Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 02:23
Static task: static1
Behavioral task: behavioral1
  Sample: 903e95f34e0f022737eb9d04651aaa4a_JaffaCakes118.dll
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 903e95f34e0f022737eb9d04651aaa4a_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 903e95f34e0f022737eb9d04651aaa4a_JaffaCakes118.dll
Size: 5.0MB
MD5: 903e95f34e0f022737eb9d04651aaa4a
SHA1: 26d5a4529616fc29ffdd0e627481e787d3632afa
SHA256: 67569caf493d1e49e6f3fbaf46668b2940b025331ed00d0b689d409b56f2ac98
SHA512: 534282df7ea6d2af273186e7c445cd6e9ea53b7505b5f99c0455655b02c93de285219be9751a950d13009262470925bd363fc9b2f074b085be0893c7f0fed8f8
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5I2H:+DqPe1Cxcxk3ZAEUadRH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3286) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    3452  mssecsvc.exe
    736   mssecsvc.exe
    2132  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                      Process
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    Description      IoC                                                                                                   Process
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description                        PID   Process       Target process
    PID 1588 wrote to memory of 1976   1588  rundll32.exe  rundll32.exe
    PID 1588 wrote to memory of 1976   1588  rundll32.exe  rundll32.exe
    PID 1588 wrote to memory of 1976   1588  rundll32.exe  rundll32.exe
    PID 1976 wrote to memory of 3452   1976  rundll32.exe  mssecsvc.exe
    PID 1976 wrote to memory of 3452   1976  rundll32.exe  mssecsvc.exe
    PID 1976 wrote to memory of 3452   1976  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\903e95f34e0f022737eb9d04651aaa4a_JaffaCakes118.dll,#1
  PID: 1588
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\903e95f34e0f022737eb9d04651aaa4a_JaffaCakes118.dll,#1
    PID: 1976
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3452
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2132
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 736
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 62c9751dad73d0fbd7734a9089931bb0
  SHA1: 1596e8a0a7aa1a5df5189710e10e5438ea543bb6
  SHA256: 4445e6641c8c492cdb9d1163e74c53239bf924cecf6de75942f1e36398d359d7
  SHA512: 0d8d66e47603c8c21a726379d4da2d04ea829a0b9a3fc1409f82d2dd3ce3f62142466c7536095b467c8f817b70da3c7c8720c46a138009cf5503e4a7211a2a3e
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 345fff8cd452f7c9d1b2e18b3b44b802
  SHA1: 4a19d578b8aeeb6701c522960f66a988d35813b7
  SHA256: db6fde5bd5763ecefa75f537f20769dfc8d6c509dc984914b78710d6318e084c
  SHA512: 56fd989ac05304b809c573fad1ad79ce091f864e2560ffcfd2656e534c17b214082d6aeb5a25a408e7066ad724e96ee5a526eee79b391aa3a8b83c72ea605d52