Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-06-2024 00:48
Static task: static1
Behavioral task: behavioral1
- Sample: 9c7b42a8055f57c835315d89ad1f3482_JaffaCakes118.dll
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 9c7b42a8055f57c835315d89ad1f3482_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 9c7b42a8055f57c835315d89ad1f3482_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 9c7b42a8055f57c835315d89ad1f3482
- SHA1: 308fe16d1573ee8fa641c2e20023487ca25f9cbf
- SHA256: 8f50c9a8ed4e63f6efe327521dc6c54aa3fa592796583828c7959bbde543adcd
- SHA512: 9fcb35e19bcc42afc51ee728828bbb7735b480ddc5886a0e2151b7bb0d8a0564b451a6bc7f06b9cb35b818df9ea8723e68649e775212150f75a0c47c21d74940
- SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P5F:TDqPe1Cxcxk3ZAEUadn
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2692) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  3480  mssecsvc.exe
  2288  mssecsvc.exe
  1776  tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 1240 wrote to memory of 1712  1240  rundll32.exe  rundll32.exe
  PID 1240 wrote to memory of 1712  1240  rundll32.exe  rundll32.exe
  PID 1240 wrote to memory of 1712  1240  rundll32.exe  rundll32.exe
  PID 1712 wrote to memory of 3480  1712  rundll32.exe  mssecsvc.exe
  PID 1712 wrote to memory of 3480  1712  rundll32.exe  mssecsvc.exe
  PID 1712 wrote to memory of 3480  1712  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c7b42a8055f57c835315d89ad1f3482_JaffaCakes118.dll,#1
  PID: 1240
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c7b42a8055f57c835315d89ad1f3482_JaffaCakes118.dll,#1
    PID: 1712
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3480
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1776
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2288
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 19178968d9f227757a9d3cca17245d8a
  SHA1: 71d681e9158335e0826941cac3201434e4f7c3f9
  SHA256: 8d896776f9a97a90e49efc257f23933e4220f5204b8dfd1d90b2d5dc3cd1dab4
  SHA512: 92be8cd012f7f5b3f0b0cc75b5a8cccb09f00619faa4eaae6aae468214e4b1746a162e1469691fd07ab0de7a6f44f9dbcb9f956ee2d749b81d6aee7f94b2982c
- Filesize: 3.4MB
  MD5: fa0b1bf06c539a26ec853463af7301a8
  SHA1: 6c413ff5032a37fb67c921a163493b0825f3ddc5
  SHA256: 57bb0bbecc49c614f1d51354b7fdc7344af9315b150e81e2add578c1990977fc
  SHA512: 250539c9855d82cc783db3db43c4ccefc634632e29e56438bbd1556585304fd0f3b860810643323c670c4315e0d123de582299ce88bb1d1533f6105e3efcd278