Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-05-2024 02:40
Static task: static1
Behavioral task: behavioral1
- Sample: 85c233320aca3c5a4546710283d8a850_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 85c233320aca3c5a4546710283d8a850_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 85c233320aca3c5a4546710283d8a850_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 85c233320aca3c5a4546710283d8a850
- SHA1: 1be3aa2014984ff46f178a4737ba71f8778900cb
- SHA256: 27085d18e0a778466c48612ba42f2b476c6924e0ad163d220d1bd5c08d5ce61c
- SHA512: 6c2b30f327e7311d66472897e680174f4262e48d27bd0e8cdbe8a04dc014ba2510af385bf00601b300451876353c0f8446448bf410944b41fe0ca888c523413e
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626M+vbOSSqTPVXmi:SnAQqMSPbcBVQej/1INRx+TSqTdX1
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3369) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid / process):
    2368  mssecsvc.exe
    448   mssecsvc.exe
    4268  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description / ioc / process):
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 3660 wrote to memory of 3504  3660  rundll32.exe  rundll32.exe
    PID 3660 wrote to memory of 3504  3660  rundll32.exe  rundll32.exe
    PID 3660 wrote to memory of 3504  3660  rundll32.exe  rundll32.exe
    PID 3504 wrote to memory of 2368  3504  rundll32.exe  mssecsvc.exe
    PID 3504 wrote to memory of 2368  3504  rundll32.exe  mssecsvc.exe
    PID 3504 wrote to memory of 2368  3504  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\85c233320aca3c5a4546710283d8a850_JaffaCakes118.dll,#1
  PID: 3660
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\85c233320aca3c5a4546710283d8a850_JaffaCakes118.dll,#1
    PID: 3504
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2368
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4268
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 448
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: c3544ed72b543399a563603a45fe33ec
  SHA1: de5b2707dd35d82263dade6c5c6ff8e80e8f5cb0
  SHA256: 12a4320406b99e5475080186b9629c842aae6e82bc93e6d1d70f8079a6c34ad2
  SHA512: 59868a56a6ad5bcd432ba2be2cdfe8602604ce08b4e3d8fa91d05dcbce4942149249a842109e5a3ddca5ae794b360d7feaa5fe3c5fc3c3fab1cad5c3af1db1cb
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: be739e971ede33657c86d9064466d389
  SHA1: 2b9db1f92da05a2dc44fedbeb3fcb9cff5330c4f
  SHA256: 15536459a88987ba81c0c7021765babbdf6ee6c9cfc61c5c2dab36f9224df347
  SHA512: 1a087219e227cabc5897a30dd6e66790ce0428a57bbefd250e271b98b86004ab05437094815d3473eaa0075801f9edde6596b7b455b93554f95d1d34c11855a8