Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-06-2024 04:00
Static task: static1
Behavioral task: behavioral1
  Sample: 894db8bbeec08bdcacb8ddaa21feebed_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 894db8bbeec08bdcacb8ddaa21feebed_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
- Target: 894db8bbeec08bdcacb8ddaa21feebed_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 894db8bbeec08bdcacb8ddaa21feebed
- SHA1: 50b593a42ea69ed53dcb8daaab54906365c4b01b
- SHA256: abc192687665e185a0a3c52fb0f7c8709e037f2ee706fd33491077551cc1442c
- SHA512: 5e2272b4a8ea8a84eba5aa1443aa8e56c5a871255fc52c59296cfff76c42aac74e9f31860d8fcd448dfe0356eb52c4a4590d246f23b25782e7107febf4a21fb4
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P59:+DqPe1Cxcxk3ZAEUad
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3230) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    3700  mssecsvc.exe
    4032  mssecsvc.exe
    1680  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 4344 wrote to memory of 2568  4344  rundll32.exe  rundll32.exe
    PID 4344 wrote to memory of 2568  4344  rundll32.exe  rundll32.exe
    PID 4344 wrote to memory of 2568  4344  rundll32.exe  rundll32.exe
    PID 2568 wrote to memory of 3700  2568  rundll32.exe  mssecsvc.exe
    PID 2568 wrote to memory of 3700  2568  rundll32.exe  mssecsvc.exe
    PID 2568 wrote to memory of 3700  2568  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\894db8bbeec08bdcacb8ddaa21feebed_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4344
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\894db8bbeec08bdcacb8ddaa21feebed_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2568
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 3700
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 1680
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 4032
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 5821d7401d6a9708e931130ab0711a51
  SHA1: ef2c2eb28a6368fd136cd729fca0026163d1084c
  SHA256: 8f3494424b80ff468177cea2320256efd95f128d77f1b42a21681eb5c46f4d5f
  SHA512: c509f1bf8d298b83c1da80aeb4dd8f4d98456e242ef07ea31800076d3a76fa8d9caa2e1cd3dcdf1e26d70113929dbab9e7ccd38edfba484f075f6d13f93c993e
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 0749681311c27dcae1f71a8d203d438a
  SHA1: 30ba4b8d7abc3dee3f27d086b2e67e4adaf2118c
  SHA256: 66ad4a0f88bbe7cdafe0fe23d08028795b9196af77ae0c52ec1aa60db362fc54
  SHA512: 49613836c9beb89f896a228f2f9cba947fbcea34bb486b2e9c07c3b37db4bb85c1bb9c4398e4e47efbffb68cbd427772a2b746ce38c96e308d307ef14a4991a7