Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 01:05
Static task: static1

Behavioral task: behavioral1
  Sample: a774c7e970b2c25f3d7aef04ae70d88c_JaffaCakes118.dll
  Resource: win7-20231129-en

Behavioral task: behavioral2 (the run reported below)
  Sample: a774c7e970b2c25f3d7aef04ae70d88c_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General

Target: a774c7e970b2c25f3d7aef04ae70d88c_JaffaCakes118.dll
Size: 5.0MB
MD5: a774c7e970b2c25f3d7aef04ae70d88c
SHA1: a8477d2f8c3cb66664c9fd8f7752fdfe9071f5af
SHA256: d3c9acac4d4adfd13475a49a89a81fb5ba6497b5ac61d4317fcc3bd4cbd92f37
SHA512: 290cb300cb6d52761a2fd1b2ebb0aa871466464592a469752e2efa2175335219fbd058c92b288c6bdf5a08f52094f53a7ee0c6de4040ecb962202f981fcc612f
SSDEEP: 98304:+DqPoBhz1aRxOk36SAEdhvxWa9P593R8yf:+DqPe1CxOk3ZAEUadzR86
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.

Contacts a large (2687) number of remote hosts  [1 TTP]
  This may indicate a network scan to discover remotely running services. For WannaCry this fits the worm component's known SMB (TCP/445) propagation scan; note that the report itself records only the host count, not the ports contacted.

Executes dropped EXE  [3 IoCs]
  PID   Process
  4044  mssecsvc.exe
  1620  mssecsvc.exe
  1880  tasksche.exe

Creates a large number of network flows  [1 TTP]
  This may indicate a network scan to discover remotely running services.

Drops file in Windows directory  [2 IoCs]
  Description   IoC                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe

Modifies data under HKEY_USERS  [5 IoCs]
  All by mssecsvc.exe, under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Key created      ZoneMap\
  Set value (int)  IntranetName = "1"
  Set value (int)  UNCAsIntranet = "1"
  Set value (int)  AutoDetect = "0"
  Set value (int)  ProxyBypass = "1"
  The .DEFAULT hive is the profile used by code running as LocalSystem, which is consistent with the separate mssecsvc.exe -m security instance (PID 1620) in the process tree, the process the report attributes these writes to.

Suspicious use of WriteProcessMemory  [6 IoCs]
  Source PID  Source process  Target PID  Target process  Count
  2368        rundll32.exe    1268        rundll32.exe    3
  1268        rundll32.exe    4044        mssecsvc.exe    3
  The first pair is the 64-bit C:\Windows\system32\rundll32.exe handing the x86 DLL (see the arch:x86 resource tag) off to a 32-bit C:\Windows\SysWOW64\rundll32.exe; the second is that 32-bit child writing into the mssecsvc.exe it launched.
Processes

C:\Windows\system32\rundll32.exe  (PID 2368)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a774c7e970b2c25f3d7aef04ae70d88c_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  (PID 1268)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a774c7e970b2c25f3d7aef04ae70d88c_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe  (PID 4044)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe  (PID 1880)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe  (PID 1620)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
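The signatures and process tree above can be turned directly into host-hunting rules. The script below is an added example, not part of the sandbox report: it encodes the rundll32.exe -> mssecsvc.exe -> tasksche.exe chain, the two files dropped into C:\WINDOWS, the ZoneMap values written under HKU\.DEFAULT, and the sample's hashes, then runs those rules over constructed Sysmon-style events. PIDs, paths, registry values and hashes are copied from the report; the flat dict event schema, the two benign control events, and the omission of a parent for the -m security instance (the report does not record one) are assumptions made for the example.

```python
r"""Hunt for the host artifacts this report records for the WannaCry sample.

Added example, not part of the sandbox report. Rules encode only what the
report shows: the rundll32 -> mssecsvc.exe -> tasksche.exe chain, the two
files dropped into C:\WINDOWS, the ZoneMap values written under
HKU\.DEFAULT, and the sample's hashes. The event schema (plain dicts with
'type', 'pid', 'image', 'parent_image', 'cmdline', 'target', 'key', 'value',
'data') is an assumption made for the example, not Sysmon's real schema.
"""
import hashlib
import re

# Hashes of the submitted DLL, copied from the General section.
SAMPLE_MD5 = "a774c7e970b2c25f3d7aef04ae70d88c"
SAMPLE_SHA256 = "d3c9acac4d4adfd13475a49a89a81fb5ba6497b5ac61d4317fcc3bd4cbd92f37"

# Files created in C:\WINDOWS ("Drops file in Windows directory").
DROPPED_FILES = {r"c:\windows\mssecsvc.exe", r"c:\windows\tasksche.exe"}

# ZoneMap values mssecsvc.exe set under HKU\.DEFAULT ("Modifies data under HKEY_USERS").
ZONEMAP_KEY = (r"\registry\user\.default\software\microsoft\windows"
               r"\currentversion\internet settings\zonemap")
ZONEMAP_VALUES = {"intranetname": "1", "uncasintranet": "1",
                  "autodetect": "0", "proxybypass": "1"}

# "rundll32.exe <dll>,#1": the DLL is entered by export ordinal 1, as in the process tree.
EXPORT_ORDINAL_1 = re.compile(r"\.dll,\s*#1(?!\d)")


def _base(path):
    """Lower-cased file name component of a Windows path ('' for no path)."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Process-creation shapes taken from the report's process tree."""
    img = _base(ev["image"])
    parent = _base(ev.get("parent_image", ""))
    cmd = ev.get("cmdline", "").lower()
    hits = []
    if img == "rundll32.exe" and EXPORT_ORDINAL_1.search(cmd):
        hits.append("rundll32.exe entering a DLL by export ordinal #1")
    if img == "mssecsvc.exe" and parent == "rundll32.exe":
        hits.append("rundll32.exe spawned mssecsvc.exe")
    if img == "mssecsvc.exe" and "-m security" in cmd:
        hits.append("mssecsvc.exe started with -m security")
    if img == "tasksche.exe" and parent == "mssecsvc.exe" and cmd.rstrip().endswith("/i"):
        hits.append("mssecsvc.exe spawned tasksche.exe /i")
    return hits


def check_file(ev):
    """File drops matching the two paths the report lists."""
    return [f"dropped {ev['target']}"] if ev["target"].lower() in DROPPED_FILES else []


def check_registry(ev):
    """ZoneMap writes that match both the value name and the data the report shows."""
    key = ev["key"].lower().rstrip("\\")
    name, data = ev["value"].lower(), str(ev["data"])
    if key == ZONEMAP_KEY and ZONEMAP_VALUES.get(name) == data:
        return [f"ZoneMap\\{ev['value']} = {data}"]
    return []


RULES = {"process_create": check_process, "file_create": check_file, "reg_set": check_registry}


def scan(events):
    """Return (pid, finding) pairs for every event that matches a rule."""
    return [(ev["pid"], hit) for ev in events
            for hit in RULES.get(ev["type"], lambda _ev: [])(ev)]


def hash_matches(data):
    """True when bytes (e.g. a file read from disk) hash to the report's MD5 and SHA256."""
    return (hashlib.md5(data).hexdigest() == SAMPLE_MD5
            and hashlib.sha256(data).hexdigest() == SAMPLE_SHA256)


# Constructed events mirroring the report's PIDs, paths and registry writes
# (not real telemetry), plus two benign controls that must not fire.
_DLL = r"C:\Users\Admin\AppData\Local\Temp\a774c7e970b2c25f3d7aef04ae70d88c_JaffaCakes118.dll"
_ZM = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" + "\\"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2368, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {_DLL},#1"},
    {"type": "process_create", "pid": 1268, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "parent_image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {_DLL},#1"},
    {"type": "file_create", "pid": 1268, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "target": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "process_create", "pid": 4044, "image": r"C:\WINDOWS\mssecsvc.exe",
     "parent_image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "file_create", "pid": 4044, "image": r"C:\WINDOWS\mssecsvc.exe",
     "target": r"C:\WINDOWS\tasksche.exe"},
    {"type": "process_create", "pid": 1880, "image": r"C:\WINDOWS\tasksche.exe",
     "parent_image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    # The report records no parent for the -m security instance, so none is given here.
    {"type": "process_create", "pid": 1620, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"type": "reg_set", "pid": 1620, "image": r"C:\WINDOWS\mssecsvc.exe",
     "key": _ZM, "value": "AutoDetect", "data": "0"},
    {"type": "reg_set", "pid": 1620, "image": r"C:\WINDOWS\mssecsvc.exe",
     "key": _ZM, "value": "ProxyBypass", "data": "1"},
    # Benign controls: an ordinary rundll32 call, and a ZoneMap value with different data.
    {"type": "process_create", "pid": 5000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "reg_set", "pid": 5001, "image": r"C:\Windows\explorer.exe",
     "key": _ZM, "value": "AutoDetect", "data": "1"},
]

if __name__ == "__main__":
    for pid, finding in scan(SAMPLE_EVENTS):
        print(f"PID {pid}: {finding}")
```

Against the constructed events every process in the report's tree (2368, 1268, 4044, 1880, 1620) is flagged and neither control fires; the registry rule requires the exact data the report shows, so an AutoDetect value of "1" written by explorer.exe is ignored. To check a file on disk, pass its bytes to hash_matches().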
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
  Filesize: 3.6MB
  MD5: 31bde1b99268b625c812b14e0485a712
  SHA1: a684c84b711f004b82a7b109eff9a8b7f2d8cc8c
  SHA256: 82b91702df30926c292961ad561642f8fca5708100b04e80fd5f5dbc4adb64ab
  SHA512: 1a21e8a5ec1e792f73fc8965fc108ac06eec5d3703661478a35a3c2df06ef38d9182f9968724247ec2c4c3f466f53fffa2fd67ec03505417c0307ab8e6321b7c

File 2
  Filesize: 3.4MB
  MD5: 9a98585a1a7731c399ab8b69d689cc38
  SHA1: 4f381aebb919ad89455f1023be6331534a8f7a9a
  SHA256: dd39f84b3fb064c1f4e795ed3c0c617e0cd598b10508c5ea3f9d4ff4ea88eb71
  SHA512: 6bdc6c410d2dc667a63bc749b4a83104a847cc7b1c84fc6dc5c27fa72132ab880e941d74552984b0698e80178d65a5c92588b3f93e3ad62392f821af10b99bca