Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 10:15
Static task: static1
Behavioral task: behavioral1
  Sample: a507fbb517751736c6dcf41c967d2a56_JaffaCakes118.dll
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: a507fbb517751736c6dcf41c967d2a56_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
General
- Target: a507fbb517751736c6dcf41c967d2a56_JaffaCakes118.dll
- Size: 5.0MB
- MD5: a507fbb517751736c6dcf41c967d2a56
- SHA1: 39b95e8e1ef0d46b3bc853fa374f7429c3c4d10f
- SHA256: 25aef98f31689403efd787a1bc80edd87805a03bd2f61d86fb4dc823aa381450
- SHA512: 2c9cafc5af10e0feb286bad250fe24af2fb8c137508496b69fc93bd8e3a94151083faf61e16489f6e41c10671d5c32182b1b943c3b5434e134b68c9461da346f
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0Y8uME7A4kqAH1pNZtA0p+9XEk:SnAQqMSPbcBVKR8yAH1plAH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3347) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    3772  mssecsvc.exe
    1156  mssecsvc.exe
    4840  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 5092 wrote to memory of 2456  5092  rundll32.exe  rundll32.exe
    PID 5092 wrote to memory of 2456  5092  rundll32.exe  rundll32.exe
    PID 5092 wrote to memory of 2456  5092  rundll32.exe  rundll32.exe
    PID 2456 wrote to memory of 3772  2456  rundll32.exe  mssecsvc.exe
    PID 2456 wrote to memory of 3772  2456  rundll32.exe  mssecsvc.exe
    PID 2456 wrote to memory of 3772  2456  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a507fbb517751736c6dcf41c967d2a56_JaffaCakes118.dll,#1
  PID: 5092
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a507fbb517751736c6dcf41c967d2a56_JaffaCakes118.dll,#1
    PID: 2456
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3772
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4840
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1156
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: b8cffb216ac70b443fcd5e3d4da9866d
  SHA1: c08c4a8d93b7e6fdb6c85c06c9685cdb90d89956
  SHA256: 7dd5323526062ec448c89fe44212787659e3b2bae7ab37fb20bf0517da7f8fc9
  SHA512: 354b5695c8b3e60d0278bd9c1b6a58ccbc27b8590904af246c8c6b8dc57e2e855d9710c0f60762f9a1c1e3255090c1eaa6fc9f35e3e50cfc47df0f421d2ac171
- Filesize: 3.4MB
  MD5: f6ce03eb98bf554d3d34e82abcaf6dbc
  SHA1: 4342a29eb2b604ec980a1742436849b4df70d485
  SHA256: 0f1cf1e0af34939c8d818e315ab77b708d29992ea1e1f0f4d27ab70dcc5d3e35
  SHA512: a1a91c1cd3386c1275d0658982de43cfcbb47dd6a514746285c54ecc01dadc2951b7e7915397ead8099bd3ad3fc8c301945f3efd44faab28860e4892f582ab04