Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
15-06-2024 00:02
Static task
static1
Behavioral task
behavioral1
Sample
ac23310d6d7ec72dc84de280e09f3a22_JaffaCakes118.dll
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
ac23310d6d7ec72dc84de280e09f3a22_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
ac23310d6d7ec72dc84de280e09f3a22_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
ac23310d6d7ec72dc84de280e09f3a22
-
SHA1
22cce1bbd3d23979de07d2d4b894eecb666536cf
-
SHA256
ef81a0b0ec5572f1094c8a64e02d552d3a1cd1cf68ed41743d4f6d16aedb539c
-
SHA512
f2aa64320ea083b4bfb260f282dd19c9d5e050381043a8e3e94544b70b0266b5787777ed7b6ed5e503b5719c057f792744ddcc1b5d2b18d3e5df60c1f2b6ae16
-
SSDEEP
24576:zbLgddQhfdmMSirYbcMNgef0QeQ56LLuYAMEcpcL7nEaut/8uN:znAQqMSPbcBVQe1AMEcaEau3
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (2684) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1500 mssecsvc.exe 3224 mssecsvc.exe 3324 tasksche.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 3920 wrote to memory of 348 3920 rundll32.exe rundll32.exe PID 3920 wrote to memory of 348 3920 rundll32.exe rundll32.exe PID 3920 wrote to memory of 348 3920 rundll32.exe rundll32.exe PID 348 wrote to memory of 1500 348 rundll32.exe mssecsvc.exe PID 348 wrote to memory of 1500 348 rundll32.exe mssecsvc.exe PID 348 wrote to memory of 1500 348 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ac23310d6d7ec72dc84de280e09f3a22_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ac23310d6d7ec72dc84de280e09f3a22_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:348 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1500 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:3324
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3224
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD52bb2b6e91bb173eb2b2b9c5853d7a555
SHA119a092b2606d18052fca01357ef887bec8c5cfa9
SHA256639da161f3af3013153a5ed74788c23126b6ee4e13ccf64f0c046f2f5817856c
SHA51255335cbbdef874b56fe5791c5d8638264239a0ce2bb6d19dec2998bcaa76e0f145424d81d5171581c704f0026a68244d15d2d9d352f32e9613dc416ebc0e5fae
-
Filesize
3.4MB
MD5cfa00c14186099176e1aeae3c4d8492d
SHA15cbdf2a6057d0508705a1d0a1ffd356516f5ae1b
SHA256c2dd07e89d92b8c57c37fdce051391823063650a7b30e8d398035b227d3ef951
SHA51215fd60705b6673570d063bd84995f23cee9f4183b94d59cd7a2043294177f0d0dfd4fff10666a1bb735120d32d806e8d301c937386b36ed21bc3a0e1bf398848