Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-06-2024 10:11
Static task: static1
Behavioral task: behavioral1
  Sample: 8db79e0dc01626d2ba669f64d7e73b49_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 8db79e0dc01626d2ba669f64d7e73b49_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 8db79e0dc01626d2ba669f64d7e73b49_JaffaCakes118.dll
Size: 5.0MB
MD5: 8db79e0dc01626d2ba669f64d7e73b49
SHA1: 0ab8a21fc0db6efc1c71ab35b80f4b360173706d
SHA256: dd1320864a592bc4e9210e6cd9981111356805cc268a1401fdd5adeb89a64438
SHA512: 19613cc597b5998ca2a648d0735d969274b46e6d3d9b5cfc0c56d118217e023d39d733def1c669b57887b43fb280f521c6405704d1e7906e218fa9878c60ce4a
SSDEEP: 49152:SnAQRQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEcaEaue:+Dlz1aRxcSUDk36SAEdhvxWa9P59
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3156) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    4520  mssecsvc.exe
    888   mssecsvc.exe
    4556  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 1684 wrote to memory of 2172  1684  rundll32.exe  rundll32.exe
    PID 1684 wrote to memory of 2172  1684  rundll32.exe  rundll32.exe
    PID 1684 wrote to memory of 2172  1684  rundll32.exe  rundll32.exe
    PID 2172 wrote to memory of 4520  2172  rundll32.exe  mssecsvc.exe
    PID 2172 wrote to memory of 4520  2172  rundll32.exe  mssecsvc.exe
    PID 2172 wrote to memory of 4520  2172  rundll32.exe  mssecsvc.exe
Processes (indentation shows parent/child depth in the process tree)
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8db79e0dc01626d2ba669f64d7e73b49_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1684
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8db79e0dc01626d2ba669f64d7e73b49_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2172
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 4520
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 4556
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 888
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 8bd0b0daea88bcf8a68a512c7a0a642c
  SHA1: 9f33fe747bd62c68739288dbc0378cf3d8be6067
  SHA256: 2be95c380b539b787764dc241b028797537141685d575104797e7189dec477b2
  SHA512: aafa0e4a178a2c3b4e01ee0741d5eabf924ac35b955607f14aa4be6302dffad90ed323603e1185fc680bc7164fb9fba2056c202e7b1dc70ba70009c71490145e
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 14da574fce98bed3d179fb6fbd5a483f
  SHA1: 3e7d4fd3fe341b1234755a1ab8d6c403d5d680ec
  SHA256: fcd5a901a255db037b6558e987f42b492d7a5787968812b321828e6be79f01b2
  SHA512: f924056a7885ee3048287a467dea88aa7d986373c6ea15003d65748fda73330c8880e83081a520b4e33a4555972d1c48a150666177bf750d62ce530f49bc0eb7