Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 23:41
Static task: static1
Behavioral task: behavioral1
  Sample: a725bf924d21fc981dd173fa66bca35f_JaffaCakes118.dll
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: a725bf924d21fc981dd173fa66bca35f_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: a725bf924d21fc981dd173fa66bca35f_JaffaCakes118.dll
Size: 5.0MB
MD5: a725bf924d21fc981dd173fa66bca35f
SHA1: c8b034345bbfca6981c3932388a245218cca3d9f
SHA256: b2e147ea73d954d6938434c8f4e3fb68a3eac21d1770e39102f0c21cebb9acbf
SHA512: 80b4d0ac7aa24c1a6abc904f7feb46f772e6d0c5307860c62a6de5320a5e1b5568cf49d2e15786241d7171aae12ee29824781b07f330352f95eaf5ed80645ae4
SSDEEP: 49152:JnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H:dDqPoBhz1aRxcSUDk36SAEdhvxWa
Malware Config
(none)

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (2663) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  936   mssecsvc.exe
  3472  mssecsvc.exe
  2448  tasksche.exe

Drops file in Windows directory (2 IoCs)
Processes:
  description   ioc                        process
  File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
  File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
Processes:
  description      ioc                                                                                                          process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                    pid   process       target process
  PID 3648 wrote to memory of 4952  3648  rundll32.exe  rundll32.exe
  PID 3648 wrote to memory of 4952  3648  rundll32.exe  rundll32.exe
  PID 3648 wrote to memory of 4952  3648  rundll32.exe  rundll32.exe
  PID 4952 wrote to memory of 936   4952  rundll32.exe  mssecsvc.exe
  PID 4952 wrote to memory of 936   4952  rundll32.exe  mssecsvc.exe
  PID 4952 wrote to memory of 936   4952  rundll32.exe  mssecsvc.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a725bf924d21fc981dd173fa66bca35f_JaffaCakes118.dll,#1
  PID: 3648
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a725bf924d21fc981dd173fa66bca35f_JaffaCakes118.dll,#1
    PID: 4952
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 936
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2448
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3472
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.6MB
MD5: 311aa9d4b29c9305a21d3d3097df96c5
SHA1: 881f45a13956c4edf8f20e7019692735c2581169
SHA256: 4f18bcddae09d98f2a407cf95c6327d6cff2c40237c94306b634db37c7f7e40b
SHA512: 443b5f0914ec86753ce3e49e4227777f0f5ae60e7650ed78ee064ef5954b0f01baee5fe539d6ac06de97bf642681983c85f38343735d757a9008c85db5243448

Filesize: 3.4MB
MD5: 1c25e5274a3e361c24eb883126ccecef
SHA1: 0a5e0d6add60b23aeef69a60f9a00d941883c791
SHA256: 1f3b3975f824416ee12c9851b19c62184f67d0160203576e11a639c0dd5c550f
SHA512: fdfcf9d2ea69c13f7eb5d5d52784e6a9077d3ab97e3347284d6d6eccdc7f8f3c9d09a3887bd40ee3128a22418a6b2db018255b4166c5e5a55ea31129ef92baa8