Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-06-2024 05:52
Static task: static1
Behavioral task: behavioral1
- Sample: 9a1940abeaadc51b10733e826a450261_JaffaCakes118.dll
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 9a1940abeaadc51b10733e826a450261_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 9a1940abeaadc51b10733e826a450261_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 9a1940abeaadc51b10733e826a450261
- SHA1: 44d0ae6e823f5ab51f5bb95a5850d6451d91db92
- SHA256: 5747125368fb92ebcda6a8f101cfcacb44927fd91276e75a9e51124a7200a79a
- SHA512: c1a8c649e87e131d4b2dc3e7e17ac7487eba884476133059f0aa1759989572c577c7043aed10fa924f9828797bcf3671d045d99c62826ce320f42a0df56bdf81
- SSDEEP: 98304:+DqPoBhz1aRw6SAEdhvxWa9P593R8yAVp2H:+DqPe1CwZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3372) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  640   mssecsvc.exe
  2428  mssecsvc.exe
  516   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  description      ioc                                                                                                    process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                        pid   process       target process
  PID 3924 wrote to memory of 4360   3924  rundll32.exe  rundll32.exe
  PID 3924 wrote to memory of 4360   3924  rundll32.exe  rundll32.exe
  PID 3924 wrote to memory of 4360   3924  rundll32.exe  rundll32.exe
  PID 4360 wrote to memory of 640    4360  rundll32.exe  mssecsvc.exe
  PID 4360 wrote to memory of 640    4360  rundll32.exe  mssecsvc.exe
  PID 4360 wrote to memory of 640    4360  rundll32.exe  mssecsvc.exe
Processes (indented entries are child processes of the entry above)
- Path: C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a1940abeaadc51b10733e826a450261_JaffaCakes118.dll,#1
  PID: 3924
  Signatures: Suspicious use of WriteProcessMemory
  - Path: C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9a1940abeaadc51b10733e826a450261_JaffaCakes118.dll,#1
    PID: 4360
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - Path: C:\WINDOWS\mssecsvc.exe
      Command: C:\WINDOWS\mssecsvc.exe
      PID: 640
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - Path: C:\WINDOWS\tasksche.exe
        Command: C:\WINDOWS\tasksche.exe /i
        PID: 516
        Signatures: Executes dropped EXE
- Path: C:\WINDOWS\mssecsvc.exe
  Command: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2428
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 1d9bafa39a6d33f165fbff549e4f8e27
  SHA1: b5d0f58ec2f462c076de412e24ddda5daa9e2dc1
  SHA256: 55d78c601fd821984cfc38f33f4f90e99f6f9959eee4e3a3b1bf63b096c92c05
  SHA512: 338d1537b26ef90d37ace7ab2340cf91625e0d06cd4a462be4383b7166e2bb9b81609e468b7d77903d4f672af821925ae03ce9f8c57cda8b4416d622f47145a0
- Filesize: 3.4MB
  MD5: d0553fb42e06aa684d628286939376aa
  SHA1: 2f1a16b7e699ab69aae04a3eb95688a0cdbeed80
  SHA256: 66e1c9d094b2e880596226ee80f3f05131fc464929e256afdf707ef24cd42695
  SHA512: f45ca7a0adac8aa1bcd7eef48d543047e391392cb2c2c5566fcdcd0816e8ce268190ffbe9dc1250b6713a888ec3c5310541bfb85d57b048b1ab166ad18d878ba