Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-05-2024 06:47
Static task
- static1
Behavioral task
- behavioral1
  Sample: 83544683ea936a82697a465bdf6093e1_JaffaCakes118.dll
  Resource: win7-20231129-en
Behavioral task
- behavioral2 (the run this report describes; its resource matches the Analysis block above)
  Sample: 83544683ea936a82697a465bdf6093e1_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 83544683ea936a82697a465bdf6093e1_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 83544683ea936a82697a465bdf6093e1
- SHA1: 1221e6db5631f38bcbfed6b700b046c8397791e8
- SHA256: 3b622ad73a4d3996bec3f59411a2e1fbf55cfe8ac017c7f39c3229b4dc9cd75e
- SHA512: 66dba311e3a75ea48851671f27dc5c9cef3ea200071efe406f287fc999c8dd4ea5ab31e644d9a3bfe54cca967599e13cc1d008cc35b4d8d420b9a66b27b79705
- SSDEEP: 49152:SnAQqMSPbcBVQej/37wSY88toex6jHaeCn:+DqPoBhz3y
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3278) of remote hosts (1 TTP)
  This many distinct destinations indicates a network scan for remotely running services. For this family that is consistent with its SMB propagation scan, but the Network section of this report does not list destination ports, so confirm them from the capture rather than from the signature alone.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    3168  mssecsvc.exe
    1396  mssecsvc.exe
    2704  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This reflects the same scanning behaviour as the remote-host count above (one flow per probed host), not a separate activity.
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                       Process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    Description      IoC                                                                                                          Process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    mssecsvc.exe
  These are the WinINet zone-map defaults that get written the first time a process uses the Internet Settings API under a profile; they land in .DEFAULT because the writing mssecsvc.exe instance (PID 1396) runs in the service context rather than the desktop user's. On their own they are not malicious; the useful signal is which process wrote them.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description      Source PID  Source process  Target PID  Target process
    wrote to memory  1140        rundll32.exe    2364        rundll32.exe   (recorded 3 times)
    wrote to memory  2364        rundll32.exe    3168        mssecsvc.exe   (recorded 3 times)
  Both pairs are parent-to-child writes at process creation, which this signature also matches: the first is the 64-bit rundll32.exe launching its SysWOW64 counterpart to load the 32-bit DLL, the second is that 32-bit instance starting the binary it just dropped. The indicator worth alerting on is the lineage rundll32.exe -> mssecsvc.exe, not injection into an unrelated process.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\83544683ea936a82697a465bdf6093e1_JaffaCakes118.dll,#1
  PID: 1140
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\83544683ea936a82697a465bdf6093e1_JaffaCakes118.dll,#1
    PID: 2364
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3168
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2704
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1396
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  (This instance has no parent in the rundll32.exe tree: the report records it as a second root, consistent with the dropped binary being started again as a service with the "-m security" argument.)
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 98752da3c002acf3e754ef7c599ea300
  SHA1: 34c6f054da962e5b801fe8207dfc240f95486511
  SHA256: 558268c93771e36f7a4ed06929faa11a6aa22baddb34d5bed15a489d068d58ab
  SHA512: bde95f1f22f03f18506392186dbcee6a5b8d11947be216b52ef6780f10f7b06fcd5f26f54ec69e1ddc8a6705a221478f5fe567289c0407177329b6a4542611a7
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 57be8666bb55d612117efd8cd1ed762a
  SHA1: 5684dd3216fc4e4534cd83d6bf6a5032a6b13577
  SHA256: 03066d388bd69e1f763021fd14c7b6088878875600a1de68e72281fe0c89768d
  SHA512: cb7fc0dfe051ddf02051d2304f32a3e0f328cedb8646d68786e064b1e5a8635263b38a7f14eec77d91d5bf9c2544494d7a7a1297b0ed435d66911e2b2a870ff4
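The process tree and the dropped-file hashes above are the two things a responder will want to hunt for on other hosts. The script below is an added example, not part of this report or of the sandbox that produced it: it matches the lineage rundll32.exe -> mssecsvc.exe -> "tasksche.exe /i", the separate "mssecsvc.exe -m security" start, and the report's SHA-256 values, against a constructed process-creation log. The "pid=... ppid=... image=... cmd=..." line format, the parent PIDs 800 and 600 and the notepad.exe line are assumptions made for the sample input; only the PIDs, images, command lines and hashes come from the report.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# SHA-256 values taken from this report: the submitted DLL (General section) and
# the two binaries it writes to the Windows directory (Downloads section).
KNOWN_SHA256 = {
    "3b622ad73a4d3996bec3f59411a2e1fbf55cfe8ac017c7f39c3229b4dc9cd75e": "dropper DLL",
    "558268c93771e36f7a4ed06929faa11a6aa22baddb34d5bed15a489d068d58ab": "mssecsvc.exe",
    "03066d388bd69e1f763021fd14c7b6088878875600a1de68e72281fe0c89768d": "tasksche.exe",
}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image path as logged
    cmdline: str   # full command line as logged


# Constructed process-creation log in an assumed "key=value" line format. The
# PIDs, images and command lines mirror the report's process tree; ppid 800/600
# and the notepad.exe line are filler so that non-matching events are present.
SAMPLE_LOG = r"""
pid=1140 ppid=800 image=C:\Windows\system32\rundll32.exe cmd=rundll32.exe C:\Users\Admin\AppData\Local\Temp\83544683ea936a82697a465bdf6093e1_JaffaCakes118.dll,#1
pid=2364 ppid=1140 image=C:\Windows\SysWOW64\rundll32.exe cmd=rundll32.exe C:\Users\Admin\AppData\Local\Temp\83544683ea936a82697a465bdf6093e1_JaffaCakes118.dll,#1
pid=3168 ppid=2364 image=C:\WINDOWS\mssecsvc.exe cmd=C:\WINDOWS\mssecsvc.exe
pid=2704 ppid=3168 image=C:\WINDOWS\tasksche.exe cmd=C:\WINDOWS\tasksche.exe /i
pid=1396 ppid=600 image=C:\WINDOWS\mssecsvc.exe cmd=C:\WINDOWS\mssecsvc.exe -m security
pid=4100 ppid=800 image=C:\Windows\system32\notepad.exe cmd=notepad.exe
"""

_LINE = re.compile(r"pid=(\d+) ppid=(\d+) image=(\S+) cmd=(.*)")


def parse_events(text: str) -> list[ProcEvent]:
    """Parse the assumed key=value log lines; lines that do not match are skipped."""
    events = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if m:
            events.append(ProcEvent(int(m[1]), int(m[2]), m[3], m[4].strip()))
    return events


def _basename(path: str) -> str:
    # Compare on the file name only: the report shows both C:\Windows and C:\WINDOWS.
    return path.rsplit("\\", 1)[-1].lower()


def find_dropper_chains(events: list[ProcEvent]) -> list[tuple[int, int, int]]:
    """Return (rundll32 pid, mssecsvc pid, tasksche pid) for every chain
    rundll32.exe -> mssecsvc.exe -> 'tasksche.exe /i'. Matching is by lineage and
    image name, not by the PIDs seen in the sandbox, so it works on other hosts."""
    by_pid = {e.pid: e for e in events}
    chains = []
    for e in events:
        if _basename(e.image) != "tasksche.exe" or not e.cmdline.lower().endswith(" /i"):
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _basename(parent.image) != "mssecsvc.exe":
            continue
        grand = by_pid.get(parent.ppid)
        if grand is None or _basename(grand.image) != "rundll32.exe":
            continue
        chains.append((grand.pid, parent.pid, e.pid))
    return chains


def find_service_starts(events: list[ProcEvent]) -> list[int]:
    """PIDs of mssecsvc.exe launched with '-m security', the second root of the
    report's process tree (it has no rundll32.exe ancestor)."""
    return [e.pid for e in events
            if _basename(e.image) == "mssecsvc.exe"
            and e.cmdline.lower().endswith("-m security")]


def match_known_hashes(file_records) -> dict[str, str]:
    """file_records: iterable of (path, sha256 hex). Returns {path: label} for each
    digest equal to one of the report's hashes, compared case-insensitively."""
    hits = {}
    for path, digest in file_records:
        label = KNOWN_SHA256.get(digest.strip().lower())
        if label:
            hits[path] = label
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("dropper chains (rundll32, mssecsvc, tasksche):", find_dropper_chains(evs))
    print("service-mode starts:", find_service_starts(evs))
    print(match_known_hashes([(r"C:\Windows\mssecsvc.exe",
                               "558268c93771e36f7a4ed06929faa11a6aa22baddb34d5bed15a489d068d58ab")]))
```

Two caveats when running this over a real endpoint log: parent lookup by PID is only safe within a short time window, because PIDs are reused after a process exits, so key the `by_pid` map by (pid, creation time) if the log carries one; and the hash table only catches these exact dropped files, whereas the lineage check also catches repacked builds that keep the same drop-and-execute sequence.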