Analysis
  max time kernel: 150s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 13-06-2024 21:52
Static task
  static1
Behavioral task behavioral1
  Sample: a6be621dee55c1f80332d68ad4853cd3_JaffaCakes118.dll
  Resource: win7-20240611-en
Behavioral task behavioral2 (the run reported on this page; the Analysis block above names the same win10v2004-20240508-en resource)
  Sample: a6be621dee55c1f80332d68ad4853cd3_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
  Target: a6be621dee55c1f80332d68ad4853cd3_JaffaCakes118.dll
  Size: 5.0MB
  MD5: a6be621dee55c1f80332d68ad4853cd3
  SHA1: 3681f967a87ab6c3b07dcd9aacf9da30adeb8272
  SHA256: 53a43ff0c9043a537995558a6ad94dd9a41668c1f5cd4d195db7fbf2b066aa09
  SHA512: 1cf81fcd97c7ada68cd596d22a66a28975ba3c7a852e731c22cc0640c5d884a773143acb74ebbddadb1d856f9580665c605f7c68ca6d9faaa794268356acb444
  SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6Zdw:+DqPoBhz1aRxcSUDk36Zd
Malware Config
Signatures
  Wannacry
    WannaCry is a ransomware cryptoworm: it encrypts files on the infected host and also self-propagates to other hosts over the network.

  Contacts a large number (2692) of remote hosts    1 TTP
    This may indicate a network scan to discover remotely running services.

  Executes dropped EXE    3 IoCs
    pid    process
    2384   mssecsvc.exe
    4212   mssecsvc.exe
    4848   tasksche.exe

  Creates a large amount of network flows    1 TTP
    This may indicate a network scan to discover remotely running services.

  Drops file in Windows directory    2 IoCs
    description    ioc                        process
    File created   C:\WINDOWS\mssecsvc.exe    rundll32.exe
    File created   C:\WINDOWS\tasksche.exe    mssecsvc.exe

  Modifies data under HKEY_USERS    5 IoCs
    description       ioc                                                                                                          process
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      mssecsvc.exe
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                      mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     mssecsvc.exe
    Caveat: these ZoneMap values under the .DEFAULT profile are written by WinINet when a process first uses it from a non-interactive context; they are common sandbox noise and are not an indicator specific to this sample on their own.

  Suspicious use of WriteProcessMemory    6 IoCs
    description          pid    target pid   process        target process
    wrote to memory of   1440   2516         rundll32.exe   rundll32.exe
    wrote to memory of   1440   2516         rundll32.exe   rundll32.exe
    wrote to memory of   1440   2516         rundll32.exe   rundll32.exe
    wrote to memory of   2516   2384         rundll32.exe   mssecsvc.exe
    wrote to memory of   2516   2384         rundll32.exe   mssecsvc.exe
    wrote to memory of   2516   2384         rundll32.exe   mssecsvc.exe
Processes
  C:\Windows\system32\rundll32.exe  (PID 1440)
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6be621dee55c1f80332d68ad4853cd3_JaffaCakes118.dll,#1
    (",#1" tells rundll32 to call the DLL export with ordinal 1)
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (PID 2516)
      command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6be621dee55c1f80332d68ad4853cd3_JaffaCakes118.dll,#1
      (the 64-bit rundll32 hands the DLL to the 32-bit WoW64 rundll32, consistent with the arch:x86 resource tag)
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      C:\WINDOWS\mssecsvc.exe  (PID 2384)
        command: C:\WINDOWS\mssecsvc.exe
        - Executes dropped EXE
        - Drops file in Windows directory
        C:\WINDOWS\tasksche.exe  (PID 4848)
          command: C:\WINDOWS\tasksche.exe /i
          - Executes dropped EXE
  C:\WINDOWS\mssecsvc.exe  (PID 4212)
    command: C:\WINDOWS\mssecsvc.exe -m security
    (a second, top-level instance of the dropped binary; the tree records no parent for it, so it was started outside the rundll32 chain)
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
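The behaviours the sandbox flags above (an EXE dropped into C:\WINDOWS by rundll32, that EXE being executed and dropping a second one, ZoneMap writes under HKEY_USERS\.DEFAULT, and a large fan-out of contacted hosts) can be checked on endpoint telemetry without the sandbox. The following is an added example, not output of the sandbox or code from any WannaCry analysis: the event stream is constructed from this report's process tree and IoCs (pids, paths and command lines are copied from it), while the parent of PID 4212 (modelled as ppid 0, since the tree shows none) and the network flows (modelled as 300 probes to 445/tcp, the report only gives a host count of 2692 and no ports) are assumptions.

```python
"""Behaviour-based triage over a process/file/registry/network event stream.

Added example, not sandbox output. EVENTS is constructed from the report's
process tree and IoCs; the network flows and the ppid of pid 4212 are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    kind: str                  # "process" | "file" | "registry" | "network"
    pid: int                   # acting process
    image: str                 # image path of the acting process
    data: dict = field(default_factory=dict)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a6be621dee55c1f80332d68ad4853cd3_JaffaCakes118.dll"
ZONEMAP = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
R32_64 = r"C:\Windows\system32\rundll32.exe"
R32_32 = r"C:\Windows\SysWOW64\rundll32.exe"
MSSECSVC = r"C:\WINDOWS\mssecsvc.exe"
TASKSCHE = r"C:\WINDOWS\tasksche.exe"

EVENTS = [
    Event("process", 1440, R32_64, {"ppid": 0, "cmdline": f"rundll32.exe {SAMPLE},#1"}),
    Event("process", 2516, R32_32, {"ppid": 1440, "cmdline": f"rundll32.exe {SAMPLE},#1"}),
    Event("file", 2516, R32_32, {"path": MSSECSVC}),
    Event("process", 2384, MSSECSVC, {"ppid": 2516, "cmdline": MSSECSVC}),
    Event("file", 2384, MSSECSVC, {"path": TASKSCHE}),
    Event("process", 4848, TASKSCHE, {"ppid": 2384, "cmdline": f"{TASKSCHE} /i"}),
    # top-level in the report's tree; ppid 0 is an assumption
    Event("process", 4212, MSSECSVC, {"ppid": 0, "cmdline": f"{MSSECSVC} -m security"}),
    Event("registry", 4212, MSSECSVC, {"key": ZONEMAP, "value": "UNCAsIntranet", "data": 1}),
    Event("registry", 4212, MSSECSVC, {"key": ZONEMAP, "value": "ProxyBypass", "data": 1}),
] + [
    # Assumption: the report only counts contacted hosts (2692); the fan-out is
    # modelled here as 300 probes to 445/tcp from the "-m security" instance.
    Event("network", 4212, MSSECSVC, {"dst": f"10.0.{i // 256}.{i % 256}", "port": 445})
    for i in range(1, 301)
]


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def drops_in_windows_dir(events):
    """File creates under C:\\WINDOWS by any process ('Drops file in Windows directory')."""
    return [(e.pid, _base(e.image), e.data["path"]) for e in events
            if e.kind == "file" and e.data["path"].lower().startswith("c:\\windows\\")]


def executes_dropped_exe(events):
    """Process starts whose image was created earlier in the same trace."""
    dropped, hits = set(), []
    for e in events:
        if e.kind == "file":
            dropped.add(e.data["path"].lower())
        elif e.kind == "process" and e.image.lower() in dropped:
            hits.append((e.pid, e.data["cmdline"]))
    return hits


def ancestry(events, pid):
    """Basenames from the root process down to pid, following ppid links."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    chain = []
    while pid in procs:
        chain.append(_base(procs[pid].image))
        pid = procs[pid].data["ppid"]
    return chain[::-1]


def rundll32_drop_chain(events):
    """Dropped EXEs whose ancestry runs back to rundll32.exe (the report's tree)."""
    return [(pid, ancestry(events, pid)) for pid, _ in executes_dropped_exe(events)
            if "rundll32.exe" in ancestry(events, pid)]


def zonemap_writes(events):
    """ZoneMap writes under the .DEFAULT profile; weak alone (WinINet noise)."""
    return [(e.pid, e.data["value"]) for e in events
            if e.kind == "registry" and e.data["key"].lower().startswith(ZONEMAP.lower())]


def host_fanout(events, threshold=100):
    """Distinct destination hosts per pid at or above threshold (scan-like fan-out)."""
    seen = defaultdict(set)
    for e in events:
        if e.kind == "network":
            seen[e.pid].add(e.data["dst"])
    return {pid: len(h) for pid, h in seen.items() if len(h) >= threshold}


def triage(events):
    return {
        "drops_in_windows_dir": drops_in_windows_dir(events),
        "executes_dropped_exe": executes_dropped_exe(events),
        "rundll32_drop_chain": rundll32_drop_chain(events),
        "zonemap_writes": zonemap_writes(events),
        "host_fanout": host_fanout(events),
    }


if __name__ == "__main__":
    for name, hits in triage(EVENTS).items():
        print(f"{name}: {hits}")
```

Run against the constructed stream, executes_dropped_exe returns the same three pids the report lists (2384, 4848, 4212), and rundll32_drop_chain reports only the two started under rundll32; the "-m security" instance is caught by the dropped-EXE and fan-out rules instead, since its parent is unknown. The ZoneMap rule is kept separate and low-weight on purpose: on its own it fires on plenty of benign software.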
Network
MITRE ATT&CK Enterprise v15
Downloads
  Two dropped artifacts are offered for download; the report does not state which file each set of hashes belongs to.

  Filesize: 3.6MB
    MD5: ebf75c92f4213abfde5ec3683d1895cd
    SHA1: 69bc8bcfbddcccc9f93439774a37ab39cdad68cd
    SHA256: de1739f2ce3460e346b2a83534fda7b2e8df38cf29a72c9af656f4a61fb096a2
    SHA512: 70abd0523a2c83795feeb0199f3f4a437a5a79466e621f254f8a729afe7c919f650727d48185c709c37901f2648f1a04086a87c9e344d684ffacbd75d4204fed

  Filesize: 3.4MB
    MD5: bfd12eec647e9b9dc582825cc81fe572
    SHA1: 27a230982c4ef22505a0cfa643f1befd9b88b8a7
    SHA256: 123bc427265409ec28a20d5b78a51ca72b955f0c7950f0f0e77ca86466f5ba34
    SHA512: a1697efce3bd39a4ec02c9719c2db3c2dfb9eacac2fd0c1752c63d2baa6013cd80801ec7f7ea90d778fa20bbdf78bbaefb8d8d4490ee57e351b06d23e4fdf652