Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-06-2024 10:18

Static task: static1
Behavioral task: behavioral1
  Sample: 9476d1e5e154653db14527d81b3a174c_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 9476d1e5e154653db14527d81b3a174c_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 9476d1e5e154653db14527d81b3a174c_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 9476d1e5e154653db14527d81b3a174c
- SHA1: 1e985a82ebb778859b778024a717bf986ac183ff
- SHA256: 63e143b51ac8e3c8fbea70721277c23591efa2f4a235da9fbcc6ef6ae4842831
- SHA512: 42b6d87dd3488095248532aa0ac94ca80b4f70f57b5305a9052da99cce6b0d76c1bb573b2134e0550fe93c9fd2a8f31472d06651654e9a145e812ab7521d0544
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRuEau3R8yAH1plAH:+DqPoBhz1aRL3R8yAVp2H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3251) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  PID   Process
  3776  mssecsvc.exe
  3956  mssecsvc.exe
  208   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
  Description   IoC                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
  Description      IoC                                                                                                             Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  Description                       PID   Process       Target process
  PID 1876 wrote to memory of 4016  1876  rundll32.exe  rundll32.exe
  PID 1876 wrote to memory of 4016  1876  rundll32.exe  rundll32.exe
  PID 1876 wrote to memory of 4016  1876  rundll32.exe  rundll32.exe
  PID 4016 wrote to memory of 3776  4016  rundll32.exe  mssecsvc.exe
  PID 4016 wrote to memory of 3776  4016  rundll32.exe  mssecsvc.exe
  PID 4016 wrote to memory of 3776  4016  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9476d1e5e154653db14527d81b3a174c_JaffaCakes118.dll,#1
  PID: 1876
  Signatures: Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9476d1e5e154653db14527d81b3a174c_JaffaCakes118.dll,#1
    PID: 4016
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    Child process:
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3776
      Signatures: Executes dropped EXE; Drops file in Windows directory
      Child process:
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 208
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3956
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: b2e0aa14a73ab71dcf04a77f35689c38
  SHA1: 88146bc3aa85cf243ce3d423a3885fbc3cd0a08e
  SHA256: d9a1bd16dc684d82a44c9e9527fcb5e284618fca91b260a70059bc9a3ec382fb
  SHA512: 72980f45714174d070383e930848ebc1c6f1c5ab9b17e98cb207573b96002d78047e2a041ef2ae702d3feff59b5cedc0f8624b41fbf22158d6659c7142c17708
- Filesize: 3.4MB
  MD5: df94a40a6a8b12834abbd2de6e67387c
  SHA1: c97eb8d95fdd8aa93969f06c3c62b0ddcd248e83
  SHA256: fe027f20645c585d8224213af9d4e74da76448ce821552ae337f213e6878ea93
  SHA512: 522f2df1ea07417c193d0f05f086b01489985e46c58d9cf4449a4dbdb3aa0516dcd7773e613fcbe5382d41f7dd54d7b03cbc7ad40ff893c0d594b7a621dc5291