Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 10:44
Static task: static1
Behavioral task: behavioral1
  Sample: a941a68efba98916c3543124d545c929_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a941a68efba98916c3543124d545c929_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: a941a68efba98916c3543124d545c929_JaffaCakes118.dll
- Size: 5.0MB
- MD5: a941a68efba98916c3543124d545c929
- SHA1: 4f6aab140aba41adfc5d221403f85a64db4ac2bc
- SHA256: 2b0d7eb0e2a1f3c200116060867fe80b0bfc88c666fd4a1cf7bf22e39f3aed61
- SHA512: 0436620adf71ae00b416e6676b94365ec210db79308df93653faba3565730626064a64f146f70b124f6743599efd0b97f69405ed4beeac15de1c4067847b3f81
- SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM:TDqPoBhz1aRxcSUDk36SAEdhvxW
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2680) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    1492  mssecsvc.exe
    1800  mssecsvc.exe
    2904  tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 3084 wrote to memory of 3420  3084  rundll32.exe  rundll32.exe
    PID 3084 wrote to memory of 3420  3084  rundll32.exe  rundll32.exe
    PID 3084 wrote to memory of 3420  3084  rundll32.exe  rundll32.exe
    PID 3420 wrote to memory of 1492  3420  rundll32.exe  mssecsvc.exe
    PID 3420 wrote to memory of 1492  3420  rundll32.exe  mssecsvc.exe
    PID 3420 wrote to memory of 1492  3420  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 3084)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a941a68efba98916c3543124d545c929_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3420)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a941a68efba98916c3543124d545c929_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1492)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2904)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1800)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 4f462abe5292853d6328e356305de4be
  SHA1: 57944a10d863969799fcc190ff1c7ebc3d723e8f
  SHA256: 4b0c97e31fa57560606e1841305aec8e5983a4f0230d387e4a13dc7878cc958a
  SHA512: 733ec291b13b92bac78d6c5334e474714814ada0a3d94157852e11c9ae0279d4ddef67b2685dd217e01cc050773e6af46cdf8f663d1d36ca188f720cd68cf48a
- Filesize: 3.4MB
  MD5: 4560ce126cc34e33839f4bafbeb801b0
  SHA1: ad3d81e70e7206fa255c12cbd3f863dfb72fb12c
  SHA256: 5facb4bca8b6a43fcf064b33c80c8727633fdc2532b2e66402b5cd954109cde0
  SHA512: 1aa20fe3e776def514c3b6035ff17e19373d07f0f4d8a39144484b31a8ba6368357d9db07b99e544ed27f7ee4856fd4fe50fea7f5aa7e85e408da7645f036d03