Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 16:42
Static task: static1
Behavioral task: behavioral1
  Sample: 927bad2fc8fd2801ca6603b230a86281_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 927bad2fc8fd2801ca6603b230a86281_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 927bad2fc8fd2801ca6603b230a86281_JaffaCakes118.dll
Size: 5.0MB
MD5: 927bad2fc8fd2801ca6603b230a86281
SHA1: cacfee040cd0155d3fdf5bac151c567a267f82cd
SHA256: 711f13e735fe74a3c8521f02451ce86a716961bbe21dbf78dba14acb31d6741c
SHA512: 4db14f8a0c740e98edc51457185fbe356319b4fcf25983bd91f4a3e341b0a0d74f4f76489e0fae1efe53db402fa8ee9d382e1e2000c4e73ba780b6b388b61830
SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAExWa9P5MyAVp2H:TDqPe1Cxcxk3ZAHadmyc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3284) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services. For WannaCry this is the worm component sweeping other hosts for SMB (TCP 445), first on the local subnet and then on random internet ranges.
- Executes dropped EXE (3 IoCs)
  PID   Process
  1156  mssecsvc.exe
  4932  mssecsvc.exe
  3028  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services. Read together with the host count above: a single process opening thousands of short connections, most of them to one port, is the scan pattern to alert on.
- Drops file in Windows directory (2 IoCs)
  Description   IoC                      Process
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  Both files are written to the root of C:\WINDOWS rather than to System32 or SysWOW64; a Windows installation does not drop new executables there during normal operation, which makes the location itself a usable indicator.
- Modifies data under HKEY_USERS (5 IoCs)
  Description      IoC                                                                                                          Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
  The .DEFAULT hive is the profile of the LocalSystem account, so these writes show that mssecsvc.exe (PID 4932) is running as SYSTEM, not as the sandbox user. The ZoneMap values are the Internet Settings security-zone defaults that WinINet populates the first time it is initialised under a profile that lacks them; they are a side effect of the process using WinINet, not a deliberate persistence change.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Source PID  Source process  Target PID  Target process  Writes
  2420        rundll32.exe    4292        rundll32.exe    3
  4292        rundll32.exe    1156        mssecsvc.exe    3
  Each parent wrote into the memory of a child it had just created. Such writes are part of normal process start-up, so on their own they are weak evidence of injection; here they corroborate the parent/child chain shown under Processes rather than indicate a separate injection technique.
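The two scan signatures above (thousands of remote hosts, a large number of network flows) can be reproduced from host flow telemetry with a per-process fan-out count. The block below is an added example and is not part of the sandbox report or of any vendor tooling: it slides a time window over flow records, counts distinct destination hosts per process, and for any process over a threshold reports the dominant destination port and the private/public split. The flow records are constructed to resemble the mssecsvc.exe worm activity (300 hosts here instead of the 3284 in the report); the browser process, PIDs other than 4932, timestamps and addresses are assumptions.

```python
"""Added example (not part of the report): flag processes whose outbound
connections fan out to many distinct hosts in a short time, the behaviour the
sandbox labels "Contacts a large amount of remote hosts". The flow records
below are constructed, not taken from the report."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    ts: float      # seconds since the start of the capture
    pid: int
    image: str     # image name of the process that opened the connection
    dst_ip: str
    dst_port: int


def max_fanout(flows, window=60.0):
    """Return {(pid, image): largest number of distinct destination hosts
    contacted by that process within any `window`-second interval}."""
    by_proc = defaultdict(list)
    for f in flows:
        by_proc[(f.pid, f.image)].append(f)
    fanout = {}
    for key, fl in by_proc.items():
        fl.sort(key=lambda f: f.ts)
        live = Counter()          # dst_ip -> flows inside the current window
        left = best = 0
        for f in fl:
            live[f.dst_ip] += 1
            while fl[left].ts < f.ts - window:   # slide the window forward
                old = fl[left].dst_ip
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            best = max(best, len(live))
        fanout[key] = best
    return fanout


def scan_alerts(flows, window=60.0, threshold=100):
    """Processes exceeding `threshold` distinct hosts per window, with the
    dominant destination port (service discovery hits one port) and the
    private/public split (a worm sweeps the LAN and random internet ranges)."""
    alerts = []
    for (pid, image), hosts in max_fanout(flows, window).items():
        if hosts < threshold:
            continue
        own = [f for f in flows if f.pid == pid and f.image == image]
        port, port_hits = Counter(f.dst_port for f in own).most_common(1)[0]
        private = sum(ipaddress.ip_address(f.dst_ip).is_private for f in own)
        alerts.append({
            "pid": pid, "image": image, "hosts": hosts, "top_port": port,
            "port_share": port_hits / len(own),
            "private": private, "public": len(own) - private,
        })
    return alerts


# Constructed sample: one worm-like process and one ordinary browser session.
SAMPLE_FLOWS = []
for i in range(256):                               # sweep of the local /24
    SAMPLE_FLOWS.append(Flow(i * 0.1, 4932, "mssecsvc.exe", f"10.0.0.{i}", 445))
for i in range(44):                                # then assorted public hosts
    ip = f"{37 + i}.{(i * 7) % 256}.{(i * 13) % 256}.{(i * 17) % 255 + 1}"
    SAMPLE_FLOWS.append(Flow(25.6 + i * 0.1, 4932, "mssecsvc.exe", ip, 445))
SAMPLE_FLOWS += [                                  # benign: few hosts, tcp/443
    Flow(1.0, 2100, "msedge.exe", "142.250.74.36", 443),
    Flow(1.5, 2100, "msedge.exe", "142.250.74.36", 443),
    Flow(2.0, 2100, "msedge.exe", "13.107.42.14", 443),
]

if __name__ == "__main__":
    for a in scan_alerts(SAMPLE_FLOWS):
        print(f"{a['image']} pid {a['pid']}: {a['hosts']} hosts in 60s, "
              f"{a['port_share']:.0%} to tcp/{a['top_port']}, "
              f"{a['private']} private / {a['public']} public")
```

The threshold and window are tuning knobs: 100 distinct hosts in 60 seconds is far above what a user-facing process does, but vulnerability scanners and monitoring agents will trip it and need an allow-list by image path. The port-share figure separates a service sweep (one port, as here) from a process that merely talks to many CDN nodes.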
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\927bad2fc8fd2801ca6603b230a86281_JaffaCakes118.dll,#1
  PID: 2420
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\927bad2fc8fd2801ca6603b230a86281_JaffaCakes118.dll,#1
    PID: 4292
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1156
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 3028
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4932
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

Reading the tree: ",#1" tells rundll32 to call the DLL's export at ordinal 1, which is how the sandbox invokes a DLL sample. The 64-bit rundll32 in system32 relaunches the 32-bit copy in SysWOW64 because the DLL is 32-bit, which is why two rundll32 processes appear with the same command line. The SysWOW64 instance drops mssecsvc.exe (the worm component) into C:\WINDOWS and runs it; that instance drops and runs tasksche.exe /i (the ransomware component). The second mssecsvc.exe (PID 4932, "-m security") has no parent in the tree: it is not started by the dropper chain, which is consistent with WannaCry's known behaviour of registering mssecsvc.exe as a service that the service control manager then starts as SYSTEM.
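The chain above (rundll32 loading a DLL from the user's temp directory by ordinal, a new executable run from the root of C:\Windows, and the mssecsvc.exe / tasksche.exe command lines) is easy to express as rules over process-creation telemetry. The block below is an added example, not part of the sandbox report or of any product: it rebuilds the process tree from Sysmon-style process-creation records, walks ancestry for context, and emits one finding per matching trait. The events are constructed to mirror the report's tree; the PIDs 2420, 4292, 1156, 3028 and 4932 come from the report, while the explorer.exe and services.exe parents, their PIDs, and the benign rundll32 control-panel launch are assumptions.

```python
"""Added example (not part of the report): reconstruct a process tree from
process-creation events and flag the WannaCry launch chain seen in the
sandbox. Events below are constructed to mirror the report's tree."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged
    cmdline: str


# Matchers for the three traits visible in the report's tree.
RUNDLL_ORDINAL = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+\.dll),#\d+", re.I)
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
WINDOWS_ROOT = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)  # C:\Windows\x.exe only


def ancestry(events, pid):
    """Walk parent links back to the root: 'tasksche.exe <- mssecsvc.exe <- ...'."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:      # `seen` guards against pid reuse loops
        seen.add(pid)
        chain.append(ntpath.basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " <- ".join(chain)


def findings(events):
    """Return (pid, rule, ancestry) for every event matching a chain trait."""
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        base = ntpath.basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        parent_base = ntpath.basename(parent.image).lower() if parent else ""
        m = RUNDLL_ORDINAL.search(e.cmdline)
        # rundll32 calling an ordinal export of a DLL dropped in %TEMP%
        if base == "rundll32.exe" and m and USER_TEMP.match(m.group("dll")):
            out.append((e.pid, "rundll32 ordinal export of DLL in user temp dir",
                        ancestry(events, e.pid)))
        # a fresh executable in the root of C:\Windows, started by rundll32
        # (explorer.exe legitimately lives there, hence the parent condition)
        if WINDOWS_ROOT.match(e.image) and parent_base == "rundll32.exe":
            out.append((e.pid, "executable in root of C:\\Windows spawned by rundll32",
                        ancestry(events, e.pid)))
        # the two WannaCry command lines from the report
        if base == "mssecsvc.exe" and re.search(r"\s-m\s+security\b", e.cmdline, re.I):
            out.append((e.pid, "WannaCry worm service start (mssecsvc.exe -m security)",
                        ancestry(events, e.pid)))
        if base == "tasksche.exe" and re.search(r"\s/i\b", e.cmdline, re.I):
            out.append((e.pid, "WannaCry ransomware install (tasksche.exe /i)",
                        ancestry(events, e.pid)))
    return out


# Constructed events mirroring the report's tree. Parents of the two roots
# (explorer.exe 3900, services.exe 700) are assumed, as is the benign rundll32 use.
DLL = r"C:\Users\Admin\AppData\Local\Temp\927bad2fc8fd2801ca6603b230a86281_JaffaCakes118.dll"
SAMPLE_EVENTS = [
    ProcEvent(3900, 600, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2420, 3900, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(4292, 2420, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1156, 4292, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(3028, 1156, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcEvent(700, 500, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(4932, 700, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    ProcEvent(5000, 3900, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for pid, rule, chain in findings(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}\n    {chain}")
```

The first two rules are generic and will catch other droppers that use the same rundll32 pattern; the last two are specific to this family and exist mainly so a hit carries a name. The benign control-panel launch by rundll32 produces no finding because it neither uses an ordinal export nor loads from a user-writable directory.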
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: a803185f2b5b6b80f3b900282c0afb83
  SHA1: 0e17fa43d8b26de1fe53211997a6657abf322b52
  SHA256: deeb5c7aae4f9ee8e177e5511d014c73736a75b63c533d4b101e9a3f317928c6
  SHA512: e405609cc407703dc9281964f12cb79cb1f00414bae7e1827de67f713a86234dab2e4984a40326e8de3fdf318741f7e886d44b0e0f111269c67b8306e9935328
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 82464f8af9d7b5a6da8c417989b1ec3b
  SHA1: 9902bdbbe6bf9b02714fe90a67a71d7bc1c0c058
  SHA256: 3bb14ace48b4c220a65b55dccaae9a497e6e4d81669a65aa168d712a8333d69a
  SHA512: a8ef48b20ad211948ca76c9273cd45f5c5af701d7a53bb1ccfe3903b81c6ed2ebc2a89d115ea33b6b9a6ce3d5c143a3c7452f3fe850c071ec6c13399bcdc1c80