Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 10:16
Static task: static1

Behavioral task: behavioral1
Sample: b2fa771f1bfd41dce4f01548dd3e068f_JaffaCakes118.dll
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: b2fa771f1bfd41dce4f01548dd3e068f_JaffaCakes118.dll
Resource: win10v2004-20240611-en
General

Target: b2fa771f1bfd41dce4f01548dd3e068f_JaffaCakes118.dll
Size: 5.0MB
MD5: b2fa771f1bfd41dce4f01548dd3e068f
SHA1: 9940c3edb984aa57715346c69fa814540a87a362
SHA256: 966808fedf628f70fc4c4585053dc92c0ff5653392752a63a5799360fbba700a
SHA512: 384df77116bfc3e780c9a73367d1b2cb83394bf3c137b2f9f014a4e7271e82082718fb6c742896ebf1d04b0e7968b0596290c4bb4e1b61025198697450e5bf7c
SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0INZtA0p+9XEk:SnAQqMSPbcBVIlAH
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3172) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  3700  mssecsvc.exe
  5020  mssecsvc.exe
  4752  tasksche.exe

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
Processes:
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
Processes:
  description      ioc                                                                                                           process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                        pid   process       target process
  PID 784 wrote to memory of 4680    784   rundll32.exe  rundll32.exe
  PID 784 wrote to memory of 4680    784   rundll32.exe  rundll32.exe
  PID 784 wrote to memory of 4680    784   rundll32.exe  rundll32.exe
  PID 4680 wrote to memory of 3700   4680  rundll32.exe  mssecsvc.exe
  PID 4680 wrote to memory of 3700   4680  rundll32.exe  mssecsvc.exe
  PID 4680 wrote to memory of 3700   4680  rundll32.exe  mssecsvc.exe
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2fa771f1bfd41dce4f01548dd3e068f_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 784

    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b2fa771f1bfd41dce4f01548dd3e068f_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 4680

        C:\WINDOWS\mssecsvc.exe
          command line: C:\WINDOWS\mssecsvc.exe
          - Executes dropped EXE
          - Drops file in Windows directory
          PID: 3700

            C:\WINDOWS\tasksche.exe
              command line: C:\WINDOWS\tasksche.exe /i
              - Executes dropped EXE
              PID: 4752

C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 5020
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.6MB
MD5: d57fcc1ba50a56046029fec58fc130fb
SHA1: ec48dbf27f867700d4b042e4b5a92104133599a9
SHA256: cbfe1f6eda09a33b98bbc86f10525619368355f7ee6a4fef8935b245ea10c180
SHA512: 7c0318fa3596494d88879ac05dea8d5e9a069cd60fea3dbe943c82093e71436c628570abad87888ed15bd55e8a45a7d679c80848a65b0d63093a79b6f3eb46f2

Filesize: 3.4MB
MD5: cd7d5e8c2a4477ad9fd7bee5bfa87a5d
SHA1: 73b0ae8a2901b6655ab097b765c51f8640ce3cbb
SHA256: 61544d4e6b6f59fd4ab32c0f11e1dd1f01e8caa16cb7b3333cb4d1d8f4456503
SHA512: 32948ca61a607d94021ad014b228f64deac76e566ceecf227c72e644e0bbd375a6e9a646c2dd59149170ad2b6c8c9384d2bf4591c4ce940d433fa14716632137