Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
30-05-2024 05:26
Static task
static1
Behavioral task
behavioral1
Sample
83290a02ed59eab7505161293eaa21cf_JaffaCakes118.dll
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
83290a02ed59eab7505161293eaa21cf_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
83290a02ed59eab7505161293eaa21cf_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
83290a02ed59eab7505161293eaa21cf
-
SHA1
bf11b2130480f2360d5f37e791ddeac3200b66ab
-
SHA256
cfa4f9d141d4f51d9a6199e82f8fdaf921139f044921e4237db5ed3065fdb483
-
SHA512
98790099258ca5b4b48e8b0b30f6663002b778971cff885991ee94d5a064e638e9a1a97e04491215000c5b929808d7394556f89a6701f4b947fcc60cfc3a4e9d
-
SSDEEP
49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:TDqPoBhz1aRxcSUDk36SAEdhvxWa9
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3060) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
1180 | mssecsvc.exe
3736 | mssecsvc.exe
2800 | tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 3632 wrote to memory of 964 | 3632 | rundll32.exe | rundll32.exe
PID 3632 wrote to memory of 964 | 3632 | rundll32.exe | rundll32.exe
PID 3632 wrote to memory of 964 | 3632 | rundll32.exe | rundll32.exe
PID 964 wrote to memory of 1180 | 964 | rundll32.exe | mssecsvc.exe
PID 964 wrote to memory of 1180 | 964 | rundll32.exe | mssecsvc.exe
PID 964 wrote to memory of 1180 | 964 | rundll32.exe | mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\83290a02ed59eab7505161293eaa21cf_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:3632
  -
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\83290a02ed59eab7505161293eaa21cf_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:964
    -
    C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:1180
      -
      C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:2800
-
C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:3736
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Windows\mssecsvc.exe
Filesize
3.6MB
MD5
1776c7405b200c6913931dd6dde9d78d
SHA1
4f09cc3df6eff3cd86f197ddf044b2eadb8fd402
SHA256
824c2101052d0232bc409fbbf3431843ad3674a2979a8f8738adc41fb871769b
SHA512
8622c8b5e156f3113669ce613a7c8500eb30f77fe2d3125f0f4e8622813be1fb5748e4f70c5d1c04bffe3e50260c4de730971549226823f6571e08113ff80edf
-
C:\Windows\tasksche.exe
Filesize
3.4MB
MD5
c094b2ec6a7e98d0935fe97127646cb3
SHA1
562dc9932e3c9c2a72fedeca0b209f8c43d248bf
SHA256
e34de00b79e25fa85c52572eb869ede4c9000e18a5d05b40a17adb483aa55be3
SHA512
1c74e09636fceadf304ebfab0170c0943c53d1ddfa70848ba1cf93b29dfbf0a10dc7ab256bde64941a57960344e42ee063a4f2550543eafa5c579efeeaa11bf2