Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-06-2024 00:14
Static task: static1
Behavioral task: behavioral1
  Sample: b5e95cdccb8441beb4816ec255b3b835_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: b5e95cdccb8441beb4816ec255b3b835_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: b5e95cdccb8441beb4816ec255b3b835_JaffaCakes118.dll
Size: 5.0MB
MD5: b5e95cdccb8441beb4816ec255b3b835
SHA1: fac78aca5bc929910280531534216c0de9aed3bb
SHA256: 5ffaa97f3fe9c0440aebb90b8ba5bcba1ae80b994dc2a6d160a328db21ed0fcf
SHA512: b1c5f153f25400fc10d6cab7d9899763ba7a60a362c7debb47b8c1e6111278d87f9d92bb0391dfb3aee6202fbf65f9386361019a69187e0357ff989e790621be
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAV:+DqPe1Cxcxk3ZAEUadzR8yc
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (2674) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
Processes:
  PID   Process
  3160  mssecsvc.exe
  5060  mssecsvc.exe
  1952  tasksche.exe

Drops file in Windows directory (2 IoCs)
Processes:
  Description   IoC                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
Processes:
  Description      IoC                                                                                                          Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  Description                      PID  Process       Target process
  PID 320 wrote to memory of 652   320  rundll32.exe  rundll32.exe
  PID 320 wrote to memory of 652   320  rundll32.exe  rundll32.exe
  PID 320 wrote to memory of 652   320  rundll32.exe  rundll32.exe
  PID 652 wrote to memory of 3160  652  rundll32.exe  mssecsvc.exe
  PID 652 wrote to memory of 3160  652  rundll32.exe  mssecsvc.exe
  PID 652 wrote to memory of 3160  652  rundll32.exe  mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5e95cdccb8441beb4816ec255b3b835_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 320
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b5e95cdccb8441beb4816ec255b3b835_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 652
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 3160
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 1952

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 5060
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.6MB
MD5: 96e34b5d456e8c5a8e913ab23bdf92a4
SHA1: fff5635408360eaed6ae56a7d2f172808731e285
SHA256: 3ef09546e585f842b997e5e8d033443cf837c79489d95a364100521308cb19e7
SHA512: b90d44fc0f2efddc9b9c6778b303ca6f74f79f4f87b1301a18c44222dab6c954c597a20c8e7d5431c4b16b2f906800f217bbec84e407d76ad19f2e64c0f7c803

Filesize: 3.4MB
MD5: f5b2695668f69642b84eb02dc153f4c7
SHA1: c12484dfdfd41bc3ad58e834f5a30a2e693cec06
SHA256: baadd5492dded1448ded7da7272324e98a97119f0987ce00c3abc70159089e00
SHA512: a031b09f7d3d850e751644b91d101201ba85f2384a20f77e0e03fe1d4f23d1fba2449e52ee77ce5017ea6b4973508fb55fc168ed56b1ba66c4f626205ad737d6