Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-06-2024 10:55
Static task
static1
Behavioral task
behavioral1
Sample
97eec0b6b94729d8cb65a97c6d7695e0_JaffaCakes118.dll
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
97eec0b6b94729d8cb65a97c6d7695e0_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
- Target: 97eec0b6b94729d8cb65a97c6d7695e0_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 97eec0b6b94729d8cb65a97c6d7695e0
- SHA1: 679351d838b41f2bc63e79a5ee55850fbdc4463a
- SHA256: 84bed894ab816f83ce0bbb01cfffd3b2230a04bb6f8497a107f92983200aefdd
- SHA512: 63d038d0ab17efc0265d454bfcd2f787dad7b2aa9439ac8bf17f3e9c63692fe4ca5253ee0e27a6a0b61bff0df309a5c9c4b6ba32a164a674153711441563f2cc
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8:+DqPe1Cxcxk3ZAEUadzR8
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3180) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  PID  | process
  872  | mssecsvc.exe
  1820 | mssecsvc.exe
  3988 | tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
  description  | IoC                     | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
  description     | IoC                                                                                                       | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    | mssecsvc.exe
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                     | PID  | process      | target process
  PID 32 wrote to memory of 4508  | 32   | rundll32.exe | rundll32.exe
  PID 32 wrote to memory of 4508  | 32   | rundll32.exe | rundll32.exe
  PID 32 wrote to memory of 4508  | 32   | rundll32.exe | rundll32.exe
  PID 4508 wrote to memory of 872 | 4508 | rundll32.exe | mssecsvc.exe
  PID 4508 wrote to memory of 872 | 4508 | rundll32.exe | mssecsvc.exe
  PID 4508 wrote to memory of 872 | 4508 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 32)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\97eec0b6b94729d8cb65a97c6d7695e0_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4508)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\97eec0b6b94729d8cb65a97c6d7695e0_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 872)
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 3988)
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1820)
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
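The signature hits and the process tree above, replayed as detection logic over a Sysmon-style event stream. This is an added example, not the sandbox's signature engine and not anything captured from the sample: the events are constructed to mirror the report (same PIDs, images, dropped paths and ZoneMap values), the 3180-host scan is modelled with 250 constructed destinations, port 445 and the 100-host threshold are assumptions, and the second mssecsvc.exe instance is recorded with no parent because the report shows it as a separate root.

```python
"""Replay four of the sandbox signatures above over Sysmon-style events.

Added example, not the sandbox's own code. EVENTS is constructed to mirror
the report: field names follow Sysmon (Image, ParentProcessId, TargetFilename,
TargetObject) but no record here was captured from the sample.
"""
from collections import defaultdict

DLL = r"C:\Users\Admin\AppData\Local\Temp\97eec0b6b94729d8cb65a97c6d7695e0_JaffaCakes118.dll"
ZONEMAP = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"


def proc(pid, ppid, image, cmd):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmd": cmd}


def file_create(pid, target):
    return {"type": "file", "pid": pid, "target": target}


def reg(pid, target, value=None):
    # value=None models a "Key created" event; an int models "Set value (int)".
    return {"type": "registry", "pid": pid, "target": target, "value": value}


def constructed_scan(pid, n):
    """n connection attempts to distinct hosts. Constructed: the report gives
    only a host count (3180); the 10.0.0.0/16 addresses and port 445 are assumed."""
    return [{"type": "network", "pid": pid, "dst": f"10.0.{i // 256}.{i % 256}", "port": 445}
            for i in range(1, n + 1)]


EVENTS = [
    proc(32, 0, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    proc(4508, 32, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    file_create(4508, r"C:\WINDOWS\mssecsvc.exe"),
    proc(872, 4508, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    file_create(872, r"C:\WINDOWS\tasksche.exe"),
    proc(3988, 872, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    # Second mssecsvc.exe instance; the report shows no parent for it, so ppid 0 (unknown).
    proc(1820, 0, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    reg(1820, ZONEMAP + r"\AutoDetect", 0),
    reg(1820, ZONEMAP + "\\"),
    reg(1820, ZONEMAP + r"\ProxyBypass", 1),
    reg(1820, ZONEMAP + r"\IntranetName", 1),
    reg(1820, ZONEMAP + r"\UNCAsIntranet", 1),
    *constructed_scan(1820, 250),
]


def executes_dropped_exe(events):
    """Process starts whose image was written earlier in the same trace."""
    dropped, hits = set(), []
    for ev in events:
        if ev["type"] == "file":
            dropped.add(ev["target"].lower())
        elif ev["type"] == "process" and ev["image"].lower() in dropped:
            hits.append((ev["pid"], ev["image"]))
    return hits


def drops_file_in_windows_dir(events):
    """File creations placed directly in the Windows directory (no subfolder).
    Deliberately tighter than a prefix match so routine System32 writes stay quiet."""
    prefix, hits = "c:\\windows\\", []
    for ev in events:
        if ev["type"] != "file":
            continue
        target = ev["target"].lower()
        if target.startswith(prefix) and "\\" not in target[len(prefix):]:
            hits.append((ev["pid"], ev["target"]))
    return hits


def modifies_hkey_users(events):
    """Registry writes under HKEY_USERS, which kernel paths spell \\REGISTRY\\USER."""
    return [(ev["pid"], ev["target"], ev["value"]) for ev in events
            if ev["type"] == "registry" and ev["target"].lower().startswith("\\registry\\user\\")]


def contacts_many_hosts(events, threshold=100):
    """Distinct destination hosts per process; a high count suggests a scan.
    The threshold is an assumption for this example."""
    hosts = defaultdict(set)
    for ev in events:
        if ev["type"] == "network":
            hosts[ev["pid"]].add(ev["dst"])
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= threshold}


def ancestry(events, pid):
    """Image chain from the earliest known ancestor down to pid."""
    procs = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    chain = []
    while pid in procs:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    print("Executes dropped EXE:", executes_dropped_exe(EVENTS))
    print("Drops file in Windows directory:", drops_file_in_windows_dir(EVENTS))
    print("Modifies data under HKEY_USERS:", len(modifies_hkey_users(EVENTS)), "IoCs")
    print("Contacts a large number of remote hosts:", contacts_many_hosts(EVENTS))
    print("Chain to tasksche.exe:", " -> ".join(ancestry(EVENTS, 3988)))
```

Run as a script it reproduces the report's counts (3 dropped executables run, 2 files in C:\WINDOWS, 5 HKEY_USERS writes, one scanning PID) and prints the rundll32 -> rundll32 -> mssecsvc.exe -> tasksche.exe chain; the same functions apply unchanged to real Sysmon events once they are mapped onto the four record shapes used here.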
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 500d2e5371e322be1ec8106b4d435861
  SHA1: 529179ee4740102ee65614354ee423369f3db3b4
  SHA256: 80dc07d14a6009a4dad3d7c67b8a7499cefb76d92d86e032ffb87a527a04ee15
  SHA512: 7c1bf301c7b77826c7e4019e8202dfc7f884fc994aed56454ee59d5b13fb9856bfa3d7b015b0b3b85c3720748707e4d7f39afd73a5f8bac5cb6f15af45cdbf8f
- Filesize: 3.4MB
  MD5: d07ee41c415b6276663965c6a77ca108
  SHA1: 9e369824f823842945caa16b00c3dcde4c22f0c9
  SHA256: 685a294c96facc796a53fdad6a9e7e3d57938db89d0d138370876323ec84ef0e
  SHA512: edbbf279734c0ce7fe840f069979f2bae1e8b4cdfb7e60369f5bfb24406b223474e01b0cecb6022903d3928a6a8f4d3333161ae4632f4f8e546cb6db7d4976db