Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-06-2024 17:33
Static task: static1

Behavioral task: behavioral1
  Sample: 95b2c12e9afeaed5fbe056e49fc1eaaa_JaffaCakes118.dll
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 95b2c12e9afeaed5fbe056e49fc1eaaa_JaffaCakes118.dll
  Resource: win10v2004-20240426-en

(The results on this page are from the win10v2004-20240426-en run, i.e. behavioral2.)
General

Target: 95b2c12e9afeaed5fbe056e49fc1eaaa_JaffaCakes118.dll
Size: 5.0MB
MD5: 95b2c12e9afeaed5fbe056e49fc1eaaa
SHA1: 223e0d98f84870b2a7d925b62eba5dcc64da6c82
SHA256: 285a80c30114cd0759ce092586eb9d3ac5ebdeb01e2bdc062a74b7c0a9a6c45a
SHA512: 6404dca3869606d3f39a0997040320755094f4a6bc11c5d470cf444e3f3089037a8f89985788a68d39a52fa4aa7c6058b82618fc253604c1b585ffebfc8d00f5
SSDEEP: 98304:+DqPoBhzBRxcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPefxcxk3ZAEUadzR8yc4H
Signatures

- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (2821) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services. For this family it is consistent with the worm component probing other hosts for SMB.

- Executes dropped EXE (3 IoCs)
  Processes:
    PID    Process
    588    mssecsvc.exe
    2292   mssecsvc.exe
    3160   tasksche.exe

- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Drops file in Windows directory (2 IoCs)
  Processes:
    Description    IoC                        Process
    File created   C:\WINDOWS\mssecsvc.exe    rundll32.exe
    File created   C:\WINDOWS\tasksche.exe    mssecsvc.exe
  Both payloads are written directly into the Windows root rather than System32; a legitimately installed service binary is rarely placed there, which makes the path itself a usable detection pivot.

- Modifies data under HKEY_USERS (5 IoCs)
  Processes (all by mssecsvc.exe), under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\:
    Key created      ZoneMap\
    Set value (int)  ZoneMap\ProxyBypass = "1"
    Set value (int)  ZoneMap\IntranetName = "1"
    Set value (int)  ZoneMap\UNCAsIntranet = "1"
    Set value (int)  ZoneMap\AutoDetect = "0"
  Writes to the .DEFAULT hive mean the process is running as LocalSystem (the service instance, PID 2292 below), not in the submitting user's session. The four ZoneMap values are the standard Internet Settings zone-map defaults that WinINet initialises the first time a process uses it under an account, so they show that the service made a WinINet call; they are not a persistence mechanism.

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description      PID    Process        Target process
    wrote to memory  1940   rundll32.exe   rundll32.exe (PID 1628)
    wrote to memory  1940   rundll32.exe   rundll32.exe (PID 1628)
    wrote to memory  1940   rundll32.exe   rundll32.exe (PID 1628)
    wrote to memory  1628   rundll32.exe   mssecsvc.exe (PID 588)
    wrote to memory  1628   rundll32.exe   mssecsvc.exe (PID 588)
    wrote to memory  1628   rundll32.exe   mssecsvc.exe (PID 588)
  The three writes per pair are the parent setting up the child it has just created; they line up with the parent/child edges in the process tree below rather than indicating injection into an unrelated process.
Processes

- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\95b2c12e9afeaed5fbe056e49fc1eaaa_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1940

  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\95b2c12e9afeaed5fbe056e49fc1eaaa_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1628

    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 588

      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 3160

- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 2292

Reading the tree: the sandbox invokes export ordinal 1 (",#1") of the submitted DLL through the 64-bit rundll32.exe; because the DLL is 32-bit (the resource tags list arch:x86) that process re-launches the WOW64 copy from SysWOW64, which is the one that actually loads the DLL and drops C:\WINDOWS\mssecsvc.exe. That dropper in turn writes and starts C:\WINDOWS\tasksche.exe /i. The second mssecsvc.exe instance with "-m security" appears at the root of the tree, with no parent in the rundll32 chain, which is what a process started by the Service Control Manager looks like and matches its writes to the LocalSystem (.DEFAULT) hive.
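The chain above can be turned into a detection. The following is an added example, not code from the sandbox report or its vendor: it reconstructs parent/child relations from process-creation events and flags the three behaviours the report shows (rundll32 spawning mssecsvc.exe from the Windows root, mssecsvc.exe spawning tasksche.exe /i, and mssecsvc.exe started with "-m security"). The event records are constructed from the report's process tree using the PIDs, image paths and command lines it lists; the event schema (pid, ppid, image, cmdline), the convention that ppid 0 means "parent not shown", and the extra benign rundll32 record are assumptions added for the example.

```python
"""Flag the WannaCry dropper chain from process-creation events.

Added example, not part of the sandbox report. Event records below are
constructed from the report's process tree; the schema and ppid=0 ("parent
not shown in the report") are assumptions.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path as logged
    cmdline: str    # command line as logged

    @property
    def name(self) -> str:
        return ntpath.basename(self.image).lower()


SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\95b2c12e9afeaed5fbe056e49fc1eaaa_JaffaCakes118.dll"

# Constructed from the report's process tree (PIDs and command lines as listed).
# The last record is a constructed benign rundll32 launch, included so the rules
# can be shown not to fire on ordinary rundll32 activity.
EVENTS = [
    ProcEvent(1940, 0,    r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(1628, 1940, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(588,  1628, r"C:\WINDOWS\mssecsvc.exe",          r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(3160, 588,  r"C:\WINDOWS\tasksche.exe",          r"C:\WINDOWS\tasksche.exe /i"),
    ProcEvent(2292, 0,    r"C:\WINDOWS\mssecsvc.exe",          r"C:\WINDOWS\mssecsvc.exe -m security"),
    ProcEvent(4100, 1000, r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]


def in_windows_root(path: str) -> bool:
    """True when the image sits directly in the Windows directory, where the
    report shows both payloads being written. Legitimate service binaries
    normally live in System32, not in the Windows root itself."""
    head, _tail = ntpath.split(path)
    return head.lower() == r"c:\windows"


def find_wannacry_chain(events: list[ProcEvent]) -> list[str]:
    """Return one finding per matched behaviour, in event order."""
    by_pid = {e.pid: e for e in events}
    findings: list[str] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # 1. rundll32 (the loader of the submitted DLL) spawning mssecsvc.exe
        #    directly from the Windows root.
        if (parent is not None and parent.name == "rundll32.exe"
                and e.name == "mssecsvc.exe" and in_windows_root(e.image)):
            findings.append(f"rundll32 (pid {parent.pid}) spawned {e.image} (pid {e.pid})")
        # 2. mssecsvc.exe launching tasksche.exe with the /i switch.
        if (parent is not None and parent.name == "mssecsvc.exe"
                and e.name == "tasksche.exe" and "/i" in e.cmdline.lower().split()):
            findings.append(f"mssecsvc.exe (pid {parent.pid}) spawned '{e.cmdline}' (pid {e.pid})")
        # 3. mssecsvc.exe started with "-m security", which the report shows as
        #    a separate root-level process (the service instance).
        if e.name == "mssecsvc.exe" and "-m security" in e.cmdline.lower():
            findings.append(f"mssecsvc.exe service start '{e.cmdline}' (pid {e.pid})")
    return findings


if __name__ == "__main__":
    for finding in find_wannacry_chain(EVENTS):
        print(finding)
```

Rule 1 keys on the drop location rather than on the file name alone, so a renamed dropper written to C:\WINDOWS by rundll32 would still need only the name check relaxed; rule 3 fires without any parent information, which matters because a service started by the SCM has no useful parent in the rundll32 chain. Feeding the same function real Sysmon Event ID 1 or EDR process-creation records only requires mapping their fields onto ProcEvent.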
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3.6MB
  MD5: a2a3e10eb73eff854be52d6647698f70
  SHA1: f1162eb2213ef084bbc0e75a68e4654f2a0efed5
  SHA256: 82d4d7a9a740f3c56c3c71d6d65af9ffe80a7f0839bba5af4d27135a8d3b6609
  SHA512: 63bfaea06170adc82919cc1be74254035b9dc317b3b8890a63a3622b533cbc8835bb3e0147748397da07cec657157f22b0a84ee676b80bad0d18232fbfe157bd

- Filesize: 3.4MB
  MD5: a21d2a470b89d4c1916edd49e615e941
  SHA1: b31f148803f88330c870659a7b9a173aa422baae
  SHA256: 438603dde75732b4f81fc31bac2de414a8060601c34c517c5b99f3f180c989cc
  SHA512: 2a928d33eb8e6d4849234a3c6ba0b7a2f12cdedef39fdc26c98ac532772eaf4f2448571afd345d0780cc5a666b7e77cbb5872defe8b89a00c2fc9650158e719d