Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-06-2024 04:23
Static task: static1
Behavioral task: behavioral1
- Sample: b1b508f6e48d032bfd9ad276f9c8f86d_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: b1b508f6e48d032bfd9ad276f9c8f86d_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: b1b508f6e48d032bfd9ad276f9c8f86d_JaffaCakes118.dll
- Size: 5.0MB
- MD5: b1b508f6e48d032bfd9ad276f9c8f86d
- SHA1: 7c8c3fb551840a92044581f442f338cc0666a9f0
- SHA256: d6434eea6725614187f29f4c1fb9436f2aa8b3a1f6f5b1658e739c2d0562eee3
- SHA512: b8dfc1b21772be73c89595df4c1c84190df07067aa0fc4b054d0fc28bdb6796f78ce667a7099c6176010d021cf36a0faa6365c35c56b4423d29cf3fc00b7d489
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626Wo/Gsl:SnAQqMSPbcBVQej/1INRAW+Gsl
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2673) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  pid   process
  232   mssecsvc.exe
  2984  mssecsvc.exe
  516   tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
  description      ioc                                                                                                            process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                       pid   process       target process
  PID 920 wrote to memory of 2932   920   rundll32.exe  rundll32.exe
  PID 920 wrote to memory of 2932   920   rundll32.exe  rundll32.exe
  PID 920 wrote to memory of 2932   920   rundll32.exe  rundll32.exe
  PID 2932 wrote to memory of 232   2932  rundll32.exe  mssecsvc.exe
  PID 2932 wrote to memory of 232   2932  rundll32.exe  mssecsvc.exe
  PID 2932 wrote to memory of 232   2932  rundll32.exe  mssecsvc.exe
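The "Contacts a large (2673) amount of remote hosts" signature is a fan-out count: one process opening connections to many distinct destinations inside a short window. The script below, an added example and not the sandbox's own code, implements that check as a sliding-window detector over connection records. The log line format, the 120 s window and the 100-host threshold are assumptions; the sample log is constructed here to reproduce the report's count (2673 distinct hosts for pid 232) on port 445, the SMB port WannaCry scans, which is also an assumption since the report itself lists no ports.

```python
"""Flag a process that contacts many distinct remote hosts in a sliding window.

Added example, not part of the sandbox report.  Log format, window and
threshold are assumptions; the sample log below is constructed data.
Records are assumed to be in time order per process."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) "
                     r"dst=(?P<host>[^:\s]+):(?P<port>\d+)$")


def parse_line(line):
    """Parse one connection record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "pid": int(m["pid"]),
            "image": m["image"], "host": m["host"], "port": int(m["port"])}


def find_scanners(lines, threshold=100, window=timedelta(seconds=120)):
    """Return {(pid, image): (peak distinct hosts, ports seen)} for every
    process that reached `threshold` distinct destination hosts within `window`."""
    state = defaultdict(lambda: {"events": deque(), "live": defaultdict(int), "ports": set()})
    peak = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["pid"], ev["image"])
        s = state[key]
        s["events"].append((ev["ts"], ev["host"]))
        s["live"][ev["host"]] += 1
        s["ports"].add(ev["port"])
        # Slide the window: forget connections older than `window` before this one.
        while ev["ts"] - s["events"][0][0] > window:
            _, old_host = s["events"].popleft()
            s["live"][old_host] -= 1
            if s["live"][old_host] == 0:
                del s["live"][old_host]
        peak[key] = max(peak.get(key, 0), len(s["live"]))
    return {k: (n, state[k]["ports"]) for k, n in peak.items() if n >= threshold}


def constructed_log():
    """Constructed sample: one benign process and one scanner (not real capture data)."""
    base = datetime(2024, 6, 16, 4, 24, 0)
    lines = []
    for i in range(20):  # svchost talking to a single host repeatedly
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} "
                     f"pid=1234 image=svchost.exe dst=10.0.0.2:443")
    for i in range(2673):  # 2673 distinct hosts in about 80 s, as in the report
        ts = base + timedelta(milliseconds=30 * i)
        host = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        lines.append(f"{ts.isoformat()} pid=232 image=mssecsvc.exe dst={host}:445")
    lines.append("garbage line that does not parse")  # exercised the None branch
    return lines


if __name__ == "__main__":
    for (pid, image), (hosts, ports) in find_scanners(constructed_log()).items():
        print(f"{image} pid {pid}: {hosts} distinct hosts, ports {sorted(ports)}")
```

Counting distinct hosts rather than raw connections is what separates a scanner from a chatty but legitimate process: svchost.exe in the sample makes 20 connections but only ever to one host, so it never reaches the threshold, while the scanning process is flagged with the full count once the window is wide enough to hold the sweep.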
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1b508f6e48d032bfd9ad276f9c8f86d_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 920
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1b508f6e48d032bfd9ad276f9c8f86d_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2932
    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 232
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 516
- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 2984
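The process tree and the IoC tables describe one chain: rundll32.exe loads the sample DLL by ordinal (`,#1`), the 32-bit rundll32.exe writes mssecsvc.exe into C:\WINDOWS and starts it, that process writes and starts tasksche.exe /i, a second mssecsvc.exe instance starts under a different parent with `-m security`, and that instance writes ZoneMap values under HKEY_USERS\.DEFAULT. The script below, an added example and not the sandbox's code, correlates process-creation, file-creation and registry events into those findings. The event records are constructed here in a Sysmon-like shape from the report's tree; the parent pids 500 and 700 for the two top-level processes and the benign explorer.exe/notepad.exe events are assumptions added for the demonstration.

```python
r"""Correlate process, file and registry events into the report's drop chain:
rundll32 loading a DLL by ordinal, dropped executables run from C:\WINDOWS,
a dropped executable relaunched under a parent outside the chain, and
ZoneMap writes under HKEY_USERS\.DEFAULT.

Added example, not the sandbox's code.  EVENTS is constructed from the
report's process tree; ppid 500/700 and the explorer/notepad records are
assumptions."""
import re
from pathlib import PureWindowsPath

ORDINAL_EXPORT = re.compile(r",#\d+\s*$")  # rundll32 <dll>,#N  (export by ordinal)
ZONEMAP_DEFAULT = ("\\REGISTRY\\USER\\.DEFAULT\\SOFTWARE\\MICROSOFT\\WINDOWS\\"
                   "CURRENTVERSION\\INTERNET SETTINGS\\ZONEMAP\\")
WINDOWS_DIR = PureWindowsPath("C:/Windows")

DLL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b1b508f6e48d032bfd9ad276f9c8f86d_JaffaCakes118.dll"
ZM = "\\REGISTRY\\USER\\.DEFAULT\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap\\"
MSSECSVC = "C:\\WINDOWS\\mssecsvc.exe"


def proc(pid, ppid, image, cmdline):
    return {"type": "ProcessCreate", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


def fcreate(pid, image, target):
    return {"type": "FileCreate", "pid": pid, "image": image, "target": target}


def regset(pid, image, target, value):
    return {"type": "RegistryValueSet", "pid": pid, "image": image, "target": target, "value": value}


# Constructed event stream: the report's tree plus benign noise (assumed ppids 500/700).
EVENTS = [
    proc(800, 1, "C:\\Windows\\explorer.exe", "explorer.exe"),
    proc(920, 500, "C:\\Windows\\system32\\rundll32.exe", f"rundll32.exe {DLL},#1"),
    proc(2932, 920, "C:\\Windows\\SysWOW64\\rundll32.exe", f"rundll32.exe {DLL},#1"),
    fcreate(2932, "C:\\Windows\\SysWOW64\\rundll32.exe", MSSECSVC),
    proc(232, 2932, MSSECSVC, MSSECSVC),
    fcreate(232, MSSECSVC, "C:\\WINDOWS\\tasksche.exe"),
    proc(516, 232, "C:\\WINDOWS\\tasksche.exe", "C:\\WINDOWS\\tasksche.exe /i"),
    proc(900, 800, "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),
    fcreate(800, "C:\\Windows\\explorer.exe", "C:\\Users\\Admin\\Desktop\\notes.txt"),
    proc(2984, 700, MSSECSVC, MSSECSVC + " -m security"),
    regset(2984, MSSECSVC, ZM + "ProxyBypass", "1"),
    regset(2984, MSSECSVC, ZM + "IntranetName", "1"),
    regset(2984, MSSECSVC, ZM + "UNCAsIntranet", "1"),
    regset(2984, MSSECSVC, ZM + "AutoDetect", "0"),
]


def correlate(events):
    """Return (rule, pid, detail) findings in event order."""
    findings = []
    dropped = {}   # lowercased path of a written .exe -> writer pid
    chain = set()  # pids that belong to the observed drop chain
    for ev in events:
        kind, pid, image = ev["type"], ev["pid"], ev["image"]
        if kind == "ProcessCreate":
            cmd = ev["cmdline"]
            in_chain = ev["ppid"] in chain
            if PureWindowsPath(image).name.lower() == "rundll32.exe" and ORDINAL_EXPORT.search(cmd):
                findings.append(("rundll32_ordinal_export", pid, cmd))
                in_chain = True
            writer = dropped.get(image.lower())
            if writer is not None:
                where = "Windows dir" if PureWindowsPath(image).parent == WINDOWS_DIR else "other dir"
                findings.append(("dropped_exe_executed", pid, f"{image} ({where}) written by pid {writer}"))
                if not in_chain:
                    # A dropped binary starting under a parent outside the chain is
                    # the service-style relaunch the report shows as "-m security".
                    findings.append(("dropped_exe_relaunched", pid, f"{cmd} parent={ev['ppid']}"))
                    in_chain = True
            if in_chain:
                chain.add(pid)
        elif kind == "FileCreate":
            if ev["target"].lower().endswith(".exe"):
                dropped[ev["target"].lower()] = pid
        elif kind == "RegistryValueSet":
            if ev["target"].upper().startswith(ZONEMAP_DEFAULT):
                findings.append(("zonemap_set_under_default", pid, f"{ev['target']} = {ev['value']}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in correlate(EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

The two rundll32.exe instances both trip the ordinal-export rule, the three launches of written executables (pids 232, 516 and 2984) trip the dropped-EXE rule, only pid 2984 is reported as relaunched because its parent is not in the chain, and the explorer.exe/notepad.exe noise produces nothing. Matching the ZoneMap path under `.DEFAULT` rather than a user hive is deliberate: that hive is what a process running as SYSTEM writes to, which is consistent with the `-m security` instance.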
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: cebc61bb7da1c54560be22c34b13b76c
  SHA1: e2ccb9ba6d7377b106a62a9968f093cb153095a2
  SHA256: 5e04837db4d06a38dd08cbf861f3415579f349e31e9ca998e318320671975d04
  SHA512: 254dfd5b8064c9a1861e782eda6e0553143a78878e03d0586fe38d54a9aab94ccd740872d29c9083c8d0d95d4915a5acf4ee1451f831ddf88f434fc97ac8f41f
- Filesize: 3.4MB
  MD5: 6d9e02cbc2b890d9ff66431c2d53b6e0
  SHA1: 8fb54d846f2a9411d36b14d98f45733e57c8f46d
  SHA256: 7df8f55ef753302be3c6fdf2c1f50c36a537f720f2ebbb3efc6cd054a4705e6d
  SHA512: ff17bc1ee5e95ecf0661dae1822cb59cec41555a62405d2124e6619a61320225be52a6f1664476918ac7561e0a34b579165b8946b3ed74057a77ddb80914dc72