Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-05-2024 18:06
Static task
static1
Behavioral task
behavioral1
Sample
87dc62e9d0c0e82a6f495204aa970a47_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
87dc62e9d0c0e82a6f495204aa970a47_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
- Target: 87dc62e9d0c0e82a6f495204aa970a47_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 87dc62e9d0c0e82a6f495204aa970a47
- SHA1: 9aad87c88e51124e25764d3bb5432262ee059a8a
- SHA256: 494d19f02baf2f2a9b6eb3de088c8911b8a11fac6c960850110313b46d3bfe96
- SHA512: d47f2b03c4641825bf87bf91e02a9ff72b2a4b8777261d69291908085d92da57fd06768221093fa7f34d217a95088e4caac383907fe289698a80ca41771d6337
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxW7AVp2H:+DqPe1Cxcxk3ZAEU7c4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3297) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  pid  | process
  3364 | mssecsvc.exe
  3332 | mssecsvc.exe
  3008 | tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
  description  | ioc                     | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
  description     | ioc                                                                                                        | process
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                      | pid  | process      | target process
  PID 4524 wrote to memory of 4028 | 4524 | rundll32.exe | rundll32.exe
  PID 4524 wrote to memory of 4028 | 4524 | rundll32.exe | rundll32.exe
  PID 4524 wrote to memory of 4028 | 4524 | rundll32.exe | rundll32.exe
  PID 4028 wrote to memory of 3364 | 4028 | rundll32.exe | mssecsvc.exe
  PID 4028 wrote to memory of 3364 | 4028 | rundll32.exe | mssecsvc.exe
  PID 4028 wrote to memory of 3364 | 4028 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\87dc62e9d0c0e82a6f495204aa970a47_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4524
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\87dc62e9d0c0e82a6f495204aa970a47_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 4028
    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 3364
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 3008
- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 3332
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: cc3a70ecc0e296a07e7f38fe72665c25
  SHA1: e0482f30e2c295f675721aaf1121059ef2db5da2
  SHA256: d3d0109630f864fb3cc86763061a27f388bb245814cedc62cdc086eb7916d50d
  SHA512: ec7622160b9e8ed218f305181fe19567882b3b02a6ec5ed6735f8ffb78832524833507f7ca95caeb236c02348d4e329f0c68d6e036cdd5ffc818be73f58603d7
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 0150f010140afdb31b7606baa110e0f8
  SHA1: a0997d2fdc309ab6d3c115fae736225123128992
  SHA256: b6e4c243f223148c33f102269ce48872584440bd3258bc435f9423f5e3b2c902
  SHA512: 47220fd350dab3983f18c5dd624ca8042c39a946365f7b49b3dac29e0b65f9bb63d7569a69fda5990b8e7acc5411115aaddec9f4cfcd94759d8a199e1f3fd4d7