Analysis
Max time kernel: 150s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01-06-2024 08:26
Static task: static1
Behavioral task: behavioral1
  Sample: 89df4643198d4fa26bc265704470ad11_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 89df4643198d4fa26bc265704470ad11_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 89df4643198d4fa26bc265704470ad11_JaffaCakes118.dll
Size: 5.0MB
MD5: 89df4643198d4fa26bc265704470ad11
SHA1: 8c14cf6b4ff40cb0404c09a4e6b856af5d7656e7
SHA256: 3fd647e0636cdc6559584720480f65a80d7c39f19f5da79fde445f98a0f483f3
SHA512: 20e9e9dffd7dcfd4f1918395c066d59bbe7a1f1f184ece336f5e69e9394112efe4ea7b2e4bf7d058cc297fc69121000419493790f7a4fff02fe209e77eb9e699
SSDEEP: 98304:+DqPoBhz1aRxcSUMk36SAEdhvxWa9P593R8yAVp2H:+DqPe1Cxcuk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3364) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid   process
    2808  mssecsvc.exe
    2408  mssecsvc.exe
    1484  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
    description      ioc                                                                                                  process
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                        pid   process       target process
    PID 1652 wrote to memory of 2072   1652  rundll32.exe  rundll32.exe
    PID 1652 wrote to memory of 2072   1652  rundll32.exe  rundll32.exe
    PID 1652 wrote to memory of 2072   1652  rundll32.exe  rundll32.exe
    PID 2072 wrote to memory of 2808   2072  rundll32.exe  mssecsvc.exe
    PID 2072 wrote to memory of 2808   2072  rundll32.exe  mssecsvc.exe
    PID 2072 wrote to memory of 2808   2072  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\89df4643198d4fa26bc265704470ad11_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  PID: 1652
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\89df4643198d4fa26bc265704470ad11_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    PID: 2072
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      PID: 2808
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
        PID: 1484
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
  PID: 2408
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 2ae7812eeea8e7d78de19924987e7970
  SHA1: 1898e5365ad20665d6b37408d6f8b83b94116d18
  SHA256: 1297c4970cdf137b1e1e75c11d61dd0c61e1406441763e665174fde3b69fb392
  SHA512: 64db4d6ea68a113d6b3adc236c931b342c8f771bf5ce450142acfd06d2dcb23821163edfa563ac73418313cfd394b9015300689dbde6acba48d85c178e5f608e
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 34a717258b0ecd1174eb6ad3af5881bc
  SHA1: d0a985b4279355786233ea0205e19fa40166f03e
  SHA256: f53b64116917aaf5eb1e2e5af64511816d618d4a56e199214a66bd988651a73e
  SHA512: 2b017bb62dfafe0fe60bab03fcc0ca84199e77b947872460d34a351fdc183e817f1d12d491ef6f3188a99ff748d3f846fea00597332b8bd0a11961849b0aa20d