Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-06-2024 15:25
Static task: static1
Behavioral task: behavioral1
- Sample: af15853ba75f038f0ec9b256c953db26_JaffaCakes118.dll
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: af15853ba75f038f0ec9b256c953db26_JaffaCakes118.dll
- Resource: win10v2004-20240611-en
General
- Target: af15853ba75f038f0ec9b256c953db26_JaffaCakes118.dll
- Size: 5.0MB
- MD5: af15853ba75f038f0ec9b256c953db26
- SHA1: 0e6454be8f386a253ce50350f7e592d6e37f485a
- SHA256: 3318cd377e99133380674c6fcb5f845d04a7c3c9698b0a10eed5c50fdff13b25
- SHA512: 6eae530eda00894c7c04a22ccbfaadcf915a4f0b84991c42c90d24c2f5f898f0e8d553895485802ecf45385cfa61b2562c066d8bda28df14bb6539746e27d923
- SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8:TDqPe1Cxcxk3ZAEUadzR8
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3290) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    4292  mssecsvc.exe
    4264  mssecsvc.exe
    1008  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 768 wrote to memory of 3560   768   rundll32.exe  rundll32.exe
    PID 768 wrote to memory of 3560   768   rundll32.exe  rundll32.exe
    PID 768 wrote to memory of 3560   768   rundll32.exe  rundll32.exe
    PID 3560 wrote to memory of 4292  3560  rundll32.exe  mssecsvc.exe
    PID 3560 wrote to memory of 4292  3560  rundll32.exe  mssecsvc.exe
    PID 3560 wrote to memory of 4292  3560  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\af15853ba75f038f0ec9b256c953db26_JaffaCakes118.dll,#1
  PID: 768
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\af15853ba75f038f0ec9b256c953db26_JaffaCakes118.dll,#1
    PID: 3560
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command: C:\WINDOWS\mssecsvc.exe
      PID: 4292
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command: C:\WINDOWS\tasksche.exe /i
        PID: 1008
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4264
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 38eb23176b98ab5b2e3f0889b07a4549
  SHA1: 768d48eda8354e73a5144ba04fafc4eabc9b9109
  SHA256: caab28bd06cbf419db7ab2d9841b222d1507b8f446c2d86169e1b45e460d44d1
  SHA512: eacf34d469320e411143b419e7e16c237e3eb2da17be2185f1757f9ecf649ae246b835c2a92dbd775bc31b1e81740d7a65c815d32bfc4fe9da6f3f919dc403b0
- Filesize: 3.4MB
  MD5: 16a42dab43ceee83448d66af017f813f
  SHA1: cee73a8cf689f0d2f3a4930947f15a39e55803f0
  SHA256: 3e41be7f4946a6c5c858fa62b331a84f8a54c5fb8d42b412a6ccbdd3851015ba
  SHA512: 95bae8295680cb4c2c60038da8211d1ce9ef6895b375b3e36c1cb8eb7d99d609e4146a7697c7835cde1a41990036c2854aeaa086fcd9ebce7262dc51d2acf111