Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 07:18
Static task: static1
Behavioral task: behavioral1
- Sample: 9fdf1f2ad7cd5225a57c91e333de2f44_JaffaCakes118.dll
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 9fdf1f2ad7cd5225a57c91e333de2f44_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 9fdf1f2ad7cd5225a57c91e333de2f44_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 9fdf1f2ad7cd5225a57c91e333de2f44
- SHA1: 4651877bfa78921e926e19f655676c6025f4a747
- SHA256: f6167721226b978b2225c31a8d9f94833de9555cf83186fff8970a7c41043fd4
- SHA512: 35c56b13c14ed3159e8bcd72cccb5bfd4c6240448c24338c4c6ac8d2562f551e4d0a15d3a449659463cfb507c28d75422c5d6cc22c263f1d8f1f8c9e960d8ba9
- SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWi593R8yAVp2H:TDqPe1Cxcxk3ZAEUizR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2685) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  PID  | Process
  2776 | mssecsvc.exe
  5068 | mssecsvc.exe
  3960 | tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  Description  | IoC                     | Process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
  Description     | IoC                                                                                                              | Process
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                      | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  Description                      | PID  | Process      | Target process
  PID 2924 wrote to memory of 1536 | 2924 | rundll32.exe | rundll32.exe
  PID 2924 wrote to memory of 1536 | 2924 | rundll32.exe | rundll32.exe
  PID 2924 wrote to memory of 1536 | 2924 | rundll32.exe | rundll32.exe
  PID 1536 wrote to memory of 2776 | 1536 | rundll32.exe | mssecsvc.exe
  PID 1536 wrote to memory of 2776 | 1536 | rundll32.exe | mssecsvc.exe
  PID 1536 wrote to memory of 2776 | 1536 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 2924)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fdf1f2ad7cd5225a57c91e333de2f44_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1536)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fdf1f2ad7cd5225a57c91e333de2f44_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2776)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 3960)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 5068)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 39ba95f0b586a2ef517bb30c2c4a54db
  SHA1: 9ab4814d46a4423a560db516ecceaebe651ffa8b
  SHA256: 3ba8288b842ff843cc7e4070614a8fa505e1ef9a1665bc8927e54b4dd5fd012c
  SHA512: 9f335276ed609c0d406bc7d5ef1a59f8bb8ca352465d67747b4fa7ff7a188f5555323e5ce3d30833a3919e6fd86219d64a6ccbc955cd269fb953c02f7a77b29d
- Filesize: 3.4MB
  MD5: 9ec7a921022993aaabd0f0937f5194da
  SHA1: 53db809fedaa756916df059b8c73b48ae76d2ce6
  SHA256: 967658e37edaa8aea880275da688ede7dc01b65bd83ae06e313d673c0066bed7
  SHA512: 497da606fadf43aadbf581cff77342c57c1dc7139814e122da842fa579c3b5ac41768b4e345f9d676c706ea16faf42f3cbb86354f792b238e29837b15103b308