Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
15-06-2024 09:09
Static task
static1
Behavioral task
behavioral1
Sample
adb052afc3a5dcef371014ee6c301e2f_JaffaCakes118.dll
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
adb052afc3a5dcef371014ee6c301e2f_JaffaCakes118.dll
Resource
win10v2004-20240611-en
General
-
Target
adb052afc3a5dcef371014ee6c301e2f_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
adb052afc3a5dcef371014ee6c301e2f
-
SHA1
51ddea9f9dba70af190e6b9eb7dea696398ea3e1
-
SHA256
27549a91bec864f1cc2342341759e484b8ae9e3ee278fb310739cd1a088bab42
-
SHA512
5cab08d141e8b2d2e0bec90477337f0fd2181e999a3a195c395d1da032da0a22b5ca043a2b55afda339d7682f39d20171eac1cd9647bf6f4f042ddcddb731b76
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INczcLh2+dnOscK:+DqPoBhz1aczcLh2+dnOscK
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3283) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1896 mssecsvc.exe 2068 mssecsvc.exe 3428 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2484 wrote to memory of 2368 2484 rundll32.exe rundll32.exe PID 2484 wrote to memory of 2368 2484 rundll32.exe rundll32.exe PID 2484 wrote to memory of 2368 2484 rundll32.exe rundll32.exe PID 2368 wrote to memory of 1896 2368 rundll32.exe mssecsvc.exe PID 2368 wrote to memory of 1896 2368 rundll32.exe mssecsvc.exe PID 2368 wrote to memory of 1896 2368 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\adb052afc3a5dcef371014ee6c301e2f_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\adb052afc3a5dcef371014ee6c301e2f_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1896 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:3428
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2068
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD541a5c6abab1dff49e824adc98b5b78ff
SHA1de5ec3062727d685bc9ba04cffbc6194461ac59b
SHA2561b183526cd528e63abd3b0031e7e8a3c91cfb763e026402f9cc6344e8d24b052
SHA512afee2628df62535ada7a9035a192356d48e834f9252235b36dd401aa32eb717d652c8fae7cbb03e18e67dbef7af7e047f9d3dcb96c10de10a1310d1696523756
-
Filesize
3.4MB
MD50105ad83ed267920306c85c72a535c79
SHA1296a1f40add02ba8510f23fd6ad4e918481ea811
SHA25613875254a6284abc95e310df07feb6ee0bfb88bec025ac8da3d45c14d4b2c1da
SHA51254654c030f18c7dea1832b9484a1311d9ec0dc89831cde208885fc7b1ee65fc55cab4c7d54ac93082d8537062e3b1224d1b1c6f0b62ee517916d8cf86367d8ac