Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-06-2024 07:12
Static task: static1
Behavioral task: behavioral1
- Sample: ad45992cb43e2046e375822501519b5a_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: ad45992cb43e2046e375822501519b5a_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: ad45992cb43e2046e375822501519b5a_JaffaCakes118.dll
- Size: 5.0MB
- MD5: ad45992cb43e2046e375822501519b5a
- SHA1: bcb0e897c806cdc8c150bc3e0d861d8409fbcdad
- SHA256: 56642eea5aba32106c2a63a6ecdf08c694cbd6840417e7d6ad8b9b828499a576
- SHA512: 6b6d6122851c1a8c45aa69ae649e0653b26a46d9a68089db1555ff6a52b7229e175bfd52b56adfaaf1915c0a9590cdfca40239ffc5924ccb72039f38e6f0e97f
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAVR8yAH1plAH:+DqPoBhz1aRxcSUDk36SA0R8yAVp2H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm. The files dropped into C:\WINDOWS (mssecsvc.exe and tasksche.exe) and the second mssecsvc.exe instance started with -m security are the file names and service-mode argument of the known WannaCry dropper, which installs itself as a Windows service and relaunches with that argument.
- Contacts a large (2671) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  pid   process
  1332  mssecsvc.exe
  3496  mssecsvc.exe
  5012  tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  description   ioc                       process
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
  description      ioc                                                                                                                process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                        mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"      mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"       mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                        pid   process       target process
  PID 1172 wrote to memory of 1796   1172  rundll32.exe  rundll32.exe
  PID 1172 wrote to memory of 1796   1172  rundll32.exe  rundll32.exe
  PID 1172 wrote to memory of 1796   1172  rundll32.exe  rundll32.exe
  PID 1796 wrote to memory of 1332   1796  rundll32.exe  mssecsvc.exe
  PID 1796 wrote to memory of 1332   1796  rundll32.exe  mssecsvc.exe
  PID 1796 wrote to memory of 1332   1796  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad45992cb43e2046e375822501519b5a_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:1172
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad45992cb43e2046e375822501519b5a_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1796
    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:1332
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:5012
- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:3496
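The process tree and the registry and network signatures above, turned into detection logic, as an added example that is not part of the sandbox report. It runs three checks over constructed event records that mirror the report: the rundll32.exe parent spawning C:\WINDOWS\mssecsvc.exe, which in turn spawns tasksche.exe /i, plus the second mssecsvc.exe started with -m security; the four ZoneMap values written under HKEY_USERS\.DEFAULT; and per-process destination fan-out behind the "contacts a large number of remote hosts" signature. The event schema (pid, ppid, image, cmdline, key, name, value, dst), the parent PIDs 900 and 600, the notepad.exe noise rows, the 300 constructed destination addresses and the 256-host threshold are all assumptions made for the example.

```python
"""Detection logic for the WannaCry chain shown in the report above.

Added example, not code from the sandbox or the report. All event records
are constructed here to mirror the report's process tree, registry IoCs and
host fan-out; the field names are an assumed schema, not any EDR/SIEM format.
"""
import re

DLL = r"C:\Users\Admin\AppData\Local\Temp\ad45992cb43e2046e375822501519b5a_JaffaCakes118.dll"

# Constructed process-creation events mirroring the report's process tree
# (parent PIDs 900/600 and the notepad.exe row are invented noise).
PROCESS_EVENTS = [
    {"pid": 1172, "ppid": 900, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 1796, "ppid": 1172, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 1332, "ppid": 1796, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 5012, "ppid": 1332, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 3496, "ppid": 600, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"pid": 4000, "ppid": 900, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

ZONEMAP = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"

# Constructed registry-set events mirroring the HKEY_USERS IoCs; the pid 4000
# row is noise that touches only one value and must not match.
REGISTRY_EVENTS = [
    {"pid": 3496, "key": ZONEMAP, "name": n, "value": v}
    for n, v in (("ProxyBypass", 1), ("IntranetName", 1), ("UNCAsIntranet", 1), ("AutoDetect", 0))
] + [{"pid": 4000, "key": ZONEMAP, "name": "AutoDetect", "value": 0}]

# Constructed outbound connections: pid 1332 fans out to 300 distinct hosts
# (the report saw 2671), pid 4000 contacts one.
CONNECTION_EVENTS = [
    {"pid": 1332, "dst": f"10.0.{i // 256}.{i % 256}"} for i in range(300)
] + [{"pid": 4000, "dst": "10.0.0.1"}]


def image_name(path):
    """Basename of an image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def find_dropper_chain(events):
    """Return (finding, pid) pairs for the parent/child relationships the report shows."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = image_name(parent["image"]) if parent else ""
        if name == "mssecsvc.exe" and pname == "rundll32.exe":
            findings.append(("rundll32.exe spawned mssecsvc.exe", e["pid"]))
        if name == "tasksche.exe" and pname == "mssecsvc.exe" and e["cmdline"].rstrip().endswith(" /i"):
            findings.append(("mssecsvc.exe spawned tasksche.exe /i", e["pid"]))
        if name == "mssecsvc.exe" and re.search(r"\s-m\s+security\s*$", e["cmdline"]):
            findings.append(("mssecsvc.exe relaunched with -m security", e["pid"]))
    return findings


EXPECTED_ZONEMAP = {"ProxyBypass": 1, "IntranetName": 1, "UNCAsIntranet": 1, "AutoDetect": 0}


def find_zonemap_tamper(events):
    """Sorted PIDs that wrote the full set of HKU\\.DEFAULT ZoneMap values seen in the report."""
    per_pid = {}
    for e in events:
        if e["key"].lower() == ZONEMAP.lower():
            per_pid.setdefault(e["pid"], {})[e["name"]] = e["value"]
    return sorted(pid for pid, vals in per_pid.items()
                  if all(vals.get(k) == v for k, v in EXPECTED_ZONEMAP.items()))


def find_fanout(events, threshold=256):
    """Map pid -> distinct destination count for PIDs contacting at least `threshold` hosts."""
    dsts = {}
    for e in events:
        dsts.setdefault(e["pid"], set()).add(e["dst"])
    return {pid: len(s) for pid, s in dsts.items() if len(s) >= threshold}


if __name__ == "__main__":
    for finding, pid in find_dropper_chain(PROCESS_EVENTS):
        print(f"[chain]   pid {pid}: {finding}")
    for pid in find_zonemap_tamper(REGISTRY_EVENTS):
        print(f"[zonemap] pid {pid}: set ProxyBypass/IntranetName/UNCAsIntranet/AutoDetect under HKU\\.DEFAULT")
    for pid, n in find_fanout(CONNECTION_EVENTS).items():
        print(f"[fanout]  pid {pid}: {n} distinct hosts")
```

On real telemetry the three inputs correspond to Sysmon process creation (event ID 1), network connection (event ID 3) and registry value set (event ID 13) records; the fan-out threshold is arbitrary and should be tuned against the host's normal baseline, since the report's count of 2671 is far above what a workstation process reaches legitimately.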
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: b7de0e3d563ed16a13549c10904db556
  SHA1: 3e07aa72f32f1f4e57c1350f47cad8aba7472d6f
  SHA256: 1fb6c222ec5f4c80fafb22deec5046d9341ec5757d8d253376a21af0c03f2a92
  SHA512: 1130d04e763726b3e6a723f07720d4ac4c087cd9911d914d9dd14772d8ff8b25008dd5ea742763fa45fecfaae2cd38da5ff397f0e75c2043a33a4af48c674794
- Filesize: 3.4MB
  MD5: 34254469a1eeea38c6afd1a98bec0495
  SHA1: 946e0608b9804cd0aad52c5ee2f71a9aae358967
  SHA256: c2371619ab716c65d3f05f82b85b144dbf1f4928cc1ed23963423c6267bd034a
  SHA512: 5498b8f645c2ee922a50d5c229826d26af4ef8c4d39ed9675fa903e66609e0413ccd2d1a3b36eeb8fb886bd7de56e2172377d62a3de9ffde373b2d5a38fc4cf8