Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 09:28
Static task: static1

Behavioral task: behavioral1
  Sample: a8f823503d00a4109daae94eaca52d01_JaffaCakes118.dll
  Resource: win7-20240611-en

Behavioral task: behavioral2
  Sample: a8f823503d00a4109daae94eaca52d01_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
General

Target: a8f823503d00a4109daae94eaca52d01_JaffaCakes118.dll
Size: 5.0MB
MD5: a8f823503d00a4109daae94eaca52d01
SHA1: 1cc861a4b4fe676c23f661fdfc46e1b0fd33c9a4
SHA256: 396dd4f9315945f760e943f01b2d8a3ba0c2ccbfdb5a710b8f8cf792b546d493
SHA512: 7250b2d16edae7e02b0fc0af3e6b20d4c193070526d8d84b3709d68985318f4413817fb32d92336c83ae2398d05e18817a79d0f3dc391b66f7259585a4f9d0ed
SSDEEP: 49152:znAQqMSCNRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEcaEau3:TDqgRxcSUDk36SAEdhvxWa9P593
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3149) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    5096  mssecsvc.exe
    4196  mssecsvc.exe
    2668  tasksche.exe

- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                       process
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe

- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description      ioc                                                                                                       process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\               mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      mssecsvc.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        pid   process       target process
    PID 3736 wrote to memory of 4948   3736  rundll32.exe  rundll32.exe
    PID 3736 wrote to memory of 4948   3736  rundll32.exe  rundll32.exe
    PID 3736 wrote to memory of 4948   3736  rundll32.exe  rundll32.exe
    PID 4948 wrote to memory of 5096   4948  rundll32.exe  mssecsvc.exe
    PID 4948 wrote to memory of 5096   4948  rundll32.exe  mssecsvc.exe
    PID 4948 wrote to memory of 5096   4948  rundll32.exe  mssecsvc.exe
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8f823503d00a4109daae94eaca52d01_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   PID: 3736

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a8f823503d00a4109daae94eaca52d01_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 4948

      3. C:\WINDOWS\mssecsvc.exe
         Command line: C:\WINDOWS\mssecsvc.exe
         - Executes dropped EXE
         - Drops file in Windows directory
         PID: 5096

         4. C:\WINDOWS\tasksche.exe
            Command line: C:\WINDOWS\tasksche.exe /i
            - Executes dropped EXE
            PID: 2668

1. C:\WINDOWS\mssecsvc.exe
   Command line: C:\WINDOWS\mssecsvc.exe -m security
   - Executes dropped EXE
   - Modifies data under HKEY_USERS
   PID: 4196
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3.6MB
  MD5: db748a2b115c816e15c9581df5ac464e
  SHA1: 7576c96193e26bc44dcd4bfabdb2a9716d9438e4
  SHA256: b691fa1e6cf4a5d14ac7dd55d8e5ec9421ad8fba6d31f6102da3f3ba9d2c1f09
  SHA512: 366c7c76ebfa5a3fddf11b583295ac34035e38dc71ee4ab9fe7cec9e4efd029f0d44bf9ccb1ee6c25be8945c79a5a39be358d41310436ea0289ff1aca88b22f7

- Filesize: 3.4MB
  MD5: da00941503e61f0d9d0fe5431cb9e5e1
  SHA1: 0cf1e1cd804613e0b8e17e874e1270c81ebfb199
  SHA256: 3c4f89b8592fd9bc70ad56ece32f8ce4e701c42edfe521f00e47d844ea9f9299
  SHA512: f86cce23d0d511d60ba4487c4d84d5b45f837035de9e3582548ad728422c0ba063138738e07abc8956904805b94ad6de4d51eebcd5448b005625d344cedddb67