Analysis
Max time kernel: 150s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20240611-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 13-06-2024 15:04
Static task: static1
Behavioral task: behavioral1
  Sample: a62a80f7db409bb44290b25641c6694f_JaffaCakes118.dll
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: a62a80f7db409bb44290b25641c6694f_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
General
Target: a62a80f7db409bb44290b25641c6694f_JaffaCakes118.dll
Size: 5.0MB
MD5: a62a80f7db409bb44290b25641c6694f
SHA1: 56934df4b479198c6688a390eba74a885ff26fde
SHA256: fc2f145f2c1e2de9f5492e2987dd6e3859d0aabbe6f4dc703c86bb77b0086e5e
SHA512: 80d27899fa0513e3e4649ea6969522b34a7999a0997ab88e2a8a747fa5312ee9b8ca35965e7148252d53eefabc0368171e0b14f413619709e321ccad8acfa21e
SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQ:TDqPoBhz1aRxcSUDk
Malware Config
Signatures
- WannaCry
  WannaCry is a ransomware cryptoworm: it encrypts files on the infected host and spreads itself to other hosts over the network.
- Contacts a large number (3225) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 1480  mssecsvc.exe
    PID 1532  mssecsvc.exe
    PID 3236  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    File created  C:\WINDOWS\mssecsvc.exe  by rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  by mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (all by mssecsvc.exe):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 3116 rundll32.exe  wrote to memory of  PID 1108 rundll32.exe   (3 times)
    PID 1108 rundll32.exe  wrote to memory of  PID 1480 mssecsvc.exe   (3 times)
Processes
The number before each entry is its depth in the process tree. The 64-bit rundll32.exe (PID 3116) hands off to the 32-bit SysWOW64 copy (PID 1108), which is the normal behaviour when a 32-bit DLL is passed to the 64-bit rundll32.exe; ",#1" calls the DLL's export ordinal 1.

1. C:\Windows\system32\rundll32.exe (PID 3116)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a62a80f7db409bb44290b25641c6694f_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1108), child of PID 3116
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a62a80f7db409bb44290b25641c6694f_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\WINDOWS\mssecsvc.exe (PID 1480), child of PID 1108
         Command line: C:\WINDOWS\mssecsvc.exe
         - Executes dropped EXE
         - Drops file in Windows directory
         4. C:\WINDOWS\tasksche.exe (PID 3236), child of PID 1480
            Command line: C:\WINDOWS\tasksche.exe /i
            - Executes dropped EXE
1. C:\WINDOWS\mssecsvc.exe (PID 1532), separate top-level process
   Command line: C:\WINDOWS\mssecsvc.exe -m security
   - Executes dropped EXE
   - Modifies data under HKEY_USERS
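As an added example (not part of this sandbox report and not the sandbox's own detection engine), the following Python script replays the signatures and the process tree above as a stream of constructed events and flags each behaviour the report lists: rundll32.exe loading a DLL out of a user's Temp directory by export ordinal, the drop of mssecsvc.exe and tasksche.exe into C:\WINDOWS, execution of those dropped files with the command lines seen here, the ZoneMap writes under the .DEFAULT hive, and the rundll32.exe -> mssecsvc.exe -> tasksche.exe parent chain. The event dictionaries and their layout are a constructed stand-in for real Sysmon/EDR telemetry, and the parent PIDs of the two top-level processes (900 and 700) are placeholders; the PIDs, paths and command lines of the malicious processes are copied from the report.

```python
"""Detection sketch for the behaviour chain in this report.

Added example, not part of the sandbox report or of any vendor's engine.
The event records below are constructed to mirror the report's process
tree, file drops and registry writes (PIDs, paths and command lines are
copied from the report; the parent PIDs 900 and 700 of the two top-level
processes and the record layout itself are placeholders, not a real log
format)."""
import ntpath
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

EVENTS: List[Event] = [
    # rundll32 (64-bit, then the 32-bit copy) calls export ordinal #1 of the DLL from %TEMP%
    {"type": "process", "pid": "3116", "ppid": "900", "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\a62a80f7db409bb44290b25641c6694f_JaffaCakes118.dll,#1"},
    {"type": "process", "pid": "1108", "ppid": "3116", "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\a62a80f7db409bb44290b25641c6694f_JaffaCakes118.dll,#1"},
    {"type": "file", "pid": "1108", "image": r"C:\Windows\SysWOW64\rundll32.exe", "target": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "process", "pid": "1480", "ppid": "1108", "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "file", "pid": "1480", "image": r"C:\WINDOWS\mssecsvc.exe", "target": r"C:\WINDOWS\tasksche.exe"},
    {"type": "process", "pid": "3236", "ppid": "1480", "image": r"C:\WINDOWS\tasksche.exe", "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"type": "process", "pid": "1532", "ppid": "700", "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"type": "registry", "pid": "1532", "image": r"C:\WINDOWS\mssecsvc.exe",
     "target": r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass"},
    # constructed benign noise: rundll32 with a system DLL, and a per-user Explorer setting
    {"type": "process", "pid": "4000", "ppid": "900", "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "registry", "pid": "4100", "image": r"C:\Windows\explorer.exe",
     "target": r"\REGISTRY\USER\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

DROPPED_NAMES = {"mssecsvc.exe", "tasksche.exe"}  # files the report shows being written to C:\WINDOWS
WINDIR_PREFIX = "c:\\windows\\"
KNOWN_ARGS = {"mssecsvc.exe": re.compile(r"\s-m\s+security\b", re.I),  # second mssecsvc.exe instance
              "tasksche.exe": re.compile(r"\s/i\b", re.I)}             # tasksche.exe /i
# rundll32 loading a DLL from a user's Temp directory and calling it by export ordinal (",#1" in the report)
RUNDLL32_TEMP_ORDINAL = re.compile(r"rundll32\.exe\s+\S*\\AppData\\Local\\Temp\\[^,\s]+\.dll,#\d+", re.I)
# ZoneMap keys under the .DEFAULT hive belong to the SYSTEM/service context, not to an interactive user
ZONEMAP_DEFAULT_HIVE = ("\\registry\\user\\.default\\software\\microsoft\\windows"
                        "\\currentversion\\internet settings\\zonemap\\")


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def in_windir(path: str) -> bool:
    return path.lower().startswith(WINDIR_PREFIX)


def ancestry(pid: str, procs: Dict[str, Event]) -> List[str]:
    """Image names from pid upward through the parent chain (cycle-safe)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid].get("ppid", "")
    return chain


def detect(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (rule, pid, detail) hits; each rule maps to one signature in the report."""
    hits: List[Tuple[str, str, str]] = []
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    for e in events:
        img = basename(e["image"])
        if e["type"] == "process":
            cmd = e["cmdline"]
            if img == "rundll32.exe" and RUNDLL32_TEMP_ORDINAL.search(cmd):
                hits.append(("rundll32_temp_dll_by_ordinal", e["pid"], cmd))
            if img in DROPPED_NAMES and in_windir(e["image"]):
                hits.append(("dropped_exe_executed", e["pid"], e["image"]))
                if KNOWN_ARGS[img].search(cmd):
                    hits.append(("known_wannacry_cmdline", e["pid"], cmd))
            # parent chain as in the report: tasksche.exe <- mssecsvc.exe <- ... <- rundll32.exe
            chain = ancestry(e["pid"], procs)
            if chain[:2] == ["tasksche.exe", "mssecsvc.exe"] and "rundll32.exe" in chain[2:]:
                hits.append(("wannacry_process_chain", e["pid"], " <- ".join(chain)))
        elif e["type"] == "file":
            if basename(e["target"]) in DROPPED_NAMES and in_windir(e["target"]):
                hits.append(("file_dropped_in_windir", e["pid"], e["target"]))
        elif e["type"] == "registry":
            if e["target"].lower().startswith(ZONEMAP_DEFAULT_HIVE):
                hits.append(("zonemap_write_default_hive", e["pid"], f"{img} -> {e['target']}"))
    return hits


def pids_for(rule: str, hits: List[Tuple[str, str, str]]) -> set:
    return {pid for r, pid, _ in hits if r == rule}


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:28} pid={pid:5} {detail}")
```

Run the file directly to print the hits. The benign rundll32.exe call and the per-user Explorer registry write are included to show that the rules stay quiet on them. The ZoneMap rule is the weakest of the set: those keys are also created by ordinary WinINet use from a SYSTEM or service context, so it should be correlated with the file-drop and process-chain hits rather than alerted on by itself.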
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: eb803792a58e278cc0985dad15204919
  SHA1: 6095e74586d3bfdc4d5ea0269d5f9f32e2912ac5
  SHA256: e414785740575eb5b306c10d9cb6c6a84b19f7a8c459f4d272c398c36a03a338
  SHA512: cdc9568e0c67346b07690c80ae6ae2a728e8ca9b82ff3350dccdcf6637f5036731c3e6a8b67ac077c1dc63a9047e6e8e43e8586083c74ac07458c58a832b6830
- Filesize: 3.4MB
  MD5: c51ff01f733edf9d028866a973e6f35e
  SHA1: c52f9c24346b69d72d13569bd6565d8d23ab96e8
  SHA256: 2d158c9d27d65ed554f4feee0cba57871cad4998e39fc025afa22ee21588c43a
  SHA512: 0a95d9c98978d77e0f0e4295f2af79c8a04f47d5f917e1f80debe9a7587e53f1d1c3656daef82ec3f3942af1f70e08e6ef4a61b6a9cf46518134b557c5f605ec