Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-06-2024 01:23
Static task: static1

Behavioral task: behavioral1
  Sample: 8c71fa95241242f37fbb5aacc7bb8b1d_JaffaCakes118.dll
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 8c71fa95241242f37fbb5aacc7bb8b1d_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 8c71fa95241242f37fbb5aacc7bb8b1d_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 8c71fa95241242f37fbb5aacc7bb8b1d
- SHA1: ef18845b9b8f0c4ff4d2a3c784651443ba120ab3
- SHA256: 5ca8b9ac8b109abd234db6368154665e437049bfdc992c3c80618927a85480e9
- SHA512: 36d34ad3df52cc3911112d5be248d264a204a1b8c01427e98d8d2f698347c5bdc63e1efad1a86a9108bf280762260bcc09542a6093efdbf339b38c467227c754
- SSDEEP: 24576:zbLgddQhfdmMSirYbcMNgef0QeQjG/D8kI29PO6lt/8uME71NZtA0p+9XEk:znAQqMSPbcBVQej/N9R3RhlAH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3339) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    3968  mssecsvc.exe
    2020  mssecsvc.exe
    1684  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                        process
    File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
    File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description      ioc                                                                                                   process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                        mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"      mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"     mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"       mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                          pid   process       target process
    PID 1164 wrote to memory of 4268     1164  rundll32.exe  rundll32.exe
    PID 1164 wrote to memory of 4268     1164  rundll32.exe  rundll32.exe
    PID 1164 wrote to memory of 4268     1164  rundll32.exe  rundll32.exe
    PID 4268 wrote to memory of 3968     4268  rundll32.exe  mssecsvc.exe
    PID 4268 wrote to memory of 3968     4268  rundll32.exe  mssecsvc.exe
    PID 4268 wrote to memory of 3968     4268  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c71fa95241242f37fbb5aacc7bb8b1d_JaffaCakes118.dll,#1
  PID: 1164
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c71fa95241242f37fbb5aacc7bb8b1d_JaffaCakes118.dll,#1
    PID: 4268
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3968
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1684
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2020
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 36d3544fcb2a73f026f9ce0b547a390d
  SHA1: e96e17e80b062e08f15a61ad5039942139b880f2
  SHA256: 386e6d2538a6b4d045904bee628f391cd9a26c9fbf781cf454aa50bcb5dd8aa7
  SHA512: 9818d0edd1cf4c3bc49435aab7af6ec5573051b04d9ee88591bfecb8afbb8e02c134c49611fe9ae9b70e3ddc2bd35652ad5cab34085a19a0eb3f231df6b9cbd9
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 2e9c41c8c4c8c4862b4bd67341e07f86
  SHA1: f3c7993c7602a2a8fa8ecc44550a04ad32db7bbf
  SHA256: 7f4a7782d398f0aa0be22a622aba1522abfd1892461fd7c07c4e3ab41abe5103
  SHA512: 2af90a8d8794bd9d923aab8d8948493065a71db4dc51c6ddedc7ed751f85ed7e2134e0f782ef54a96cb9f34fd766b1db214c1695cae75aeba88d92ac02ea53cd