Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-06-2024 14:36

Static task: static1
Behavioral task: behavioral1
  Sample: a60efb1e108358d11563585018a65f84_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a60efb1e108358d11563585018a65f84_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: a60efb1e108358d11563585018a65f84_JaffaCakes118.dll
- Size: 5.0MB
- MD5: a60efb1e108358d11563585018a65f84
- SHA1: 01ab4e7e573ec887b139faa7755339af727ebc4d
- SHA256: 46a56d27373b26c22194f61dac64935582048bd83f8de8dab9c76d96e0d8a546
- SHA512: 7768ba6ce5ff1282bcfb14dfd90134a2e8b16d87eacabfe885d0989ad30c02c14b74103765272f7c6004ad2d4a0658f8ed0bf0a45679c72006b41151fe22c63d
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBhz1aRxcSUDk36SAEdhvxWa9
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2680) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid   process
    4492  mssecsvc.exe
    1484  mssecsvc.exe
    1472  tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
    description      ioc                                                                                                        process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                       pid   process       target process
    PID 3756 wrote to memory of 4160  3756  rundll32.exe  rundll32.exe
    PID 3756 wrote to memory of 4160  3756  rundll32.exe  rundll32.exe
    PID 3756 wrote to memory of 4160  3756  rundll32.exe  rundll32.exe
    PID 4160 wrote to memory of 4492  4160  rundll32.exe  mssecsvc.exe
    PID 4160 wrote to memory of 4492  4160  rundll32.exe  mssecsvc.exe
    PID 4160 wrote to memory of 4492  4160  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a60efb1e108358d11563585018a65f84_JaffaCakes118.dll,#1
  PID: 3756
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a60efb1e108358d11563585018a65f84_JaffaCakes118.dll,#1
    PID: 4160
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4492
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1472
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1484
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 16a4b3403b802554f52eb5883c30c23a
  SHA1: 5a5a07a4b3515df2d87e170c6f7e114ae8350f0a
  SHA256: 116d397f4520c825c33c8c9619acf82ab8c8e6698863358b1d5fd81d8bf0450b
  SHA512: 538e0e7e2a41035492c2d25b5ac2f2854e00ee4bc5064c575a6ddd3414e93350ca007778927f61904c1a4667bc68c819c89af0843dd84a1475bae9ad8e7237bb
- Filesize: 3.4MB
  MD5: c3e244758e6de8e6338b6fa3357d9595
  SHA1: 59ad2f94cbc4f1003b3214d46aef8e2a13885b3a
  SHA256: f4c993f75dcb1223aecd4c54743102316e607862b4e7705af779355956625be5
  SHA512: 5a3713243482a2a50a1377b622af5235eb2765069112e548cc8c8d1def1757b6d62dbf5d19a2697b669d904ecbdcac86b786ad237d13f78c7895f0b31b80f141