Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
14-06-2024 23:09
Static task
static1
Behavioral task
behavioral1
Sample
abebc86c59b2aa2143a4aaf98ea34630_JaffaCakes118.dll
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
abebc86c59b2aa2143a4aaf98ea34630_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
abebc86c59b2aa2143a4aaf98ea34630_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
abebc86c59b2aa2143a4aaf98ea34630
-
SHA1
385b79ff4bfe4dd43e06c287d11d1a067fbb5eb7
-
SHA256
fb5317e76d0f234aede9f26f60f40a278c241d27019518df2ab8909ead764788
-
SHA512
1395898edcc6ec8c97934711886cda105b5f8c4b5e1dc9ecf36ac8f9cf268882bad58945b369cc359557bc5b4ebba4e65c705c94f68f38ce9ab42f1403bf6545
-
SSDEEP
49152:znAQqMSPbcBVQej/1IwFvElh6h0mZQOy2DLscxez2Kr7GDVENG+VN+kszxR:TDqPoBhz1pv86h0mhEcwz
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large number (2680) of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
4700  mssecsvc.exe
3724  mssecsvc.exe
3684  tasksche.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description   ioc                       process
File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
description      ioc                                                                                              process
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description  pid   process       target process
PID 1124 wrote to memory of 852   rundll32.exe  rundll32.exe
PID 1124 wrote to memory of 852   rundll32.exe  rundll32.exe
PID 1124 wrote to memory of 852   rundll32.exe  rundll32.exe
PID 852 wrote to memory of 4700   rundll32.exe  mssecsvc.exe
PID 852 wrote to memory of 4700   rundll32.exe  mssecsvc.exe
PID 852 wrote to memory of 4700   rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\abebc86c59b2aa2143a4aaf98ea34630_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:1124
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\abebc86c59b2aa2143a4aaf98ea34630_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:852
    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:4700
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:3684
- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:3724
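The tree above is the classic WannaCry dropper lineage: rundll32.exe loads the DLL's export #1, the 64-bit rundll32.exe (PID 1124) hands off to the SysWOW64 copy (PID 852), which is what happens when a 32-bit DLL is loaded on an x64 host, and that child writes mssecsvc.exe into the Windows directory root, which in turn drops and runs tasksche.exe /i; a second mssecsvc.exe instance (PID 3724) runs with -m security and writes ZoneMap values under HKEY_USERS\.DEFAULT. The detection below is an added example, not code from the sandbox vendor or from this report. Its event records are constructed from the PIDs, paths and registry values listed above, not exported from a real EDR; treating HKEY_USERS\.DEFAULT as the profile used by LocalSystem services, and treating any executable written directly into the Windows directory root as suspicious, are the example's own assumptions.

```python
import ntpath
from dataclasses import dataclass
from typing import Optional

@dataclass
class Proc:
    pid: int
    ppid: Optional[int]   # None: parent not shown in the report's tree
    image: str
    cmdline: str

@dataclass
class FileCreate:
    pid: int              # pid of the process that wrote the file
    path: str

@dataclass
class RegSet:
    pid: int
    key: str
    value: Optional[str]  # None for a bare "Key created" event
    data: object

# Constructed from the PIDs, paths and registry values in the report above;
# this is example data, not an export from the sandbox or from an EDR.
DLL = r"C:\Users\Admin\AppData\Local\Temp\abebc86c59b2aa2143a4aaf98ea34630_JaffaCakes118.dll"
PROCS = [
    Proc(1124, None, r"C:\Windows\system32\rundll32.exe", "rundll32.exe " + DLL + ",#1"),
    Proc(852, 1124, r"C:\Windows\SysWOW64\rundll32.exe", "rundll32.exe " + DLL + ",#1"),
    Proc(4700, 852, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    Proc(3684, 4700, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    Proc(3724, None, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
]
FILES = [FileCreate(852, r"C:\WINDOWS\mssecsvc.exe"), FileCreate(4700, r"C:\WINDOWS\tasksche.exe")]
ZONEMAP = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
REGS = [
    RegSet(3724, ZONEMAP + "\\", None, None),
    RegSet(3724, ZONEMAP, "IntranetName", 1),
    RegSet(3724, ZONEMAP, "UNCAsIntranet", 1),
    RegSet(3724, ZONEMAP, "AutoDetect", 0),
    RegSet(3724, ZONEMAP, "ProxyBypass", 1),
]

def _name(image: str) -> str:
    return ntpath.basename(image).lower()

def dropper_chains(procs):
    """(rundll32 pid, mssecsvc pid, tasksche pid) for every
    rundll32.exe -> mssecsvc.exe -> tasksche.exe /i lineage."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if _name(p.image) != "tasksche.exe" or "/i" not in p.cmdline.lower().split():
            continue
        parent = by_pid.get(p.ppid)
        if parent is None or _name(parent.image) != "mssecsvc.exe":
            continue
        grand = by_pid.get(parent.ppid)
        if grand is None or _name(grand.image) != "rundll32.exe":
            continue
        hits.append((grand.pid, parent.pid, p.pid))
    return hits

def service_relaunch(procs):
    """pids of mssecsvc.exe started with '-m security' (the persistent worm
    instance in the report, shown with no parent)."""
    return [p.pid for p in procs
            if _name(p.image) == "mssecsvc.exe"
            and p.cmdline.lower().split()[-2:] == ["-m", "security"]]

def windir_exe_drops(files, procs):
    """Executables created directly in the Windows directory root (not a
    subdirectory), with the writer's image name. Assumption: benign software
    does not do this."""
    by_pid = {p.pid: p for p in procs}
    out = []
    for f in files:
        d, n = ntpath.split(f.path)
        if d.lower().rstrip("\\") == r"c:\windows" and n.lower().endswith(".exe"):
            writer = _name(by_pid[f.pid].image) if f.pid in by_pid else "?"
            out.append((f.pid, writer, n.lower()))
    return out

def zonemap_writes(regs):
    """{value name: data} for ZoneMap values set under HKEY_USERS\\.DEFAULT,
    the profile a LocalSystem service writes to (assumed interpretation)."""
    return {r.value: r.data for r in regs
            if r.value is not None and r.key.lower().rstrip("\\") == ZONEMAP.lower()}

def verdict(procs, files, regs):
    findings = {
        "dropper_chain": dropper_chains(procs),
        "service_relaunch": service_relaunch(procs),
        "windir_drops": windir_exe_drops(files, procs),
        "zonemap": zonemap_writes(regs),
    }
    # Lineage plus the drop into the Windows root is required; registry and
    # service observations corroborate but are not sufficient on their own.
    findings["wannacry_like"] = bool(findings["dropper_chain"]) and bool(findings["windir_drops"])
    return findings
```

Run verdict(PROCS, FILES, REGS) to get the findings dict; feeding it Sysmon event ID 1/11/13 records mapped onto the three dataclasses gives the same checks on live telemetry. The lineage match keys on the child rundll32.exe's parent relationship only, so the system32 to SysWOW64 handoff seen here does not need to be modelled.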
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.6MB
MD5
093e8a1d86864424d3cdd1ebede4cc82
SHA1
07b534af48de27c84e046229cc25979fdbcaa53c
SHA256
7cd796d59db7e7ac878ad3335522104e1422e6fc721b2f1c327007578df01502
SHA512
df230b18fa382f8d419008ba2483fad3c08f910c0227925fef35d4d9a46ceeebe410d332326d0f2364b020dcb8de8253a9d2a9c6223e147d557369d1fa6eddf2
-
Filesize
3.4MB
MD5
b4f7243af03b1dd769ff9240ac5efa9e
SHA1
4c33f4480a4ca13c434fe04d9f5a37cfb2691c37
SHA256
e871c13560d924fe7adceb03e49b233127c970a4855fa607913778581fbde45e
SHA512
c49ceddf726d6eefdb21573ccb5895089b0f28d1f411272bff5d86cb64b70d7535c9bf561e127c7d5a260adb482a33c26ee85d55f18938c2c43b3675fa725d6d