Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-06-2024 11:44
Static task: static1
Behavioral task: behavioral1
- Sample: 8a5f1c167c3450e13e06ecab6be7838a_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2 (the run reported below; see the platform line above)
- Sample: 8a5f1c167c3450e13e06ecab6be7838a_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 8a5f1c167c3450e13e06ecab6be7838a_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 8a5f1c167c3450e13e06ecab6be7838a
- SHA1: 87db1835f6b7e4a1d2e3bf6a9f889d922a5ed213
- SHA256: 2e9d8ca583fdeff7bdec78d707d322cab949a22fd487bce721a2ad2b8d8a548f
- SHA512: 9df93ab449855b631084c785f00ccfb4b508a8d22d451914114c49515248fc359011be5715f39c3119e69a571e13fd1961b6de69e81347c0e181248ab7eeb063
- SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAM:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3232) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID   Process
  600   mssecsvc.exe
  3448  mssecsvc.exe
  4420  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Description   IoC                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
  Both binaries land directly in the Windows directory root, and each one is then executed (see "Executes dropped EXE" above and the process tree below).
- Modifies data under HKEY_USERS (5 IoCs)
  Description      IoC                                                                                                      Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  The writer is the "-m security" instance (PID 3448 in the process tree). The keys sit under HKU\.DEFAULT rather than a user SID, which is consistent with that instance running in the LocalSystem (service) context.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Description      PID   Process       Target PID  Target process
  wrote to memory  1604  rundll32.exe  3544        rundll32.exe   (recorded 3 times)
  wrote to memory  3544  rundll32.exe  600         mssecsvc.exe   (recorded 3 times)
  Each write is from a parent into a child it has just created, so on its own this signature is weak; the dropped path and the dropped-EXE execution are the stronger evidence.
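The two scanning signatures above ("contacts a large number of remote hosts", "creates a large amount of network flows") describe host fan-out, which is what a detection should measure rather than raw connection count. The following is an added example, not part of the sandbox report: it counts distinct destination hosts per process inside a sliding time window over constructed flow records. The record field names are an assumption, not a sandbox export format, and the sweep in the constructed sample targets TCP/445 because WannaCry's worm component spreads over SMB (from public analyses of the family; the page itself only gives the host count).

```python
"""Flag processes that fan out to an unusually large number of distinct
remote hosts. Added example for the scanning signatures above; the Flow
records are constructed and their field names are an assumption."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since capture start
    pid: int
    image: str
    dst_ip: str
    dst_port: int


def scan_fanout(flows, window_s=60.0, threshold=100):
    """Return {(pid, image): (distinct_hosts, top_port, top_port_share)} for
    every process that reaches at least `threshold` distinct destination
    hosts inside some window of `window_s` seconds.

    Distinct hosts are counted, not flows, so a chatty client that talks to
    a handful of servers does not trip the rule. The share of flows going to
    the single most common port is the extra signal that separates a port
    sweep (one port, many hosts) from a crawler or update client."""
    by_proc = defaultdict(list)
    for f in flows:
        by_proc[(f.pid, f.image)].append(f)

    hits = {}
    for key, fl in by_proc.items():
        fl.sort(key=lambda f: f.ts)
        in_window = Counter()   # dst_ip -> flows currently inside the window
        lo = 0
        for f in fl:
            in_window[f.dst_ip] += 1
            # Slide the left edge forward and drop hosts that fell out.
            while f.ts - fl[lo].ts > window_s:
                old = fl[lo].dst_ip
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= threshold:
                ports = Counter(x.dst_port for x in fl)
                top_port, n = ports.most_common(1)[0]
                hits[key] = (len({x.dst_ip for x in fl}), top_port, round(n / len(fl), 2))
                break
    return hits


def build_sample_flows():
    """Constructed telemetry (not from the report): pid 600 mssecsvc.exe
    sweeping two /24s on TCP/445 (508 hosts in about 25 s), plus a benign
    browser process that opens 400 connections to only four hosts."""
    flows = []
    t = 0.0
    for third in (0, 1):
        for last in range(1, 255):
            flows.append(Flow(t, 600, "mssecsvc.exe", f"10.0.{third}.{last}", 445))
            t += 0.05
    for i in range(400):
        flows.append(Flow(i * 0.1, 2412, "msedge.exe", f"93.184.216.{i % 4}", 443))
    return flows


if __name__ == "__main__":
    for (pid, image), (hosts, port, share) in scan_fanout(build_sample_flows()).items():
        print(f"pid {pid} {image}: {hosts} distinct hosts, {share:.0%} of flows to port {port}")
```

With the constructed input only the sweep is reported (508 hosts, 100% of flows to port 445); the browser process never exceeds four distinct hosts despite opening far more connections. Tune `threshold` and `window_s` to the environment: 3232 hosts in a 150-second run, as on this page, is far above anything a workstation process does legitimately.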
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a5f1c167c3450e13e06ecab6be7838a_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1604
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8a5f1c167c3450e13e06ecab6be7838a_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 3544
    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 600
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 4420
- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 3448

The sandbox loads the DLL through rundll32.exe by export ordinal (",#1"). The 64-bit rundll32.exe (PID 1604) hands off to the SysWOW64 copy (PID 3544), consistent with the arch:x86 resource tag: the DLL is 32-bit. The SysWOW64 instance is the one that writes C:\WINDOWS\mssecsvc.exe and runs it; that process in turn writes and runs C:\WINDOWS\tasksche.exe /i. The second mssecsvc.exe (PID 3448, "-m security") appears as its own root, not as a child of the rundll32 chain, and it is the instance that edits the ZoneMap keys under HKU\.DEFAULT; public analyses of WannaCry describe "-m security" as the service-mode invocation of the worm component.
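The process tree above is a compact dropper chain: a DLL loaded via rundll32 writes an executable into the Windows directory, runs it, that executable drops and runs a second one, and a further copy is relaunched outside the tree with "-m security" and edits HKU\.DEFAULT. The block below is an added example, not part of the sandbox report, showing how to reconstruct and flag that chain from endpoint telemetry. The event records are constructed from the PIDs, paths and registry keys on this page; the record layout (kind/pid/ppid/image/cmdline/path/key), the explorer.exe parent for PID 1604 and the services.exe parent for PID 3448 are assumptions, since the report does not show those parents.

```python
"""Reconstruct the rundll32 -> mssecsvc.exe -> tasksche.exe dropper chain
from process/file/registry events and flag each behaviour. Added example;
SAMPLE_EVENTS is constructed from the page's PIDs and paths, the parents of
PIDs 1604 and 3448 are assumed."""
import ntpath
from collections import defaultdict


def norm(p):
    """Normalise a Windows path for comparison (case-insensitive)."""
    return ntpath.normpath(p).lower()


DLL_CMD = (r"rundll32.exe C:\Users\Admin\AppData\Local\Temp"
           r"\8a5f1c167c3450e13e06ecab6be7838a_JaffaCakes118.dll,#1")

SAMPLE_EVENTS = [
    # Assumed parents (not in the report): explorer.exe and services.exe.
    {"kind": "proc", "pid": 900, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"kind": "proc", "pid": 700, "ppid": 4, "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
    # The chain as listed in the process tree above.
    {"kind": "proc", "pid": 1604, "ppid": 900, "image": r"C:\Windows\system32\rundll32.exe", "cmdline": DLL_CMD},
    {"kind": "proc", "pid": 3544, "ppid": 1604, "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": DLL_CMD},
    {"kind": "file", "pid": 3544, "path": r"C:\WINDOWS\mssecsvc.exe"},
    {"kind": "proc", "pid": 600, "ppid": 3544, "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"kind": "file", "pid": 600, "path": r"C:\WINDOWS\tasksche.exe"},
    {"kind": "proc", "pid": 4420, "ppid": 600, "image": r"C:\WINDOWS\tasksche.exe", "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"kind": "proc", "pid": 3448, "ppid": 700, "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"kind": "reg", "pid": 3448,
     "key": r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass"},
]


def detect(events):
    """Walk the events once, in order, and return {finding: sorted values}.

    Executables written directly into the Windows directory are remembered;
    any later process whose image is one of them is a dropped-EXE execution.
    Ancestry is walked through the parent chain so the rundll32 origin is
    found even two hops up (tasksche.exe <- mssecsvc.exe <- rundll32.exe)."""
    procs = {}        # pid -> proc event
    dropped = {}      # normalised path -> pid that wrote it
    findings = defaultdict(set)
    windir = norm(r"C:\Windows")

    def has_ancestor(pid, basename):
        seen = set()
        while pid in procs and pid not in seen:
            seen.add(pid)
            if ntpath.basename(procs[pid]["image"]).lower() == basename:
                return True
            pid = procs[pid]["ppid"]
        return False

    for ev in events:
        if ev["kind"] == "proc":
            procs[ev["pid"]] = ev
            img = norm(ev["image"])
            if img in dropped:
                findings["executes_dropped_exe"].add(ev["pid"])
                if has_ancestor(ev["ppid"], "rundll32.exe"):
                    findings["dropped_exe_under_rundll32"].add(ev["pid"])
                elif ntpath.basename(img) == "mssecsvc.exe" and "-m security" in ev["cmdline"]:
                    # Relaunched outside the dropper tree, as PID 3448 is above.
                    findings["mssecsvc_service_mode"].add(ev["pid"])
        elif ev["kind"] == "file":
            path = norm(ev["path"])
            if ntpath.dirname(path) == windir and path.endswith(".exe"):
                dropped[path] = ev["pid"]
                findings["drops_exe_in_windir"].add((ev["pid"], path))
        elif ev["kind"] == "reg":
            key = ev["key"].lower()
            if key.startswith("\\registry\\user\\.default\\") and "\\zonemap\\" in key:
                findings["hku_default_zonemap_write"].add(ev["pid"])
    return {k: sorted(v) for k, v in findings.items()}


def wannacry_like(findings):
    """All four behaviours together are the chain shown on this page."""
    need = ("drops_exe_in_windir", "dropped_exe_under_rundll32",
            "mssecsvc_service_mode", "hku_default_zonemap_write")
    return all(findings.get(k) for k in need)


if __name__ == "__main__":
    result = detect(SAMPLE_EVENTS)
    for name, vals in result.items():
        print(f"{name}: {vals}")
    print("wannacry-like chain:", wannacry_like(result))
```

Run against the constructed events it reports the two drops (by PIDs 3544 and 600), three dropped-EXE executions (600, 3448, 4420), two of them under a rundll32 ancestor (600, 4420), the service-mode relaunch (3448) and the ZoneMap write (3448), which together satisfy `wannacry_like`. Each individual rule also fires on benign activity now and then (installers write to the Windows directory, rundll32 is used constantly), so the value is in requiring the chain, not any one signature.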
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: c9ae0f347cccf40cbc237beddac981d8
  SHA1: 02da17aa1ab0732385cc645a0f6f4da8c6b76789
  SHA256: ecd829bda76a0df946864052d1d19f400a8c7b79c6ef97b0ce2f9c7b41d072c2
  SHA512: d242595360e3bed4203da7cfd07b932038831e68e79ee07ef087cb52d138c806eaabac8edb8887c6942dc0c78be655a6d2481362d780b56f5943f781382161b5
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: c1bbf0090ee11089390daa14953acd85
  SHA1: e08221568dfc20473b5d67e9ad38c2049df3a450
  SHA256: 6ea6ba48f602e2aacea73f1251cc6c4f0baff94cec3487cfee0e0dee742a3b35
  SHA512: be9ffb7847d1953e8b52499eb795eae59857be679332ab88f0fc95493253c5fcad6b037cd026ba9fc1828d8cd9d8f19b63e0c602084ffbde257b9562fa6d6749