Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-06-2024 09:57
Static task: static1
Behavioral task: behavioral1
- Sample: 8dadb8fd05dd1734501fc862a7135faa_JaffaCakes118.dll
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 8dadb8fd05dd1734501fc862a7135faa_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 8dadb8fd05dd1734501fc862a7135faa_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 8dadb8fd05dd1734501fc862a7135faa
- SHA1: f2f6f467f7006025259fddd66b81386309ab0700
- SHA256: 3b133a754fc209550aec858dc4c2cc8024e640793173270e3d01c57b97848f26
- SHA512: 992a9806bfe2d715eb0b58dee589acdd7fa44a1a75ce794ef9c617d87443a6de9a5d3bfefacb7b965cbb15a730e254e261d0ac921c1d99143d105b688643783b
- SSDEEP: 24576:RbLguriIfEcQdIvrYbcMNgef0QeQjG/D8kIqRYoAd:RnpEjbcBVQej/1I
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3369) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  pid  | process
  1088 | mssecsvr.exe
  1844 | mssecsvr.exe
  4308 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (4 IoCs)
  Processes:
  description                  | ioc                                                                                              | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE           | mssecsvr.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies            | mssecsvr.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5    | mssecsvr.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5  | mssecsvr.exe
- Drops file in Windows directory (4 IoCs)
  Processes:
  description  | ioc                                               | process
  File created | C:\WINDOWS\mssecsvr.exe                           | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe                           | mssecsvr.exe
  File created | C:\Windows\__tmp_rar_sfx_access_check_240605671   | tasksche.exe
  File created | C:\Windows\eee.exe                                | tasksche.exe
- Modifies data under HKEY_USERS (15 IoCs)
  Processes:
  description     | ioc                                                                                                               | process
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                        | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"       | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"      | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"     | mssecsvr.exe
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows                                                                | mssecsvr.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix   | mssecsvr.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"        | mssecsvr.exe
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History                     | mssecsvr.exe
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings                                 | mssecsvr.exe
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft                                                                        | mssecsvr.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvr.exe
  Key created     | \REGISTRY\USER\.DEFAULT\Software                                                                                  | mssecsvr.exe
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion                                                  | mssecsvr.exe
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P                             | mssecsvr.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvr.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                      | pid  | process      | target process
  PID 764 wrote to memory of 3620  | 764  | rundll32.exe | rundll32.exe
  PID 764 wrote to memory of 3620  | 764  | rundll32.exe | rundll32.exe
  PID 764 wrote to memory of 3620  | 764  | rundll32.exe | rundll32.exe
  PID 3620 wrote to memory of 1088 | 3620 | rundll32.exe | mssecsvr.exe
  PID 3620 wrote to memory of 1088 | 3620 | rundll32.exe | mssecsvr.exe
  PID 3620 wrote to memory of 1088 | 3620 | rundll32.exe | mssecsvr.exe
  PID 1088 wrote to memory of 4308 | 1088 | mssecsvr.exe | tasksche.exe
  PID 1088 wrote to memory of 4308 | 1088 | mssecsvr.exe | tasksche.exe
  PID 1088 wrote to memory of 4308 | 1088 | mssecsvr.exe | tasksche.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8dadb8fd05dd1734501fc862a7135faa_JaffaCakes118.dll,#1
  PID: 764
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8dadb8fd05dd1734501fc862a7135faa_JaffaCakes118.dll,#1
    PID: 3620
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvr.exe
      Command line: C:\WINDOWS\mssecsvr.exe
      PID: 1088
      - Executes dropped EXE
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4308
        - Executes dropped EXE
        - Drops file in Windows directory
- C:\WINDOWS\mssecsvr.exe
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  PID: 1844
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\WINDOWS\tasksche.exe
  Filesize: 2.0MB
  MD5: 1b2bd4c884938f2f612ad5bcfc6d8dee
  SHA1: 4b1aabcabdc588258e2053c0e94c840bfcbb8547
  SHA256: e68ce76eebc7677875e9241efe5ab3046d1f71e31a0af34204b6ff71e149884c
  SHA512: ba34ac388c277ed99ae3fe482e9fc5be39a1fa7f4048d1556feb31c6841ac211df16daa31a1e6e51d89aae83baf2d90909b806a4aeae45e12d7579a4bfe102e9
- C:\Windows\mssecsvr.exe
  Filesize: 2.2MB
  MD5: 58ff294624a691ed4d9b57e73a88a4cc
  SHA1: 752c79566858a0ca0fb8f5f629aea6ef940647ee
  SHA256: 2ca3eb47b146740b1cce064724a9fc140c53a3165a38a1025e2ebb4049d7673b
  SHA512: 21eab38f93459e22fb7ffa210127cfac417650b8c57181f93268f3b42c2667044f4d42ecbc6ad6651b997057a563f7b008c3bf3598a606b973a6ac44c8caa5c9