Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
16-06-2024 14:23
Static task
static1
Behavioral task
behavioral1
Sample
b3f780c1e13af722eb9665a5fbd1f125_JaffaCakes118.dll
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
b3f780c1e13af722eb9665a5fbd1f125_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
b3f780c1e13af722eb9665a5fbd1f125_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
b3f780c1e13af722eb9665a5fbd1f125
-
SHA1
505f2038b943dea44a0bfa28782be0326bfebf96
-
SHA256
f70f7f91fa783ff28d888e7a3cd71c748e5c09d65b28130ad703fde661488e24
-
SHA512
7d8213e94a3bde5bb1e54ae0ec9f920ad7e033e454f8387d3811d56127beb93115004955020d5f4e59d370ce0f70dab02be8bd6b49246289d1cdfb53b2099cc1
-
SSDEEP
98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5HRuDC2+:+DqPe1Cxcxk3ZAEUadzuDz
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (2697) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1148 mssecsvc.exe 2120 mssecsvc.exe 4060 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1732 wrote to memory of 3648 1732 rundll32.exe rundll32.exe PID 1732 wrote to memory of 3648 1732 rundll32.exe rundll32.exe PID 1732 wrote to memory of 3648 1732 rundll32.exe rundll32.exe PID 3648 wrote to memory of 1148 3648 rundll32.exe mssecsvc.exe PID 3648 wrote to memory of 1148 3648 rundll32.exe mssecsvc.exe PID 3648 wrote to memory of 1148 3648 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b3f780c1e13af722eb9665a5fbd1f125_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b3f780c1e13af722eb9665a5fbd1f125_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3648 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1148 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:4060
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2120
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD54ca26d29ab922c94701b85b3405c37a3
SHA1633fdbd6c4899507887bb42d85030b08c54c64ac
SHA2562c380793a5a6cfc7c736f763fe96cefa8cf3a78469d4e988223e4feb06163b0f
SHA51270de3f6436a6219c7c5c2163a01bbe063fb39cf403821f519dfc08ebce0211ed8bd66ef92ff1fc7d9ee6572b8c19f6f5085c632fdc0b17255627edd52a022339
-
Filesize
3.4MB
MD51400ab1e9d81a6f92176173cedde195e
SHA1e36d961ffd29ad98f77999e6b47351e24ddaba1f
SHA256b6c17e9f66a05adaf62ec1fff4d49b6e51f77285427470517e9c846c5202bf18
SHA51207e85f6f3e52fa90a9b1e6f78a7c25c09f295412bd8ff29af6a24986e62086b554d8e32c897c2be3abe93527ae55c37373d376a4b9d5f63fa5c16b00c6ba5184