Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 02:38
Static task: static1
Behavioral task: behavioral1
  Sample: b15e71b5a031527708989dfae13bc628_JaffaCakes118.dll
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: b15e71b5a031527708989dfae13bc628_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: b15e71b5a031527708989dfae13bc628_JaffaCakes118.dll
Size: 5.0MB
MD5: b15e71b5a031527708989dfae13bc628
SHA1: 968f15028490863d26fc18d13067c098420f9f37
SHA256: 008e95f1485ce1bc0d4aab8b67cb8ee25f01b0d5d5d8503f7c062be97133786a
SHA512: 6d87a3fd962af7ee3557db33cdf6fa491c4ec13aded99b5b75a53b5eaee477f17b4f06a981bfcbde3286d75184c56b9e166f6f67573e532aea5b07a9a6007536
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9ONuE:+DqPe1Cxcxk3ZAEUa
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2662) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid / process):
    4776  mssecsvc.exe
    2248  mssecsvc.exe
    4716  tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description / ioc / process):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 4296 wrote to memory of 3972  rundll32.exe -> rundll32.exe  (3 events)
    PID 3972 wrote to memory of 4776  rundll32.exe -> mssecsvc.exe  (3 events)
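The fan-out heuristic behind the "Contacts a large (2662) amount of remote hosts" signature, as an added example that is not the sandbox's own detection logic: count distinct destination hosts per process and port and flag anything above a baseline. All events below are constructed; PID 4776, the image name mssecsvc.exe and the host count 2662 are taken from this report, while the IP addresses, the benign browser process, the threshold of 100 and the choice of port 445 (SMB, which WannaCry's worm component targets, a fact not stated on this page) are assumptions.

```python
"""Fan-out heuristic: flag any process that reaches an unusually large number
of distinct remote hosts on one port, the pattern behind the sandbox's
"Contacts a large amount of remote hosts" signature.
Added example, not code from the sandbox; all events below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class NetEvent:
    """One outbound connection attempt, as a network-connection log records it."""
    pid: int
    image: str
    dst_ip: str
    dst_port: int


def build_fanout(events):
    """Map (pid, image, dst_port) -> set of distinct destination IPs."""
    hosts = defaultdict(set)
    for e in events:
        hosts[(e.pid, e.image, e.dst_port)].add(e.dst_ip)
    return hosts


def flag_scanners(events, threshold=100):
    """Return [(pid, image, port, distinct_hosts)] for every process/port pair
    whose distinct-host count reaches the threshold, largest first.
    The threshold of 100 is an assumption for illustration; tune it against a
    baseline from your own hosts. The report's sample reached 2662 hosts."""
    out = [(pid, image, port, len(ips))
           for (pid, image, port), ips in build_fanout(events).items()
           if len(ips) >= threshold]
    return sorted(out, key=lambda r: -r[3])


def synthetic_sweep(pid, image, n, port=445):
    """Constructed burst: one attempt per host across 10.0.0.0/16 on a single
    port. Port 445 (SMB) is assumed here; the report page does not name a port."""
    return [NetEvent(pid, image, f"10.0.{i // 256}.{i % 256}", port) for i in range(n)]


# Constructed input: a benign browser with a few destinations, plus the dropped
# mssecsvc.exe (PID 4776 from the report) sweeping 2662 hosts (count from the report).
SAMPLE_EVENTS = (
    [NetEvent(1234, "chrome.exe", ip, 443)
     for ip in ("93.184.216.34", "142.250.74.46", "151.101.1.69")]
    + synthetic_sweep(4776, "mssecsvc.exe", 2662)
)

if __name__ == "__main__":
    for pid, image, port, n in flag_scanners(SAMPLE_EVENTS):
        print(f"pid {pid} {image}: {n} distinct hosts on port {port}")
```

In production the input would be Sysmon Event ID 3 or firewall connection logs bucketed by a time window. Keying on a single destination port is what separates a worm sweep (thousands of hosts, one port) from a busy but legitimate client (many hosts, many ports), so a threshold on distinct hosts alone would be noisier.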
Processes (indentation shows parent/child depth)
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b15e71b5a031527708989dfae13bc628_JaffaCakes118.dll,#1
   PID: 4296
   Signatures: Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b15e71b5a031527708989dfae13bc628_JaffaCakes118.dll,#1
      PID: 3972
      Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
      3. C:\WINDOWS\mssecsvc.exe
         Command line: C:\WINDOWS\mssecsvc.exe
         PID: 4776
         Signatures: Executes dropped EXE; Drops file in Windows directory
         4. C:\WINDOWS\tasksche.exe
            Command line: C:\WINDOWS\tasksche.exe /i
            PID: 4716
            Signatures: Executes dropped EXE
1. C:\WINDOWS\mssecsvc.exe
   Command line: C:\WINDOWS\mssecsvc.exe -m security
   PID: 2248
   Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
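The process tree and the registry signature above re-derived as detection logic, as an added example that is not the sandbox's own code: Sysmon-style process-creation and registry events are matched for rundll32.exe launching an EXE that sits directly in C:\WINDOWS\, for the "tasksche.exe /i" and "mssecsvc.exe -m security" command-line shapes, and for ZoneMap writes under HKEY_USERS\.DEFAULT. The records are hand-written to mirror the PIDs, paths and command lines on this page, not exported from the analysis; the parent PIDs 1000 and 0 for the two tree roots are assumptions, since the report does not show their parents.

```python
"""Re-derive the report's behavioural signatures from Sysmon-style process and
registry events. Added example, not the sandbox's own logic; the records below
are hand-written to mirror the PIDs, paths and command lines in the process
tree above, not exported from the analysis."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegEvent:
    pid: int
    image: str
    key: str
    value: str
    data: str


SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\b15e71b5a031527708989dfae13bc628_JaffaCakes118.dll"

# Constructed process-creation events. Parent PIDs 1000 and 0 are assumptions:
# the report shows the first rundll32.exe and the "-m security" instance as roots.
PROC_EVENTS = [
    ProcEvent(4296, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(3972, 4296, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcEvent(4776, 3972, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(4716, 4776, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcEvent(2248, 0, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
]

ZONEMAP = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
# Constructed registry writes: the four values the report attributes to mssecsvc.exe (PID 2248).
REG_EVENTS = [RegEvent(2248, "mssecsvc.exe", ZONEMAP, name, data) for name, data in
              (("ProxyBypass", "1"), ("IntranetName", "1"), ("UNCAsIntranet", "1"), ("AutoDetect", "0"))]

# An executable directly in C:\Windows\ (not System32 or SysWOW64), which is
# where the report shows both dropped binaries being written.
WINDIR_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_spawns_windir_exe(events):
    """(parent_pid, child_pid, child_image) where rundll32.exe launches an EXE
    living directly under C:\\Windows\\: the DLL-to-dropper hop in the tree."""
    by_pid = {e.pid: e for e in events}
    return [(e.ppid, e.pid, e.image) for e in events
            if e.ppid in by_pid and basename(by_pid[e.ppid].image) == "rundll32.exe"
            and WINDIR_EXE.match(e.image)]


def wannacry_cmdline_markers(events):
    """Command-line shapes seen in the tree: 'tasksche.exe /i' and
    'mssecsvc.exe -m security'. Arguments are everything after the first space,
    which is enough for these unquoted paths; it is not a general argv parser."""
    wanted = {("tasksche.exe", "/i"), ("mssecsvc.exe", "-m security")}
    hits = []
    for e in events:
        parts = e.cmdline.split(None, 1)
        args = parts[1].lower() if len(parts) == 2 else ""
        if (basename(e.image), args) in wanted:
            hits.append((e.pid, basename(e.image), args))
    return hits


def default_hive_zonemap_writes(events):
    """ZoneMap values written under HKEY_USERS\\.DEFAULT, the hive behind the
    LocalSystem profile. Writes there come from a service-context process,
    which matches the report attributing them to PID 2248 (-m security)."""
    return [(e.pid, e.value, e.data) for e in events
            if e.key.upper().startswith("\\REGISTRY\\USER\\.DEFAULT\\")
            and e.key.upper().endswith("\\ZONEMAP")]


def ancestry(events, pid):
    """Walk ppid links upward and render the chain leaf-first."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " <- ".join(chain)


if __name__ == "__main__":
    print(rundll32_spawns_windir_exe(PROC_EVENTS))
    print(wannacry_cmdline_markers(PROC_EVENTS))
    print(default_hive_zonemap_writes(REG_EVENTS))
    print(ancestry(PROC_EVENTS, 4716))
```

The rundll32 rule is the one worth keeping generic: a DLL loaded through rundll32.exe that then starts a freshly written EXE out of the Windows directory is unusual regardless of the file names, whereas the tasksche.exe and "-m security" markers are specific to this family and trivial for a variant to change.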
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 9cf00d9e192bab8f38daaa780492400a
  SHA1: 489951fddc8df27d10a4d0c7d5cc463fb7f41ff6
  SHA256: 5f2fc4508b53dd5afde0a841c04557a8f1f6a97be08d06f4b48a0396f1aa4c8b
  SHA512: 445faf1802925561e07665748da9cc44a34add4d19f04e09cb269b85f169bada47f39d4952e1e3cdabaad767569b3a56377537572e7215055a231f907bc3192b
- Filesize: 3.4MB
  MD5: 74a5f72a542da4d1acd1aa303e2869e9
  SHA1: 9a50a3e43a1f46c66684e29b69e80a6052201995
  SHA256: 540002fbb56b070bcc4525299713a740d58c469b4201f963866702332a04f2c9
  SHA512: 0ed70f97d14b4eb2dc4cb3567ddd5d902fe355f89589a32942819cf89e935bc94cc984b7cd6266c2e82de3f919932e88abb3e8c76277e63ba00730aa73f14d5f