Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-06-2024 22:58
Static task: static1
Behavioral task: behavioral1
- Sample: 9c38a8a1a32a471f7f969cc3eeb43a02_JaffaCakes118.dll
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 9c38a8a1a32a471f7f969cc3eeb43a02_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 9c38a8a1a32a471f7f969cc3eeb43a02_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 9c38a8a1a32a471f7f969cc3eeb43a02
- SHA1: 75e831729706ed7f50d68337bf71efc4d7e347ae
- SHA256: d77d6cdef6e906971ec74c6fe200bb954581fba04c08247381557c3ebae22cc8
- SHA512: 5da32a15c98562b413b0c62e887c21a49943680f984c2aaa9c5d4003ef867c5fa179cb490a00196d756ad3afa5bbf7ced76a2272026fa3e45d43ee7a76adddb9
- SSDEEP: 98304:+DqPoB5z1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPO1Cxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2690) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
    4008 | mssecsvc.exe
    596  | mssecsvc.exe
    2168 | tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description | ioc | process):
    Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
    PID 1948 wrote to memory of 1920 | 1948 | rundll32.exe | rundll32.exe
    PID 1948 wrote to memory of 1920 | 1948 | rundll32.exe | rundll32.exe
    PID 1948 wrote to memory of 1920 | 1948 | rundll32.exe | rundll32.exe
    PID 1920 wrote to memory of 4008 | 1920 | rundll32.exe | mssecsvc.exe
    PID 1920 wrote to memory of 4008 | 1920 | rundll32.exe | mssecsvc.exe
    PID 1920 wrote to memory of 4008 | 1920 | rundll32.exe | mssecsvc.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c38a8a1a32a471f7f969cc3eeb43a02_JaffaCakes118.dll,#1
  PID: 1948
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c38a8a1a32a471f7f969cc3eeb43a02_JaffaCakes118.dll,#1
    PID: 1920
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4008
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2168
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 596
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file 1
  Filesize: 3.6MB
  MD5: 7389bafd564190dd7549d1c30616d516
  SHA1: 28f35901cfa0f42a9adf77b186ce750a18d85736
  SHA256: d77ea687e621048e148e573d68d8f0f90b81c72d1da49e344b27edde64ba53d3
  SHA512: e9cef730d4963bc8fbb9bafc6f66bfd2f1dbf6425caae224f9d7ddb06bd778cb75f126b9c4d564189fd062f804c3813a45c6c56fc16f6379f6138fd42bb9ac79
- Dropped file 2
  Filesize: 3.4MB
  MD5: f11f68e66d13ad8212897cc32adb0dce
  SHA1: 84d26b5f83eb688b66d8a6dbad17f76750aa0822
  SHA256: a7e92b68e90b891c9d41a00e827c2a965b4807717025be913d026e5dd3007699
  SHA512: 996680d032f0cf9032d9a73aabd93f5cfc5c76eb25a4d9e9b507975813fd75ecd5e427ec0e4a10633895ea4c190c871392d07de948de6322e0b46bc63650cba3