Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
30-05-2024 09:11
Static task
static1
Behavioral task
behavioral1
Sample
83af5088ba3db6b1d105e14ca84d69d5_JaffaCakes118.dll
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
83af5088ba3db6b1d105e14ca84d69d5_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
83af5088ba3db6b1d105e14ca84d69d5_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
83af5088ba3db6b1d105e14ca84d69d5
-
SHA1
0a62814dffd3985cd0de23cff1376dad2d935726
-
SHA256
5797d247bfb6e387b7b61cc0c6c668c56fd85b76140e3992a534f2e2bea219aa
-
SHA512
9db1fbbb56c99b96c3bac03ae3b7252af6485ee51ae7b48aec85820d569dc25632e00fd357d4787c1fed195dffb312362d8a7f78cfa4d55b7c7562e214bcc214
-
SSDEEP
98304:+DqPoBhz1aRxcSUDk36SAaU+3az6Om3MetDZnh:+DqPe1Cxcxk3ZAaUhIF
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3213) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 992 mssecsvc.exe 4620 mssecsvc.exe 2812 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 4572 wrote to memory of 3764 4572 rundll32.exe rundll32.exe PID 4572 wrote to memory of 3764 4572 rundll32.exe rundll32.exe PID 4572 wrote to memory of 3764 4572 rundll32.exe rundll32.exe PID 3764 wrote to memory of 992 3764 rundll32.exe mssecsvc.exe PID 3764 wrote to memory of 992 3764 rundll32.exe mssecsvc.exe PID 3764 wrote to memory of 992 3764 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\83af5088ba3db6b1d105e14ca84d69d5_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\83af5088ba3db6b1d105e14ca84d69d5_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3764 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:992 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2812
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4620
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5c17631e97b274702a6d4cce77706bdb9
SHA11529c341f49a7514605bdd26ae14a447f515f591
SHA2562cf47fb7bea77112a89b936121bfa1d173623157ce12c881ef7a434207a37a5e
SHA512a7ac53722fe3d4a968705e8b9f7b232a6da8fcb1bbf7e78fa4295c4230ca65ba7e3d5c10cd9cd74ea069ba71d23a1aa80e5e626a18f39465774c7bb52193faa3
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD53c4086a046d89768b314d5a6d98ae850
SHA12e757bb097211b200e070c96d2e57f8a2eeef800
SHA2564992bb166940c9b7f7183ea360c382688d43ffaa7ce8d6a4f76d0fe38a41a8b7
SHA51292c1e43901824b896c4cd7367a72a07adfcf120f3e9274166730646ee838e38371027516262406a8a3d57fbd2942fa3622f847dcc21b8106b7c849866558daf7