Analysis

- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 03:38

Static task: static1

Behavioral task: behavioral1
- Sample: a7e032c3c1dd18dd0e23ba33f640da6b_JaffaCakes118.dll
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: a7e032c3c1dd18dd0e23ba33f640da6b_JaffaCakes118.dll
- Resource: win10v2004-20240611-en

General

- Target: a7e032c3c1dd18dd0e23ba33f640da6b_JaffaCakes118.dll
- Size: 5.0MB
- MD5: a7e032c3c1dd18dd0e23ba33f640da6b
- SHA1: 7cbd4ed0329a173f765e485d1c9e2a5dfaa28dda
- SHA256: f40617cc37ea7fb45f1bf5d17bc8c0f9ae45dafad84cd4102532999446be1c33
- SHA512: 05c62ee03f4200c5b2ed85d672dc33bb540d9d8c71564cbfbc802f6fd62cf2d0628457686198d56d63be035b981f058d18982a2f8cf1183204c2b9047fb647c1
- SSDEEP: 98304:+DqgH1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:+Dqk1Cxcxk3ZAEUadzR8yc4H
Malware Config
Signatures

- WannaCry
  WannaCry is a ransomware cryptoworm.

- Contacts a large number (2970) of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid   process
    2008  mssecsvc.exe
    1052  mssecsvc.exe
    3160  tasksche.exe

- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description   ioc                      process
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe

- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
    description      ioc                                                                                              process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                 mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    mssecsvc.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                         pid   process       target process
    PID 1908 wrote to memory of 4516    1908  rundll32.exe  rundll32.exe
    PID 1908 wrote to memory of 4516    1908  rundll32.exe  rundll32.exe
    PID 1908 wrote to memory of 4516    1908  rundll32.exe  rundll32.exe
    PID 4516 wrote to memory of 2008    4516  rundll32.exe  mssecsvc.exe
    PID 4516 wrote to memory of 2008    4516  rundll32.exe  mssecsvc.exe
    PID 4516 wrote to memory of 2008    4516  rundll32.exe  mssecsvc.exe
Processes

- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7e032c3c1dd18dd0e23ba33f640da6b_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1908

  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7e032c3c1dd18dd0e23ba33f640da6b_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 4516

    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2008

      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 3160

- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 1052
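The process tree, the two file drops, the ZoneMap writes and the host fan-out above are the behaviours a detection engineer would want to turn into rules. The script below is an added example, not part of this report or of the sandbox's own tooling: it replays those behaviours against a constructed, Sysmon-like event stream and runs five rules over it. The image paths, command lines, PIDs, registry value names and values are taken from the report; the record layout and field names, the parent PIDs of the two root processes, the destination addresses, the choice of port 445 for the sweep (the report records only the host count, not a port) and the 100-host threshold are assumptions made for the example.

```python
"""Replay the behaviours recorded in the report against a constructed log.

Added example, not sandbox-vendor code. Paths, PIDs, command lines and
registry values come from the report; the event layout, root parent PIDs,
destination addresses, port and threshold are assumptions.
"""
import re
from collections import defaultdict

DLL = r"C:\Users\Admin\AppData\Local\Temp\a7e032c3c1dd18dd0e23ba33f640da6b_JaffaCakes118.dll"
ZONEMAP = r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
SCAN_THRESHOLD = 100  # distinct hosts on one port from one process (assumption)


# Sysmon-style record builders: 1 = process create, 11 = file create,
# 13 = registry value set, 3 = network connection.
def proc(pid, ppid, image, cmd):
    return {"id": 1, "pid": pid, "ppid": ppid, "image": image, "cmd": cmd}

def filecreate(pid, image, target):
    return {"id": 11, "pid": pid, "image": image, "target": target}

def regset(pid, image, name, value):
    return {"id": 13, "pid": pid, "image": image, "target": ZONEMAP + "\\" + name, "value": value}

def connect(pid, image, dst, dport):
    return {"id": 3, "pid": pid, "image": image, "dst": dst, "dport": dport}


# Constructed log: the tree, drops and registry writes from the report, then a
# sweep from the service instance (addresses and port are made up).
EVENTS = [
    proc(1908, 800, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    proc(4516, 1908, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    filecreate(4516, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\WINDOWS\mssecsvc.exe"),
    proc(2008, 4516, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    filecreate(2008, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\tasksche.exe"),
    proc(3160, 2008, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    proc(1052, 700, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    regset(1052, r"C:\WINDOWS\mssecsvc.exe", "ProxyBypass", 1),
    regset(1052, r"C:\WINDOWS\mssecsvc.exe", "IntranetName", 1),
    regset(1052, r"C:\WINDOWS\mssecsvc.exe", "UNCAsIntranet", 1),
    regset(1052, r"C:\WINDOWS\mssecsvc.exe", "AutoDetect", 0),
] + [connect(1052, r"C:\WINDOWS\mssecsvc.exe", f"10.0.{i // 256}.{i % 256}", 445)
     for i in range(300)]

WANNACRY_CMDLINE = re.compile(r"\\mssecsvc\.exe\s+-m\s+security\b|\\tasksche\.exe\s+/i\b", re.I)


def run_rules(events, scan_threshold=SCAN_THRESHOLD):
    """Return {rule_name: sorted list of PIDs that triggered it}."""
    hits = defaultdict(set)
    dropped = set()            # lower-cased paths written by any process so far
    fanout = defaultdict(set)  # (pid, dport) -> distinct destination hosts
    for ev in events:
        image = ev["image"].lower()
        if ev["id"] == 11:
            target = ev["target"].lower()
            dropped.add(target)
            # A DLL host writing into the Windows directory is the first drop above.
            if image.endswith("\\rundll32.exe") and target.startswith("c:\\windows\\"):
                hits["rundll32_drops_in_windows_dir"].add(ev["pid"])
        elif ev["id"] == 1:
            # "Executes dropped EXE": the image was created earlier in this log.
            if image in dropped:
                hits["executes_dropped_exe"].add(ev["pid"])
            if WANNACRY_CMDLINE.search(ev["cmd"]):
                hits["wannacry_command_line"].add(ev["pid"])
        elif ev["id"] == 13:
            if ev["target"].lower().startswith(ZONEMAP.lower() + "\\"):
                hits["zonemap_modified_under_default_user"].add(ev["pid"])
        elif ev["id"] == 3:
            key = (ev["pid"], ev["dport"])
            fanout[key].add(ev["dst"])
            if len(fanout[key]) == scan_threshold:  # fire once, when the line is crossed
                hits[f"scan_port_{ev['dport']}"].add(ev["pid"])
    return {rule: sorted(pids) for rule, pids in hits.items()}


if __name__ == "__main__":
    for rule, pids in run_rules(EVENTS).items():
        print(f"{rule}: {pids}")
```

The "executes dropped EXE" rule deliberately keys on the file-create events seen earlier in the same log rather than on a fixed filename, which is why it returns the same three PIDs (1052, 2008, 3160) the report lists; the fan-out rule fires once per (process, port) pair so a sweep of 2970 hosts produces one alert, not thousands.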
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3.6MB
  MD5: 748b1b5dc4a8760bd2b3d6299f7f7213
  SHA1: f30fe40b9d2764870363f1fb0a3f5ac6145fea5e
  SHA256: 4a9101ada323760207a728969fd41057c5d4c8a1bdbb625056b7ae58bfb09a3d
  SHA512: 2b84f7052d0297e0d2c084b7d474290bf8158c25f3b84c255fca3429df7b9bc4e86567f88d7dc63f833e4e6a14a98e2f32c1fe9d34fe46afb7f298c3912a3da7

- Filesize: 3.4MB
  MD5: d055bc95146ce16e7a9b69fce631842e
  SHA1: 1d71e8e250add0fc16ae0472850def80f88a9c44
  SHA256: 99ac395b4b69a316fe58e10f5a1d6aacc10744d0e5dcbd49024c3b3b52791d4c
  SHA512: 7ffaa98c2496ff95967c82c7dcbf615bdd13a806c455f1f6664c49f7df5be7c559a262c1297511144442637ad6fccb69ca3478500d74f4d2d4d7ff950f7c4d28