Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-06-2024 08:46
Static task: static1
Behavioral task: behavioral1
- Sample: ad9a429162ba44c3e9a67f961c6cf772_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: ad9a429162ba44c3e9a67f961c6cf772_JaffaCakes118.dll
- Resource: win10v2004-20240611-en
General
- Target: ad9a429162ba44c3e9a67f961c6cf772_JaffaCakes118.dll
- Size: 5.0MB
- MD5: ad9a429162ba44c3e9a67f961c6cf772
- SHA1: 7f1889d024d276c8f5b89858cdcb86603ed27b4f
- SHA256: 5ac61f72e937a61eb969759f64a5a4060153dc315d5deadfd2d2d84f109bbd79
- SHA512: 6ab21a2005d0db99e3cb0bf329d0edeb9b798de23acb1b7be065881f4eb7a2aba038a3079f51ef20e7e8e6cb4ba4f1a6f9307c4bda4ddc78c779a58da5acb8ff
- SSDEEP: 49152:SnAQqMSPbcBVzAMEcaEau3R8yAH1plAH:+DqPoB5593R8yAVp2H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3246) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid | process
  5016 | mssecsvc.exe
  3012 | mssecsvc.exe
  4904 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 1928 wrote to memory of 3344 | 1928 | rundll32.exe | rundll32.exe
  PID 1928 wrote to memory of 3344 | 1928 | rundll32.exe | rundll32.exe
  PID 1928 wrote to memory of 3344 | 1928 | rundll32.exe | rundll32.exe
  PID 3344 wrote to memory of 5016 | 3344 | rundll32.exe | mssecsvc.exe
  PID 3344 wrote to memory of 5016 | 3344 | rundll32.exe | mssecsvc.exe
  PID 3344 wrote to memory of 5016 | 3344 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad9a429162ba44c3e9a67f961c6cf772_JaffaCakes118.dll,#1
  PID: 1928
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad9a429162ba44c3e9a67f961c6cf772_JaffaCakes118.dll,#1
    PID: 3344
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 5016
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4904
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3012
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: c4981707b52e51df0841f0476894d6db
  SHA1: f62d2fa3ed07c86d3f7643ce2bfe6bbda050d151
  SHA256: e44250667e1f107a2425402b355171c19fe63b0b0de625ed952234c31e0fe262
  SHA512: 3d7e7d714f03a657eb2a1c34a7cfbab6a6bc811dac5a4d8cd60ac57f36726c188c0ab662b1e22e662a107576d105ed518405a1b795023a72f6bdaebdcc9486c4
- Filesize: 3.4MB
  MD5: 846bb9842a13355a8398ca894e8d00c1
  SHA1: a2eb535c89fd44a3fcaa2b2e4ad51b6227717aed
  SHA256: 241dbd92f8dee3168efd05fdb6c3402129fa9701d032f98974febc1e2980166b
  SHA512: 84b6c141b8ad61c27f7ce2f6837dd129629371568107e0d132d2a72cedc8506147dfe8ed63b9c98607aefbb0d4e876fe2aeb47508ec49d6a0b798389afcb183b