Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-06-2024 18:26
Static task: static1
Behavioral task: behavioral1
  Sample: b48f982c64375c10fc168deae12e70ac_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: b48f982c64375c10fc168deae12e70ac_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: b48f982c64375c10fc168deae12e70ac_JaffaCakes118.dll
- Size: 5.0MB
- MD5: b48f982c64375c10fc168deae12e70ac
- SHA1: a23c607e573be5efe3d2001caec3304cdf8bd3dc
- SHA256: e919919b0615fcd5e7c878c08b0e98ef46730a5b5bb8cbf5661efb16f8a3ad01
- SHA512: 8aa653cf40aaf9b08d88ed76a946bc29a3ecc67bf264e9077b05e8a9459117a18bc3c54aaed72911ff8281eb028f90e3f75de6f6b01e77768b7136e771133626
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAMhnvxJM0H9PAME:+DqPoBhz1aRxcSUDk36SAMhvxWa9P5
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (2675) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (3 IoCs)
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid  | process
  4616 | mssecsvc.exe
  4640 | mssecsvc.exe
  4848 | tasksche.exe
-
Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory (2 IoCs)
Processes: rundll32.exe, mssecsvc.exe
  description  | ioc                     | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
-
Modifies data under HKEY_USERS (5 IoCs)
Processes: mssecsvc.exe
  description     | ioc                                                                                                               | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    | mssecsvc.exe
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes: rundll32.exe, rundll32.exe
  description                      | pid  | process      | target process
  PID 5104 wrote to memory of 2384 | 5104 | rundll32.exe | rundll32.exe
  PID 5104 wrote to memory of 2384 | 5104 | rundll32.exe | rundll32.exe
  PID 5104 wrote to memory of 2384 | 5104 | rundll32.exe | rundll32.exe
  PID 2384 wrote to memory of 4616 | 2384 | rundll32.exe | mssecsvc.exe
  PID 2384 wrote to memory of 4616 | 2384 | rundll32.exe | mssecsvc.exe
  PID 2384 wrote to memory of 4616 | 2384 | rundll32.exe | mssecsvc.exe
Processes
Process tree (an indented entry is a child of the entry above it):
-
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b48f982c64375c10fc168deae12e70ac_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 5104
  -
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b48f982c64375c10fc168deae12e70ac_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2384
    -
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 4616
      -
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 4848
-
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 4640
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 3.6MB
MD5: 0cff66ec3397a750350d4b0665d242e6
SHA1: 973a121460bd84120bc84adf98243d2bb2426db8
SHA256: df121aaf9a066929478ee67f681089a19a618244627cb0faeecf3830568ba7f1
SHA512: aba3fdce48bd48706e77352f3cebaa290eff98455b3ff46da328b4f650251ff076b4fdcedb3850107964f15a2fc16a490853012ed511237d9e3ebbaa33d4e70d
-
Filesize: 3.4MB
MD5: dae93edcd0dcbcc6356a9f53c755392b
SHA1: 6ad73471b99c2a1e850598c1e4bd08a7bcd381fd
SHA256: 574835b083cc6e7bc0ae280fbe09310d716c373d91332bb4ea092d263e3fa850
SHA512: f33a35981523616d7c11def4781b2aa34d31a9d23e339a38970fe204bf74fd6ed2313af20ab8613228e661ad4307998e5356b7e19c8d08b0249a8025ac9813ad