Analysis

max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-06-2024 05:55
Static task: static1

Behavioral task: behavioral1
  Sample: ad143d855ed6fe12573a7b09efd6ee5b_JaffaCakes118.dll
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: ad143d855ed6fe12573a7b09efd6ee5b_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
General

Target: ad143d855ed6fe12573a7b09efd6ee5b_JaffaCakes118.dll
Size: 5.0MB
MD5: ad143d855ed6fe12573a7b09efd6ee5b
SHA1: 52f74369c47090ff862a28af995ed32feb942c05
SHA256: 6c16edaca2f239d81cdf8209fdd224471960bf458dbba23c44f19fe86d716e7c
SHA512: beb64b9d37d043a21cab369f62ee52f0531e9eb71b742d7e9438d704485533f685ac3109376cff76b1559a3ba4814a9ce708be079fa37787056b0c9181e34204
SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SASdhvxWa9P593R8sJ:TDqPe1Cxcxk3ZASUadzR8s
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3335) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  PID   Process
  1744  mssecsvc.exe
  3108  mssecsvc.exe
  2456  tasksche.exe

- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  Description   IoC                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe

- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  Description      IoC                                                                                                  Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                      mssecsvc.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  Description                        PID   Process       Target process
  PID 4272 wrote to memory of 1520   4272  rundll32.exe  rundll32.exe
  PID 4272 wrote to memory of 1520   4272  rundll32.exe  rundll32.exe
  PID 4272 wrote to memory of 1520   4272  rundll32.exe  rundll32.exe
  PID 1520 wrote to memory of 1744   1520  rundll32.exe  mssecsvc.exe
  PID 1520 wrote to memory of 1744   1520  rundll32.exe  mssecsvc.exe
  PID 1520 wrote to memory of 1744   1520  rundll32.exe  mssecsvc.exe
Processes

- C:\Windows\system32\rundll32.exe (PID 4272)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad143d855ed6fe12573a7b09efd6ee5b_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1520)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad143d855ed6fe12573a7b09efd6ee5b_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1744)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2456)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

- C:\WINDOWS\mssecsvc.exe (PID 3108)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
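The signatures and process tree above are host indicators that can be checked against endpoint telemetry. The script below is an added example, not part of the sandbox report or its tooling: it encodes the report's dropped-file paths, ZoneMap registry values, parent/child process pairs, command-line switches and file hashes, and runs them over constructed event records whose fields loosely follow Sysmon EventID 1 (process create), 11 (file create) and 13 (registry value set). The sample events are constructed here, not taken from the report; in particular the report shows mssecsvc.exe -m security at tree depth 1 without its parent, so the services.exe parent in the sample is an assumption.

```python
"""Match this report's host indicators against constructed endpoint telemetry.

Added example, not part of the sandbox report. Event dicts are constructed and
loosely follow Sysmon EventID 1 / 11 / 13 field names; the report has no log lines.
"""
import re
from typing import Any, Dict, List, Optional

# --- Indicators taken from the report above -------------------------------
DROPPED_FILES = {r"c:\windows\mssecsvc.exe", r"c:\windows\tasksche.exe"}

# The report spells the key \REGISTRY\USER\.DEFAULT\...; Sysmon logs it as HKU\.DEFAULT\...
ZONEMAP_KEY = r"hku\.default\software\microsoft\windows\currentversion\internet settings\zonemap"
ZONEMAP_VALUES = {"proxybypass": 1, "intranetname": 1, "uncasintranet": 1, "autodetect": 0}

# Parent -> child pairs from the process tree, plus the two switches it shows.
PROCESS_CHAIN = {("rundll32.exe", "mssecsvc.exe"), ("mssecsvc.exe", "tasksche.exe")}
SERVICE_ARGS = "-m security"
SCHEDULER_ARGS = "/i"

KNOWN_HASHES = {
    "ad143d855ed6fe12573a7b09efd6ee5b": "submitted DLL (MD5)",
    "6c16edaca2f239d81cdf8209fdd224471960bf458dbba23c44f19fe86d716e7c": "submitted DLL (SHA256)",
    "478a30349e40d90f90f54e5e440e7265": "3.6MB download (MD5)",
    "0cb6eddf35473a5904a2b56bd391efec": "3.4MB download (MD5)",
}

def basename(path: str) -> str:
    """Lower-cased final path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def normalize_reg(path: str) -> str:
    """Map the sandbox (\\REGISTRY\\USER\\...) and Sysmon (HKU\\...) spellings onto one form."""
    p = path.strip("\\").lower()
    for prefix in ("registry\\user\\", "hkey_users\\"):
        if p.startswith(prefix):
            p = "hku\\" + p[len(prefix):]
    return p

def parse_dword(details: str) -> Optional[int]:
    """Sysmon renders DWORD values as 'DWORD (0x00000001)'."""
    m = re.search(r"0x([0-9a-fA-F]+)", details)
    return int(m.group(1), 16) if m else None

def match_event(ev: Dict[str, Any]) -> List[str]:
    """Return the report indicators one event matches; an empty list means no match."""
    hits: List[str] = []
    eid = ev.get("id")
    if eid == 11 and ev.get("target", "").lower() in DROPPED_FILES:
        hits.append("dropped file " + ev["target"])
    if eid == 1:
        parent, child = basename(ev.get("parent", "")), basename(ev.get("image", ""))
        if (parent, child) in PROCESS_CHAIN:
            hits.append(f"process chain {parent} -> {child}")
        cmd = ev.get("cmdline", "").lower()
        if child == "mssecsvc.exe" and SERVICE_ARGS in cmd:
            hits.append("mssecsvc.exe started with -m security")
        if child == "tasksche.exe" and cmd.rstrip().endswith(" " + SCHEDULER_ARGS):
            hits.append("tasksche.exe started with /i")
    if eid == 13:
        key, _, name = normalize_reg(ev.get("target", "")).rpartition("\\")
        if key == ZONEMAP_KEY and name in ZONEMAP_VALUES:
            if parse_dword(ev.get("details", "")) == ZONEMAP_VALUES[name]:
                hits.append(f"ZoneMap\\{name} set to {ZONEMAP_VALUES[name]}")
    return hits

def scan(events: List[Dict[str, Any]]) -> List[List[str]]:
    """One hit list per event, in input order."""
    return [match_event(e) for e in events]

def lookup_hash(digest: str) -> Optional[str]:
    """Case-insensitive lookup of a hex digest against the report's hashes."""
    return KNOWN_HASHES.get(digest.strip().lower())

# --- Constructed telemetry (not from the report) ---------------------------
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"id": 11, "image": r"C:\Windows\SysWOW64\rundll32.exe", "target": r"C:\WINDOWS\mssecsvc.exe"},
    {"id": 1, "parent": r"C:\Windows\SysWOW64\rundll32.exe", "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"id": 13, "image": r"C:\WINDOWS\mssecsvc.exe", "details": "DWORD (0x00000000)",
     "target": r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect"},
    {"id": 1, "parent": r"C:\WINDOWS\mssecsvc.exe", "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    # The report shows this launch at depth 1 without a parent; services.exe is an assumption.
    {"id": 1, "parent": r"C:\Windows\System32\services.exe", "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    # Benign: same value under a real user's hive rather than .DEFAULT, so no match.
    {"id": 13, "image": r"C:\Windows\explorer.exe", "details": "DWORD (0x00000000)",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect"},
]

if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(ev["id"], ev.get("image"), "->", hits or "no match")
```

The registry check keys on the `.DEFAULT` hive specifically, because the report shows mssecsvc.exe writing ZoneMap values there while running as a service; the same four values under a signed-in user's SID are ordinary Internet Explorer zone settings and are deliberately left unmatched. Hash lookups are exact-match only, so a recompiled or padded variant will not hit on the hash table and must be caught by the behavioural rules instead.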
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3.6MB
  MD5: 478a30349e40d90f90f54e5e440e7265
  SHA1: 37cb981546d53825323cd39f952f06fb7d110a27
  SHA256: 834390249a1c816b43be8f7049c3b9e288f918f375b484a936c834de5f9078a5
  SHA512: 25580efcf94bbcf7e0ced87c9a362620013d0f322d433810c1d52cc12bdfc538eaffb84d97ee00ccf8dc6580e7bdc6d63ca68398797a29427849c206bf32945a

- Filesize: 3.4MB
  MD5: 0cb6eddf35473a5904a2b56bd391efec
  SHA1: 8111594e887e972bed1d9c3ab08fd324dcc4deaa
  SHA256: f9d55d230e908a6005593b0941840fffb83475ef69014ba20e81dea56309fd42
  SHA512: 86627a974f9bade1222792ec978ae51c0de5571db66627e06a4d9fde5e100d4e3d267aaa9c1544a18793c8d55147bb603a31872df478dd238a547f32eb808e6a