Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-06-2024 02:48
Static task: static1
Behavioral task: behavioral1
- Sample: 936e496b96305a8133e70ef2aead7046_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 936e496b96305a8133e70ef2aead7046_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 936e496b96305a8133e70ef2aead7046_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 936e496b96305a8133e70ef2aead7046
- SHA1: 70697b299613aaeb917954e0143459dc6c6c007f
- SHA256: 23d125a5154e77a2aa89407f14d6fce217bbf224144b7f8fcffff19bfac15668
- SHA512: e868e7126213dd8da13f7fdc71b0849c5df0c5b328a8af63f66e45d2860f1ada5d2e7f9e357a1db2ae0207e2bf9627fdc04ab28034309c813a5a73641e6bdd7e
- SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEc:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3278) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  3856 mssecsvc.exe
  4456 mssecsvc.exe
  2384 tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  File created C:\WINDOWS\mssecsvc.exe rundll32.exe
  File created C:\WINDOWS\tasksche.exe mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 4144 wrote to memory of 5004 4144 rundll32.exe rundll32.exe
  PID 4144 wrote to memory of 5004 4144 rundll32.exe rundll32.exe
  PID 4144 wrote to memory of 5004 4144 rundll32.exe rundll32.exe
  PID 5004 wrote to memory of 3856 5004 rundll32.exe mssecsvc.exe
  PID 5004 wrote to memory of 3856 5004 rundll32.exe mssecsvc.exe
  PID 5004 wrote to memory of 3856 5004 rundll32.exe mssecsvc.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\936e496b96305a8133e70ef2aead7046_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  PID: 4144
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\936e496b96305a8133e70ef2aead7046_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    PID: 5004
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      PID: 3856
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
        PID: 2384
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
  PID: 4456
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: da628998882e9c3de52f7dc9e932bfcc
  SHA1: 11fbea70fa2ceb2787a8fd5d0909cddd5ad32061
  SHA256: 81805a928e0b2b79b8d436fd234e1322a164dc6bec4edd9092f74958dc82d780
  SHA512: d22b7eddee2c5b1cbb47efd3566db4a22fe66a894f2b2b74f9ab372cf38b41694ff238a6ef0495380c31b99e65ffa0c2813b241ee643d24ee3b5d807d189b219
- Filesize: 3.4MB
  MD5: 0ca614fe3ca4604907cfba73c3b40815
  SHA1: 104e039f30626d60f160d1eaf32733c856cb26cd
  SHA256: 9ca0d86ed9f2c9a85d6dd1316d3f5b25d9fe2b2560340d9295900655e05d6a69
  SHA512: c7c8d541080c667f671d5d5688e71468379bcc5989b075e4c9670f7c6a34f388e755bc7c360486b36a54614fa933cd23615b30d0fe341499437e215630f2ddd2