f7f30268e87dccb7f3533e4871bc08899b5310effe0d12db4277940e090e60f0818405a2cde879d32920125b51b7edbbf949f48f84799c
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 83f5fbd4c245bf1df5a102a08eafaab3
  SHA1: 48fea8659fba1b02feb2d4261eb5aef88d13b4a5
  SHA256: b1b14b619d2757ead3c0490c776dfadb59fbda8b6a379e24c29ea0826d04978e
  SHA512: 78cfe4a08f937be15490478e78c4cf8978b5f2847aa2f31a66ad47704afea06c968fe135c505d07021196e2e08abfd82789a0e0b991dbda06528ab1051afbb2c