Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-06-2024 09:13
Static task: static1
Behavioral task: behavioral1
  Sample: 8d92dd74686187bf411fc0898848d77f_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 8d92dd74686187bf411fc0898848d77f_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
- Target: 8d92dd74686187bf411fc0898848d77f_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 8d92dd74686187bf411fc0898848d77f
- SHA1: e685f2473c65ff02e897ed428a335222b7f8149d
- SHA256: 7cf6d0543975e3f4c2b0feae75fee701aa37f3ea441c575ad45e808d4ccdc089
- SHA512: e50852922f4e14592e8cae486d7186c65327b3b9bf6e01038beae2606f020ea593fa145dafadfbfb9c9445cea0e86b292f6e1cc6f2d0134bc4005fa4e8ce5a37
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SA9hvxWa9P593R8yAVp2H:+DqPe1Cxcxk3ZA0adzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3279) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    4868  mssecsvc.exe
    4132  mssecsvc.exe
    2372  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 4640 wrote to memory of 4776  4640  rundll32.exe  rundll32.exe
    PID 4640 wrote to memory of 4776  4640  rundll32.exe  rundll32.exe
    PID 4640 wrote to memory of 4776  4640  rundll32.exe  rundll32.exe
    PID 4776 wrote to memory of 4868  4776  rundll32.exe  mssecsvc.exe
    PID 4776 wrote to memory of 4868  4776  rundll32.exe  mssecsvc.exe
    PID 4776 wrote to memory of 4868  4776  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 4640)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d92dd74686187bf411fc0898848d77f_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4776)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d92dd74686187bf411fc0898848d77f_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 4868)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2372)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 4132)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: cf50fe69eda29727bb69c4bb5e99848c
  SHA1: 2c11a5e5a180583b0950640d4339fe0b17ac009b
  SHA256: 5d3ce6eefb59d2e5e19d86cfa28ac4257fad770b855cd46f526519d6dca80b9c
  SHA512: 4f544eaaafbb007ab67a84f66c30edaca968164a711a58360c0543d3db4588b3cb2b98c75f0bc0731576b4812f00161f07b856be738f0168320b2677bb871eee
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 3de480b686405b531e54b7d5ce69fb2d
  SHA1: 944bcd7657eab8724f4ad04965d086df5e43d13a
  SHA256: 4097a557488f4731a6c7f50a9e1b727fe41bae347ae863dc0996efe62b15cdd4
  SHA512: 8e36a695287bdfdb1169c2df2ed32feda49fac8d22072fe72b15b2774a14044df131a0d9d664bcfcd3ed4c7cafb451fde1296463e62f4e8c376ce60197a0a1c8