Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
13-06-2024 16:08
Static task
static1
Behavioral task
behavioral1
Sample
a66bbb81819c7a53008288547034108d_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a66bbb81819c7a53008288547034108d_JaffaCakes118.dll
Resource
win10v2004-20240611-en
General
-
Target
a66bbb81819c7a53008288547034108d_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
a66bbb81819c7a53008288547034108d
-
SHA1
4362692ed7e98b5224314beb8ad1ff1afd8fed1d
-
SHA256
947837f99eadfc89901b66bb2688dc703a9355c8263c5de0b0103142a7fcea0c
-
SHA512
689a16b60a7e97d64ba29d3650bdb387bb17df1bf8bbafca9d02b03a64155dc753ed08037b440a4ed4397ad5e1bf6967d83ef8bf23457d169a5cb3af24f157bf
-
SSDEEP
24576:SbLgddQhfdmMd4scVNgeopJNtY+EUXDsh1ATL4pEjqEwN2gpndjb24XxiVL1RaQg:SnAQqMdfb3JlU8gfI19FXprotruq
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3090) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 2660 mssecsvc.exe 3724 mssecsvc.exe 220 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 3196 wrote to memory of 4044 3196 rundll32.exe rundll32.exe PID 3196 wrote to memory of 4044 3196 rundll32.exe rundll32.exe PID 3196 wrote to memory of 4044 3196 rundll32.exe rundll32.exe PID 4044 wrote to memory of 2660 4044 rundll32.exe mssecsvc.exe PID 4044 wrote to memory of 2660 4044 rundll32.exe mssecsvc.exe PID 4044 wrote to memory of 2660 4044 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a66bbb81819c7a53008288547034108d_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3196 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a66bbb81819c7a53008288547034108d_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2660 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:220
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3724
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD54fdbe278beaefc23039e6123bdc6695a
SHA1d98a7fdfe3538bcf36cfe105e585ff6baeda70d0
SHA256bff4ffca77939603d2e6f1d7cb24de6e41ec4e94afc306f6a434072585d2075e
SHA51219c7bebb56bac8cee879aa2eec83af020330977be9ddb17d881c3a757951216e717160f0786e7cd69bdebb6bb9ef0acb92578d339674a8b6e6165e793549cd0d
-
Filesize
3.4MB
MD57adbae7ddb75a3f753a4bbf8223bb4d2
SHA1c6c7a439322f1ca373d18878f0a2e2444fc166ff
SHA25696b3c39d380a4116cafd0abfbcf334b58655803a3046ab063a79fb0852823f13
SHA51299c16dd7b57a412f23ff544f9d53bed84a0b6d88581995ef0639531c14f3c9b169611da9bd618023f973d8f15dcbc48858c06e573091fd3893ea36cd4c81b86d