Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
04-06-2024 16:14
Static task
static1
Behavioral task
behavioral1
Sample
957c02405029f88cf233b2b75c476d00_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
957c02405029f88cf233b2b75c476d00_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
957c02405029f88cf233b2b75c476d00_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
957c02405029f88cf233b2b75c476d00
-
SHA1
793a4225e49d00815e3112f4d86a8650e5c5af55
-
SHA256
834c8f099daf9f1c6ea4616b177f915d135e67f3cabca02a468da9194ca0b746
-
SHA512
8d2cf6249e5823cbbd2f9565216088d2b18ae99a3170edd2aeac34c8953314ab497538dbe9b833e43f27e718de79a42c434d7e0fe8d9529e2eec0a74f25c2d74
-
SSDEEP
98304:+DqPoBhz1aRxcSUZ6SAEdhvxWa9PZAVp2H:+DqPe1CxcLZAEUadZc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3182) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
PID   Process
1556  mssecsvc.exe
5096  mssecsvc.exe
4424  tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
Description   IoC                       Process
File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
Description      IoC                                                                                                         Process
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
Description                    PID   Process       Target process
PID 1192 wrote to memory of 2168  1192  rundll32.exe  rundll32.exe
PID 1192 wrote to memory of 2168  1192  rundll32.exe  rundll32.exe
PID 1192 wrote to memory of 2168  1192  rundll32.exe  rundll32.exe
PID 2168 wrote to memory of 1556  2168  rundll32.exe  mssecsvc.exe
PID 2168 wrote to memory of 1556  2168  rundll32.exe  mssecsvc.exe
PID 2168 wrote to memory of 1556  2168  rundll32.exe  mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exe
Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\957c02405029f88cf233b2b75c476d00_JaffaCakes118.dll,#1
- Suspicious use of WriteProcessMemory
PID: 1192
  C:\Windows\SysWOW64\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\957c02405029f88cf233b2b75c476d00_JaffaCakes118.dll,#1
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 2168
    C:\WINDOWS\mssecsvc.exe
    Command line: C:\WINDOWS\mssecsvc.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    PID: 1556
      C:\WINDOWS\tasksche.exe
      Command line: C:\WINDOWS\tasksche.exe /i
      - Executes dropped EXE
      PID: 4424
-
C:\WINDOWS\mssecsvc.exe
Command line: C:\WINDOWS\mssecsvc.exe -m security
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID: 5096
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.6MB
MD5 165905c8e8d56d14e49afc0f1cc9bd0d
SHA1 5b76947c05c1f988864f7c3e070327dc43d5b39e
SHA256 6a5996178e031e6438db8ada72cbb9efff935475797b066d20748b68ae2ed21e
SHA512 81ad358e8c960d61d0618398b437b85fb749f8748f877c0e7e52b13895a5c6df57977a412881eafd0eb66768a140767fd28715a6dcb119b2646f4f74f3e56b2d
-
Filesize
3.4MB
MD5 b43e84f45ae7285ae58e46b085d23535
SHA1 e0533fcbb999911370460a0c225aad530972c464
SHA256 9bb4650d1333bf8eb3330ad44b2f19ef1a3ec73508c5cb9e7ebf80f7c0be26a0
SHA512 684edaafe0b21d71f97973e9628dc2443628e97a0bd5e80645fce555c3b32cad8c9fb1ce8f56ac39d1f08d66fb6c198f9e814eb9b2504554449f1d05b844e036