Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 21:44

Static task: static1

Behavioral task: behavioral1
- Sample: ab9a268d6f83180b97d654ae87bd798d_JaffaCakes118.dll
- Resource: win7-20240611-en

Behavioral task: behavioral2
- Sample: ab9a268d6f83180b97d654ae87bd798d_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: ab9a268d6f83180b97d654ae87bd798d_JaffaCakes118.dll
- Size: 5.0MB
- MD5: ab9a268d6f83180b97d654ae87bd798d
- SHA1: 4439672d2d2e5d7f9d75e77b41f730fd8f872efd
- SHA256: b4f5ae81cfd91bef403be54221d5a6674d9fd49c3c99dd43cd6fd650d27124c9
- SHA512: ace15525fda3efaa1227c7d6649365eb480c7395572a2231f968cb25f7150c86d0aa48b791b847525f671e55faea278bed508ab1f1bbd137a65aa33c35617eec
- SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2s:TDqPe1Cxcxk3ZAEUadzR8yc4s
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2704) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services. For a sample tagged WannaCry this is consistent with the worm component probing other hosts for SMB.
- Executes dropped EXE (3 IoCs)
  PID   process
  3596  mssecsvc.exe
  3128  mssecsvc.exe
  1212  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  All five entries are written by mssecsvc.exe under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\:
  Key created      ZoneMap\
  Set value (int)  UNCAsIntranet = "1"
  Set value (int)  AutoDetect = "0"
  Set value (int)  ProxyBypass = "1"
  Set value (int)  IntranetName = "1"
  HKEY_USERS\.DEFAULT is the hive the LocalSystem account sees as its HKEY_CURRENT_USER, so these writes come from an mssecsvc.exe instance running as SYSTEM rather than under the Admin user; the ZoneMap values are the WinINet/Internet Explorer zone settings that control whether UNC paths and intranet names are treated as the Local intranet zone.
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID   process       target PID   target process   occurrences
  620   rundll32.exe  3664         rundll32.exe     3
  3664  rundll32.exe  3596         mssecsvc.exe     3
  Both pairs are a parent writing into the child it has just spawned, which also happens during ordinary process creation, so on its own this is a weak indicator; the executables dropped into C:\WINDOWS are the stronger ones.
Processes
- C:\Windows\system32\rundll32.exe (PID 620)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab9a268d6f83180b97d654ae87bd798d_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3664)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab9a268d6f83180b97d654ae87bd798d_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 3596)
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 1212)
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 3128)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

The 64-bit rundll32.exe in system32 re-launches the same command through the 32-bit copy in SysWOW64, which is what rundll32 does when the DLL it is asked to load is 32-bit; the dropper code therefore runs in PID 3664, which is the process that writes C:\WINDOWS\mssecsvc.exe. The second mssecsvc.exe instance (PID 3128, `-m security`) has no parent in the traced chain and is the one that modifies HKEY_USERS\.DEFAULT.
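The indicators above (dropped paths, the `-m security` and `/i` command lines, the ZoneMap values and the file hashes) turned into a small matcher that can be run over endpoint telemetry. This is an added example written for this page, not sandbox output or code from the sample; the event dictionary shape and the sample events are constructed to resemble Sysmon-style file, process and registry records, and since the report does not say which of the two dropped-file hashes belongs to mssecsvc.exe or tasksche.exe, the sample events do not assign them.

```python
import re

# Hashes transcribed from this report: the submitted DLL and the two files under
# Downloads. The page does not map the dropped-file hashes to file names, so the
# labels carry only the sizes the report gives.
KNOWN_SHA256 = {
    "b4f5ae81cfd91bef403be54221d5a6674d9fd49c3c99dd43cd6fd650d27124c9": "submitted DLL",
    "38ffd3d0cbae63b80e6a8bc240c0817b9aff3456e76f108100883d6ab6f79790": "dropped file (3.6MB)",
    "837aa77b122962862d55e37c10f1544db08aaaf095d877e6265d7025334343b5": "dropped file (3.4MB)",
}
DROPPED_PATHS = {r"c:\windows\mssecsvc.exe", r"c:\windows\tasksche.exe"}
CMDLINE_PATTERNS = {
    "mssecsvc.exe -m security": re.compile(r"\bmssecsvc\.exe\s+-m\s+security\b", re.I),
    "tasksche.exe /i": re.compile(r"\btasksche\.exe\s+/i\b", re.I),
}
ZONEMAP_KEY = r"\registry\user\.default\software\microsoft\windows\currentversion\internet settings\zonemap"
ZONEMAP_VALUES = {"uncasintranet": "1", "autodetect": "0", "proxybypass": "1", "intranetname": "1"}


def _norm(path):
    """Case-fold and normalise separators so paths compare reliably."""
    return path.replace("/", "\\").lower()


def match_event(ev):
    """Return the list of report indicators that one telemetry event matches."""
    hits = []
    label = KNOWN_SHA256.get(ev.get("sha256", "").lower())
    kind = ev.get("type")
    if kind == "file_create":
        if _norm(ev.get("path", "")) in DROPPED_PATHS:
            hits.append("dropped-file path " + _norm(ev["path"]))
        if label:
            hits.append("sha256 matches " + label)
    elif kind == "process_create":
        image = _norm(ev.get("image", ""))
        parent = _norm(ev.get("parent_image", ""))
        if image in DROPPED_PATHS and parent.endswith("\\rundll32.exe"):
            hits.append("rundll32.exe spawned dropped EXE " + image)
        for name, rx in CMDLINE_PATTERNS.items():
            if rx.search(ev.get("cmdline", "")):
                hits.append("command line " + name)
        if label:
            hits.append("sha256 matches " + label)
    elif kind == "registry_set":
        key = _norm(ev.get("key", "")).rstrip("\\")
        value = ev.get("value", "").lower()
        if key == ZONEMAP_KEY and ZONEMAP_VALUES.get(value) == str(ev.get("data", "")):
            hits.append("ZoneMap %s = %s" % (ev["value"], ev["data"]))
    return hits


def scan(events):
    """Run every event through match_event; return (event index, indicator) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in match_event(ev)]


# Constructed sample telemetry modelled on the process tree in this report.
# The registry key path, command lines and PIDs-in-spirit are taken from the page;
# the benign events at the end are there to show the matcher stays quiet on them.
DLL = r"C:\Users\Admin\AppData\Local\Temp\ab9a268d6f83180b97d654ae87bd798d_JaffaCakes118.dll"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": r"C:\Windows\system32\rundll32.exe", "cmdline": "rundll32.exe " + DLL + ",#1"},
    {"type": "file_create", "path": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "process_create", "image": r"C:\WINDOWS\mssecsvc.exe",
     "parent_image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "process_create", "image": r"C:\WINDOWS\tasksche.exe",
     "parent_image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"type": "process_create", "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"type": "registry_set", "key": ZONEMAP_KEY.upper(), "value": "UNCAsIntranet", "data": "1"},
    {"type": "registry_set", "key": ZONEMAP_KEY.upper(), "value": "UNCAsIntranet", "data": "0"},
    {"type": "file_create", "path": r"C:\Users\Admin\Documents\notes.txt", "sha256": "00" * 32},
]

if __name__ == "__main__":
    for idx, hit in scan(SAMPLE_EVENTS):
        print("event %d: %s" % (idx, hit))
```

Only the `-m security` and `/i` command lines, the two C:\WINDOWS paths and the exact ZoneMap values are matched, so a host that merely has `UNCAsIntranet` set to a different value or a file with the same name elsewhere does not trigger; the `rundll32.exe` parent check ties the dropped executable to the loader chain seen in the report rather than to any process named mssecsvc.exe.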
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 7a9b19308740068ec19844ae760bdbde
  SHA1: 3848f9a0904c070232a8cb1bbc647c91ec4f2740
  SHA256: 38ffd3d0cbae63b80e6a8bc240c0817b9aff3456e76f108100883d6ab6f79790
  SHA512: b30f783e7083fd4769e51c82ee9f3fd840ead4379fc750bc0e21b0bf502af000975221650a63a869e65bc3773a2e4f5d395b27a73d82b58a3820acf1f77e9393
- Filesize: 3.4MB
  MD5: b28af569881d85a183a91438bc35abb1
  SHA1: 857e19e8f2f9dd6c3a43f2defcf214fe116affca
  SHA256: 837aa77b122962862d55e37c10f1544db08aaaf095d877e6265d7025334343b5
  SHA512: 59614eba8868c06c159537bf594af154b56bb0f2f0c4ec09a104b5073526507e58836f3f16b454fa95327983359baf7e2f02ede4c597ab412be18dc574d26ec5