Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-06-2024 22:57

Static task: static1

Behavioral task: behavioral1
Sample: b08b35744e52a38a52f0c8a8d34a003a_JaffaCakes118.dll
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: b08b35744e52a38a52f0c8a8d34a003a_JaffaCakes118.dll
Resource: win10v2004-20240508-en
General
Target: b08b35744e52a38a52f0c8a8d34a003a_JaffaCakes118.dll
Size: 5.0MB
MD5: b08b35744e52a38a52f0c8a8d34a003a
SHA1: 5cdb0d30ebe0979185e78f88c2503b8df9564a52
SHA256: 8244770d31ed59a1d757dde65a2bfa0cdac088e7f11d57f99100cee47aac7f46
SHA512: 6f7697f1ca88ed106ff8cb8961ca535894f0b9ae4b68e16390a8cb6487844d24a44898bcd62849f77785ae47175ae2e6d90bd3f40c91e32cf2c66dfbeea7398d
SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P59cyAVp2H:TDqPe1Cxcxk3ZAEUadYyc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (2684) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  4472  mssecsvc.exe
  3828  mssecsvc.exe
  436   tasksche.exe

- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe

- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  description      ioc                                                                                                          process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                        pid   process       target process
  PID 2172 wrote to memory of 4952   2172  rundll32.exe  rundll32.exe
  PID 2172 wrote to memory of 4952   2172  rundll32.exe  rundll32.exe
  PID 2172 wrote to memory of 4952   2172  rundll32.exe  rundll32.exe
  PID 4952 wrote to memory of 4472   4952  rundll32.exe  mssecsvc.exe
  PID 4952 wrote to memory of 4472   4952  rundll32.exe  mssecsvc.exe
  PID 4952 wrote to memory of 4472   4952  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b08b35744e52a38a52f0c8a8d34a003a_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2172
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b08b35744e52a38a52f0c8a8d34a003a_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 4952
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 4472
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 436

- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 3828
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: f427eb980d9d212790d2c82e2de16f04
  SHA1: 2a535ca6a301cabce28e4571f3247a307c85a85c
  SHA256: 6bdb3786bf861522359386d2cc5d017e0e06e1fe5cbd1f1be43eee24f3def897
  SHA512: 07482258f76f238dc7afe9f1f77913daf10f6f89ad5243b0e1d6751da8b857604e097effea1dcbebaca6f0028bc2edbe71bcc53787a7fc8c0a01ccbf6bc793c7

- Filesize: 3.4MB
  MD5: 7888f1f4e712ba42b2c5e6f02422b7ba
  SHA1: e71c10b85284f572620705e530b6aba644f3732d
  SHA256: 8995cf65e9f0630a66a405507271f7f42b6c1cf59b9c17e0fd6608857736cd59
  SHA512: 11373e6954032dc0b6576613368ec7ef6a26fdb8f4c73b7a5ecc15ad889ff90926c0ef1c0e89f4f3e6d400f6b2146c75f89f8715c896fe4cfc932bf8a5b30f43