Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 04:46
Static task: static1
Behavioral task: behavioral1
- Sample: a80b33ae1ceefbf0d864b297761c85dd_JaffaCakes118.dll
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: a80b33ae1ceefbf0d864b297761c85dd_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: a80b33ae1ceefbf0d864b297761c85dd_JaffaCakes118.dll
- Size: 5.0MB
- MD5: a80b33ae1ceefbf0d864b297761c85dd
- SHA1: 39c8486ebd2bf7052c886f84d1fa6c4c3fc4f013
- SHA256: a00b12e44cb4c3318330762c1e8ee9e2614867c4447b49b265a7634e4e852861
- SHA512: fddc01dcd3d53abba313bf531a0ff39362c908047c6b043b5f11b212c8e7e94ae80f0889b5ffc6f3b1eb6f8371d4fc4657a01225ef13fc72937548672d08cf1a
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626:SnAQqMSPbcBVQej/1INR
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2682) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  PID 1952 mssecsvc.exe
  PID 1228 mssecsvc.exe
  PID 2776 tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  File created: C:\WINDOWS\mssecsvc.exe (by rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (by mssecsvc.exe)
- Modifies data under HKEY_USERS (5 IoCs)
  Process: mssecsvc.exe
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  PID 2100 (rundll32.exe) wrote to memory of PID 5064 (rundll32.exe), 3 events
  PID 5064 (rundll32.exe) wrote to memory of PID 1952 (mssecsvc.exe), 3 events
Processes
- C:\Windows\system32\rundll32.exe (PID 2100)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a80b33ae1ceefbf0d864b297761c85dd_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 5064)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a80b33ae1ceefbf0d864b297761c85dd_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1952)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2776)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1228)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
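The behaviour chain that the Signatures and Processes sections above record, turned into detection logic. This is an added example and not the sandbox's own signature code or anything from the original report; the pipe-delimited event format, the function names, and the parent PIDs 1800 and 600 in the sample telemetry are assumptions, and the 300-host fan-out stands in for the 2682 hosts the report counted. It flags the four observable behaviours: execution of an EXE that an earlier file write created, the rundll32 → dropped-EXE → child chain inside the Windows directory (which the separately started "-m security" instance does not match), ZoneMap writes under the .DEFAULT hive, and a per-process distinct-remote-host count.

```python
"""Detection logic for the behaviour chain in the report above. This is an added
example, not the sandbox's own signature code; the event format and helper names
are assumptions. Events are 'kind|pid|ppid|image|detail' lines: proc (detail =
command line), file (path created), reg (value path=data) or net (host:port)."""
import collections

WINDOWS_DIR = "C:\\WINDOWS\\"
ZONEMAP_DEFAULT = ("\\REGISTRY\\USER\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\"
                   "CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP\\")

# Constructed telemetry modelled on the report: PIDs, paths and registry values
# match it; the parent PIDs 1800 and 600 are assumed (the report does not list them).
SAMPLE_EVENTS = """\
proc|2100|1800|C:\\Windows\\system32\\rundll32.exe|rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\a80b33ae1ceefbf0d864b297761c85dd_JaffaCakes118.dll,#1
proc|5064|2100|C:\\Windows\\SysWOW64\\rundll32.exe|rundll32.exe C:\\Users\\Admin\\AppData\\Local\\Temp\\a80b33ae1ceefbf0d864b297761c85dd_JaffaCakes118.dll,#1
file|5064|2100|C:\\Windows\\SysWOW64\\rundll32.exe|C:\\WINDOWS\\mssecsvc.exe
proc|1952|5064|C:\\WINDOWS\\mssecsvc.exe|C:\\WINDOWS\\mssecsvc.exe
file|1952|5064|C:\\WINDOWS\\mssecsvc.exe|C:\\WINDOWS\\tasksche.exe
proc|2776|1952|C:\\WINDOWS\\tasksche.exe|C:\\WINDOWS\\tasksche.exe /i
proc|1228|600|C:\\WINDOWS\\mssecsvc.exe|C:\\WINDOWS\\mssecsvc.exe -m security
reg|1228|600|C:\\WINDOWS\\mssecsvc.exe|\\REGISTRY\\USER\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\ProxyBypass=1
reg|1228|600|C:\\WINDOWS\\mssecsvc.exe|\\REGISTRY\\USER\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\IntranetName=1
reg|1228|600|C:\\WINDOWS\\mssecsvc.exe|\\REGISTRY\\USER\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\UNCAsIntranet=1
reg|1228|600|C:\\WINDOWS\\mssecsvc.exe|\\REGISTRY\\USER\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\AutoDetect=0
"""


def parse_events(text):
    """Parse the constructed line format into event dicts (chronological order)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            kind, pid, ppid, image, detail = line.split("|", 4)
            events.append({"kind": kind, "pid": int(pid), "ppid": int(ppid),
                           "image": image, "detail": detail})
    return events


def ancestor_images(events, pid):
    """Lower-cased image paths of pid's ancestors, nearest first, from proc events."""
    tree = {e["pid"]: (e["image"], e["ppid"]) for e in events if e["kind"] == "proc"}
    out, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        pid = tree[pid][1]
        if pid in tree:
            out.append(tree[pid][0].lower())
    return out


def dropped_exe_executions(events):
    """'Executes dropped EXE': a process whose image an earlier file event created.
    Returns (pid, image, dropper_pid) tuples."""
    dropped, hits = {}, []
    for e in events:
        if e["kind"] == "file":
            dropped[e["detail"].lower()] = e["pid"]
        elif e["kind"] == "proc" and e["image"].lower() in dropped:
            hits.append((e["pid"], e["image"], dropped[e["image"].lower()]))
    return hits


def rundll32_drop_chain(events):
    """The report's chain: rundll32 loads the DLL, drops an EXE into the Windows
    directory, and that EXE (or a descendant) runs. Returns the PIDs involved;
    the separately started '-m security' instance has no rundll32 ancestor."""
    return [pid for pid, image, _ in dropped_exe_executions(events)
            if image.upper().startswith(WINDOWS_DIR)
            and any(a.endswith("\\rundll32.exe") for a in ancestor_images(events, pid))]


def zonemap_default_hive_writes(events):
    """'Modifies data under HKEY_USERS': ZoneMap values written under the .DEFAULT
    hive. Returns {pid: {value_name: data}}."""
    out = collections.defaultdict(dict)
    for e in events:
        if e["kind"] == "reg":
            path, _, data = e["detail"].partition("=")
            if path.upper().startswith(ZONEMAP_DEFAULT):
                out[e["pid"]][path[len(ZONEMAP_DEFAULT):]] = data
    return dict(out)


def scan_like_fanout(events, threshold=100):
    """'Contacts a large number of remote hosts': distinct remote hosts per PID.
    The threshold is an assumed tuning value; the report counted 2682 hosts."""
    hosts = collections.defaultdict(set)
    for e in events:
        if e["kind"] == "net":
            hosts[e["pid"]].add(e["detail"].rsplit(":", 1)[0])
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= threshold}


def constructed_events():
    """SAMPLE_EVENTS plus a synthetic fan-out of 300 connections to 445/tcp from
    the service instance, standing in for the report's 2682 hosts (constructed)."""
    lines = SAMPLE_EVENTS.splitlines()
    lines += [f"net|1228|600|C:\\WINDOWS\\mssecsvc.exe|10.0.{i // 256}.{i % 256}:445"
              for i in range(300)]
    return parse_events("\n".join(lines))


if __name__ == "__main__":
    evs = constructed_events()
    print("dropped EXE runs:", dropped_exe_executions(evs))
    print("rundll32 drop chain PIDs:", rundll32_drop_chain(evs))
    print("ZoneMap writes under .DEFAULT:", zonemap_default_hive_writes(evs))
    print("scan-like fan-out:", scan_like_fanout(evs))
```

On the sample telemetry the dropped-EXE rule matches PIDs 1952, 2776 and 1228 (the report's three IoCs), the rundll32 chain rule matches only 1952 and 2776, and the ZoneMap rule attributes all four value writes to PID 1228. Writes landing under HKEY_USERS\.DEFAULT rather than a logged-on user's hive are consistent with that instance running as a service, which is why the chain and registry rules together separate the initial drop from the persistence stage.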
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 466986e368d9ed44c708aae2c707578c
  SHA1: 462b6d41fd4d26fc0f87a91c553730a50efb9b62
  SHA256: b0ab77621ba7362b29d29acd42f79e5a03748c3b0e73791e2a4f33b938e10279
  SHA512: 67dde24c20874dacb5d2c003096fba9c4f0e081ac0c578c6ecdbfbdb8c4fbd3aa2aae8d5da9238109af32b576c89fea17f5bba35cb9e3e8b10405f7c3b892024
- Filesize: 3.4MB
  MD5: 3cb84024a4143e76401de7b8c5e0fbf5
  SHA1: e7a88ee92809a399cf6a0ddf0e363b9649e99614
  SHA256: 3f611d1e66c61213948d31e9e67c263cd87c24fbb8373d923bf6408b2ddaecf2
  SHA512: b0d732e436a1e7dd67bf47b02ff16272ce81defd83afb0edb595e3cbb76e801687d399950bf454b3a9fd6c77ebfe278e3a31dee59e5002859c2e06c280732b39