Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-06-2024 12:32

Static task: static1
Behavioral task: behavioral1
- Sample: ae71e9ba6e85f9c40b52b2c467b4131c_JaffaCakes118.dll
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: ae71e9ba6e85f9c40b52b2c467b4131c_JaffaCakes118.dll
- Resource: win10v2004-20240611-en

The results on this page are from the behavioral2 run (the win10v2004 resource listed under platform above).
General
- Target: ae71e9ba6e85f9c40b52b2c467b4131c_JaffaCakes118.dll
- Size: 5.0MB
- MD5: ae71e9ba6e85f9c40b52b2c467b4131c
- SHA1: 93eea8186db083b07e1919bf02e9f1830140683e
- SHA256: 8e051501bdc76a807f6f9fac9c35e0486cfe569387e83cc02db8f457831f7f41
- SHA512: 96d37b967f79faeae1b955472bd730a279c530db07d96af282f278a23946dc71321015b90a513290992211b809daafd80a25746b164e480280e3ecba22dfc414
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTtW9bXZROAx:+DqPoBhz1aRxcSUtW9J
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3169) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    968   mssecsvc.exe
    1744  mssecsvc.exe
    772   tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (all five by mssecsvc.exe):
    description      ioc
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (each write is recorded three times by the sandbox):
    pid   process       wrote to memory of   target process
    4140  rundll32.exe  2408                 rundll32.exe
    4140  rundll32.exe  2408                 rundll32.exe
    4140  rundll32.exe  2408                 rundll32.exe
    2408  rundll32.exe  968                  mssecsvc.exe
    2408  rundll32.exe  968                  mssecsvc.exe
    2408  rundll32.exe  968                  mssecsvc.exe
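The signature rows above are derived by the sandbox from raw process, file, registry and network events. The following is an added example, not the sandbox's own code, that re-derives the same signature families from a constructed event log mirroring this report's PIDs, paths and registry values. The event schema, the "ppid 0" convention for top-level processes, the destination port and the host/flow thresholds are assumptions; the point it makes that the page does not is that "many flows" and "many distinct hosts" are separate counts and should be kept separate.

```python
# Added example, not the sandbox's own code: a minimal behavioural-signature pass
# over sandbox-style events that re-derives the signature families in this report.
# The event log is constructed to mirror the report's PIDs, paths and registry
# values; the event schema, the thresholds, the destination port and the
# "ppid 0" convention for top-level processes are assumptions.
from collections import defaultdict

ZONEMAP = (r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows"
           r"\CurrentVersion\Internet Settings\ZoneMap")
DLL = r"C:\Users\Admin\AppData\Local\Temp\ae71e9ba6e85f9c40b52b2c467b4131c_JaffaCakes118.dll"


def build_events():
    """Constructed event log as (kind, pid, image, details) tuples. file_create
    events precede the process_create that runs the file, as in a real trace."""
    ev = [
        ("process_create", 4140, "rundll32.exe",
         {"ppid": 0, "path": r"C:\Windows\system32\rundll32.exe", "cmd": f"rundll32.exe {DLL},#1"}),
        ("process_create", 2408, "rundll32.exe",
         {"ppid": 4140, "path": r"C:\Windows\SysWOW64\rundll32.exe", "cmd": f"rundll32.exe {DLL},#1"}),
        ("file_create", 2408, "rundll32.exe", {"path": r"C:\WINDOWS\mssecsvc.exe"}),
        ("process_create", 968, "mssecsvc.exe",
         {"ppid": 2408, "path": r"C:\WINDOWS\mssecsvc.exe", "cmd": r"C:\WINDOWS\mssecsvc.exe"}),
        ("file_create", 968, "mssecsvc.exe", {"path": r"C:\WINDOWS\tasksche.exe"}),
        ("process_create", 772, "tasksche.exe",
         {"ppid": 968, "path": r"C:\WINDOWS\tasksche.exe", "cmd": r"C:\WINDOWS\tasksche.exe /i"}),
        ("process_create", 1744, "mssecsvc.exe",
         {"ppid": 0, "path": r"C:\WINDOWS\mssecsvc.exe", "cmd": r"C:\WINDOWS\mssecsvc.exe -m security"}),
        ("registry_create", 1744, "mssecsvc.exe", {"key": ZONEMAP}),
    ]
    for name, data in (("ProxyBypass", 1), ("IntranetName", 1), ("UNCAsIntranet", 1), ("AutoDetect", 0)):
        ev.append(("registry_set", 1744, "mssecsvc.exe", {"key": ZONEMAP, "value": name, "data": data}))
    # The report records each cross-process write three times; mirror that.
    for src, dst in ((4140, 2408), (2408, 968)):
        ev.extend(("write_process_memory", src, "rundll32.exe", {"target_pid": dst}) for _ in range(3))
    # 3169 flows to 3169 distinct hosts from the "-m security" instance (port is assumed).
    for i in range(3169):
        ev.append(("net_flow", 1744, "mssecsvc.exe", {"dst": f"10.0.{i >> 8}.{i & 255}", "dport": 445}))
    return ev


def executes_dropped_exe(events):
    """A process whose image path was created earlier in the same run."""
    dropped, hits = set(), []
    for kind, pid, image, d in events:
        if kind == "file_create":
            dropped.add(d["path"].lower())
        elif kind == "process_create" and d["path"].lower() in dropped:
            hits.append((pid, image))
    return hits


def drops_file_in_windows_dir(events, windir="c:\\windows\\"):
    return [(d["path"], image) for kind, pid, image, d in events
            if kind == "file_create" and d["path"].lower().startswith(windir)]


def modifies_hkey_users(events, hive="\\REGISTRY\\USER\\"):
    out = []
    for kind, pid, image, d in events:
        if kind == "registry_create" and d["key"].upper().startswith(hive):
            out.append(("Key created", d["key"] + "\\", image))
        elif kind == "registry_set" and d["key"].upper().startswith(hive):
            out.append(("Set value (int)", f'{d["key"]}\\{d["value"]} = "{d["data"]}"', image))
    return out


def cross_process_writes(events):
    """WriteProcessMemory into a PID other than the caller's own."""
    return [(pid, image, d["target_pid"]) for kind, pid, image, d in events
            if kind == "write_process_memory" and d["target_pid"] != pid]


def network_summary(events):
    """Per-process (flow count, distinct destination hosts). Keep both:
    3000 flows to one host is a different signal from one flow to each of 3000 hosts."""
    flows, hosts = defaultdict(int), defaultdict(set)
    for kind, pid, image, d in events:
        if kind == "net_flow":
            flows[(pid, image)] += 1
            hosts[(pid, image)].add(d["dst"])
    return {k: (flows[k], len(hosts[k])) for k in flows}


def run_signatures(events, host_threshold=1000, flow_threshold=1000):
    """Return {signature name: [IoCs]}; the thresholds are assumptions."""
    sigs = {
        "Executes dropped EXE": executes_dropped_exe(events),
        "Drops file in Windows directory": drops_file_in_windows_dir(events),
        "Modifies data under HKEY_USERS": modifies_hkey_users(events),
        "Suspicious use of WriteProcessMemory": cross_process_writes(events),
    }
    for (pid, image), (nflows, nhosts) in network_summary(events).items():
        if nhosts >= host_threshold:
            sigs.setdefault("Contacts a large amount of remote hosts", []).append((pid, image, nhosts))
        if nflows >= flow_threshold:
            sigs.setdefault("Creates a large amount of network flows", []).append((pid, image, nflows))
    return sigs


if __name__ == "__main__":
    for name, iocs in run_signatures(build_events()).items():
        print(f"{name}: {len(iocs)} IoCs; first: {iocs[0]}")
```

Run as a script it prints one line per signature with the IoC count, matching the counts in the table above (3, 2, 5, 6, 1, 1). The "Executes dropped EXE" rule is the one worth copying into real detection content: it keys on the executed image path having appeared as a file-create target earlier in the same trace, which is why both the child mssecsvc.exe (PID 968) and the separately started "-m security" instance (PID 1744) are flagged.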
Processes
Each entry gives the image path with PID and tree depth, then the command line. The ",#1" argument calls the DLL's export by ordinal 1; the 64-bit rundll32.exe in system32 handing the DLL to the SysWOW64 copy is rundll32's normal re-launch for a 32-bit module. The second mssecsvc.exe instance (PID 1744) runs with "-m security" and has no parent inside this tree.
- C:\Windows\system32\rundll32.exe (PID 4140, level 1)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae71e9ba6e85f9c40b52b2c467b4131c_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2408, level 2)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae71e9ba6e85f9c40b52b2c467b4131c_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 968, level 3)
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 772, level 4)
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1744, level 1)
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: c401944ecf7a4e179776ab6a3361a9de
  SHA1: a0f35b374147ad559581e80c9cdab73f8d466068
  SHA256: 7ad8f33638095c9fdbf19cf76298fa6b289f7e8b54020b02da0e45f417183aae
  SHA512: 0d2e969b33769d303e36ff3a1ac67c4a1b4a7062eef0d694bf634964b45c7d81171b7e2246bbf3380a61d9f4c205e116ca56706fd365e9fa82ca5a29a51e66a0
- Filesize: 3.4MB
  MD5: 2d0034f3b51564e3351da23b48b02f4b
  SHA1: ff13439259e915e5f5cc59d0bd80b6c9e590d69b
  SHA256: 4a4ffa6740649ff9b369b398ae9af3e0dc0fcce97b3c98ee3379f1d41fff168f
  SHA512: 64561222ad29783ae540bb49e7fc9156f648f59bc822de6d68199834ed8332c68296a61b90f8abdcc6bb5872d5edbc2f1498a401ca64a66892d42b46ffbf29df