Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-06-2024 22:35
Static task: static1
Behavioral task: behavioral1
  Sample: 8fac35125dd08082cd705c6f4863b102_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 8fac35125dd08082cd705c6f4863b102_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 8fac35125dd08082cd705c6f4863b102_JaffaCakes118.dll
Size: 5.0MB
MD5: 8fac35125dd08082cd705c6f4863b102
SHA1: 947c39f8f0f782fedee7b1c69cc7d3affc6b5966
SHA256: bd5542da958f0dd35a98a7d70de6720a446549c45bab17cd4187c72a353095d9
SHA512: 7d68970067ba379b0953ed9e7ea731732bbd57d691f233db92e58d1a93222417cbb1bb68c46fec5b8994c4368908c398b979736adc55be78cf4d8189a0297ce8
SSDEEP: 49152:SnAQqMSPbcBVFhnvxJM0H9PAMEcaEau3R8yAH1plAH:+DqPoBrhvxWa9P593R8yAVp2H
Malware Config
Signatures

Wannacry
  WannaCry is a ransomware cryptoworm.

Contacts a large (3256) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
  Processes (pid / process):
    4692  mssecsvc.exe
    4704  mssecsvc.exe
    2084  tasksche.exe

Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
  Processes (description / ioc / process):
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 2872 wrote to memory of 1900  2872  rundll32.exe  rundll32.exe   (3 events)
    PID 1900 wrote to memory of 4692  1900  rundll32.exe  mssecsvc.exe   (3 events)
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8fac35125dd08082cd705c6f4863b102_JaffaCakes118.dll,#1
  PID: 2872
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8fac35125dd08082cd705c6f4863b102_JaffaCakes118.dll,#1
      PID: 1900
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

        C:\WINDOWS\mssecsvc.exe
          Command line: C:\WINDOWS\mssecsvc.exe
          PID: 4692
          - Executes dropped EXE
          - Drops file in Windows directory

            C:\WINDOWS\tasksche.exe
              Command line: C:\WINDOWS\tasksche.exe /i
              PID: 2084
              - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4704
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 25121953c461abc1f6ce5e4556acb948
  SHA1: 0e6cd0c884322d340bc64be0e3e5433b3d647165
  SHA256: c80a98e8dab24183cef31f412ec9454125c43f4818b76e58e43b2a23baae840b
  SHA512: 1d5a9cff912830ad07d2ddcb459cbe1553ebbab62b5863009efb62de621cd0d4be493be4e58ae35d3252c98bfe65f23254bc210fd68abd5c8465129f9c5a8a84

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: a564e1360917e8a9d67f8828dd48e18d
  SHA1: 9cbf30f2f848bfacd63938da2d2da4d3c49ccc3c
  SHA256: 19b96ace78954ad9f6631ec0d7fa0967570682ebd68ec8cda916c3f7621eab22
  SHA512: d76e91a2f9e7d2bc42d580b59f44236732318bafd683098d6a46a3c711bd0f139509add4380da9f431d6a04bc28925be4dd85b745eb3f9eeea90b031e46c410b