Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 06:22
Static task: static1
Behavioral task: behavioral1
  Sample: 93da20793dcecca1f9cbccd3b3de8ba1_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 93da20793dcecca1f9cbccd3b3de8ba1_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 93da20793dcecca1f9cbccd3b3de8ba1_JaffaCakes118.dll
Size: 5.0MB
MD5: 93da20793dcecca1f9cbccd3b3de8ba1
SHA1: 606b2f5cfd4296762de9b767342df97412fb7cf4
SHA256: 6f73d23dc235b9255b394a96f5d01e4d0040b72b1b727d459885a1d92e6b5235
SHA512: 87a729c025efdf011464256068ad253b6cfecf8d75e94512cf29d4bfb95b8f6068cf64fe48aced6ac01bf08a734f9765789470d5e57207354dcd85a6a5e8bd55
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:+DqPoBhz1aRxcSUDk36SAEdhv
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.

Contacts a large (3190) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  4572  mssecsvc.exe
  3812  mssecsvc.exe
  1412  tasksche.exe

Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description   ioc                        process
  File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
  File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  description      ioc                                                                                                          process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                       pid   process       target process
  PID 2776 wrote to memory of 4632  2776  rundll32.exe  rundll32.exe
  PID 2776 wrote to memory of 4632  2776  rundll32.exe  rundll32.exe
  PID 2776 wrote to memory of 4632  2776  rundll32.exe  rundll32.exe
  PID 4632 wrote to memory of 4572  4632  rundll32.exe  mssecsvc.exe
  PID 4632 wrote to memory of 4572  4632  rundll32.exe  mssecsvc.exe
  PID 4632 wrote to memory of 4572  4632  rundll32.exe  mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\93da20793dcecca1f9cbccd3b3de8ba1_JaffaCakes118.dll,#1
  PID: 2776
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\93da20793dcecca1f9cbccd3b3de8ba1_JaffaCakes118.dll,#1
    PID: 4632
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4572
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1412
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3812
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.6MB
  MD5: 146997f5831cf6362171888ce06e795f
  SHA1: 013161b55f6825a53424b56baba5503da124ec9c
  SHA256: 4ba2c444ec2dc1e7c67be46d6bf1d7eb83a826e4524709d22f6551ea83f4b951
  SHA512: 45064461a8ff356a4d8cf4591e56d263e1cae0198a1268dd71418ebf653814b36572f9440c62a3a64b124a64b12794b71a0d414f9174f5a530c2cd457b5ea648

Filesize: 3.4MB
  MD5: 3c3f38487305188cc58893126b7492ba
  SHA1: fc9ac88842e4dde20e1134279773ee8885f0c185
  SHA256: 95e451949bfe0fec72d454467e3c136cb4cf44de759cb7537ade03736447b219
  SHA512: 274b654c15faf63bcfd368ad4f26c7812c8f7a0b42de492f6ee23c4f996292367dec6496c87d408d5f753d96d18f9e6f3af3f2cc0163c9636a7ca259aa2d8e3b