Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 16-06-2024 04:39
Static task: static1
Behavioral task: behavioral1
  Sample: b1c22e18d7e3f126ba7692efe3092ffa_JaffaCakes118.dll
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: b1c22e18d7e3f126ba7692efe3092ffa_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
General
Target: b1c22e18d7e3f126ba7692efe3092ffa_JaffaCakes118.dll
Size: 5.0MB
MD5: b1c22e18d7e3f126ba7692efe3092ffa
SHA1: 8c945e136757b2a8cb889bdce0fdfdfbe6582504
SHA256: d8ca9921e14601f55d5d0aa81bf47ff2850531697ce50862a4c9489184a71768
SHA512: f7e1cfcfb39b20f2acc978916584a5b84cf56163d31c964dd403b9f4ecfa5753b3c2c316a57f9fdf20f7f07ba4dcadc6f3deea613a54a6e5c0001c5aaa2fe872
SSDEEP: 12288:yebLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7:zbLgddQhfdmMSirYbcMNge
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large number (3228) of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
1840  mssecsvc.exe
1432  mssecsvc.exe
4868  tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
description   ioc                       process
File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
description      ioc                                                                                                    process
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description                        pid   process       target process
PID 3680 wrote to memory of 4768   3680  rundll32.exe  rundll32.exe
PID 3680 wrote to memory of 4768   3680  rundll32.exe  rundll32.exe
PID 3680 wrote to memory of 4768   3680  rundll32.exe  rundll32.exe
PID 4768 wrote to memory of 1840   4768  rundll32.exe  mssecsvc.exe
PID 4768 wrote to memory of 1840   4768  rundll32.exe  mssecsvc.exe
PID 4768 wrote to memory of 1840   4768  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1c22e18d7e3f126ba7692efe3092ffa_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3680
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1c22e18d7e3f126ba7692efe3092ffa_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 4768
    - C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 1840
      - C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 4868
- C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 1432
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 3.6MB
MD5: 7f64fbc4ff36d8b483dee7393a75038f
SHA1: aaab184e716ef1e4e6307af3bf41de2933abee03
SHA256: 56dd97957b6e2af0c5ae0f6766a6fa1eea221f86acd78af8e0948ce05324ee04
SHA512: 5561982bdaa4075b9feabc1d8846392b315a26f1f4e2857bbd45ed4ec5f154672c6ee9a10e0205f767847d80b6105d67ab9d323f942d4416bcfe5e51800b30ed
-
Filesize: 3.4MB
MD5: 7d127b5927509092c87db2a5d433de3c
SHA1: 10ee49743677f8cf3120b7ff6423a6288f06b8ff
SHA256: cf57bdc54874f8541e54638f8c460b07fc48d8c79aef511c05260d77a5ec4bd9
SHA512: e86e510e88496475cd2f1db74146c1266f314625cb2909043f38fba2f1625b1d1a1127ca8dc4b27858dbd6403b149c5e16cf897c5ddda91dd347376613fa2b6a