Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
16-06-2024 09:34
Static task
static1
Behavioral task
behavioral1
Sample
b2ced5d50fb73c8573a4fc980640a3b2_JaffaCakes118.dll
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
b2ced5d50fb73c8573a4fc980640a3b2_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
b2ced5d50fb73c8573a4fc980640a3b2_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
b2ced5d50fb73c8573a4fc980640a3b2
-
SHA1
e50a7c2b8ca0d2b05d740135798ef5e21ee6e9e0
-
SHA256
63aac53096ad0110be6b85a9bfb3b3664e2201bdbfddb292edc90aa5142fd46b
-
SHA512
b043d4a7336329a811300794a57260d1783490a03e65ee490ca7df6f808df7c7bf4fa107a3d1d7fd0339815e32da352331b91047eafef3b9f09aedd708b80877
-
SSDEEP
98304:+DqPoBhz1aRxcSUDk36SAaU+f593R8yAVp2H:+DqPe1Cxcxk3ZAaUkzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (2685) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 4548 mssecsvc.exe 2948 mssecsvc.exe 3896 tasksche.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1748 wrote to memory of 1452 1748 rundll32.exe rundll32.exe PID 1748 wrote to memory of 1452 1748 rundll32.exe rundll32.exe PID 1748 wrote to memory of 1452 1748 rundll32.exe rundll32.exe PID 1452 wrote to memory of 4548 1452 rundll32.exe mssecsvc.exe PID 1452 wrote to memory of 4548 1452 rundll32.exe mssecsvc.exe PID 1452 wrote to memory of 4548 1452 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b2ced5d50fb73c8573a4fc980640a3b2_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b2ced5d50fb73c8573a4fc980640a3b2_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4548 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:3896
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2948
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5627a57a26cc16112a032043d131ea1f2
SHA19642819b121826929700e480518aea237c6168dd
SHA2568d4ad50d245d6da99d5aece8816fea46b570422d468ffd21fe1ba9074b4bad00
SHA5122cc96ec085cac79e56c3033f744e2c34c276938b46a497a6c00cb18affa68ad7f90bfe1eca559f224a64a33963fb6f51fb5dc54d833a63a0a66de817f76cfa79
-
Filesize
3.4MB
MD58baeda22710ff4b834b3c2bf3d97bc9e
SHA1c2d666ba1a0a6dbc66330d754fff4a6478f5a5b5
SHA256c3245e85f9d7969ae8cf3265429cb04cef3be9327e7d9fcb7018281ff1742618
SHA512b61ae9370f9c35ef94531e8672003260429537c1f9df6e6d3c4a77158aeafb583f80aec0aab9f903d08c94bbda00ba0a16cc3a0ee02c8ddd4ed1266141424a6f