Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted: 11-07-2024 07:56

Static task: static1
Behavioral task: behavioral1
  Sample: 384bb8e3c6009c75472ef44706ddcfe0_JaffaCakes118.dll
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 384bb8e3c6009c75472ef44706ddcfe0_JaffaCakes118.dll
  Resource: win10v2004-20240709-en
General
Target: 384bb8e3c6009c75472ef44706ddcfe0_JaffaCakes118.dll
Size: 5.0MB
MD5: 384bb8e3c6009c75472ef44706ddcfe0
SHA1: 926802147c70c1853621d01a04f2f47e0d5b3669
SHA256: dcb39eb8303e191e1bd95e6bd1aaf576f66c7db90e1ca4ee9133e8b66b1b0001
SHA512: b0e54f06d2a9ae073831ecf55cda446b40adad97599f2f3a49cfb91812c1ad54a0d6660ee700b63e6da0deb7b8b534508a1892e7503171e9c9af45e00926379d
SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA6:TDqPoBhz1aRxcSUDk36SAX
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3251) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    4756  mssecsvc.exe
    2280  mssecsvc.exe
    4144  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description  | IoC                     | Process
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    Description     | IoC                                                                                                          | Process
    Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description                      | PID  | Process      | Target process
    PID 1016 wrote to memory of 4620 | 1016 | rundll32.exe | rundll32.exe
    PID 1016 wrote to memory of 4620 | 1016 | rundll32.exe | rundll32.exe
    PID 1016 wrote to memory of 4620 | 1016 | rundll32.exe | rundll32.exe
    PID 4620 wrote to memory of 4756 | 4620 | rundll32.exe | mssecsvc.exe
    PID 4620 wrote to memory of 4756 | 4620 | rundll32.exe | mssecsvc.exe
    PID 4620 wrote to memory of 4756 | 4620 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\384bb8e3c6009c75472ef44706ddcfe0_JaffaCakes118.dll,#1
  PID: 1016
  Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\384bb8e3c6009c75472ef44706ddcfe0_JaffaCakes118.dll,#1
    PID: 4620
    Drops file in Windows directory
    Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4756
      Executes dropped EXE
      Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4144
        Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2280
  Executes dropped EXE
  Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 43994b637c783ce46721df8f239dccda
  SHA1: 3c319ade0f7da6b341f7ef161bd9d2fdd5d679ef
  SHA256: 305069f00300db09afba6260de0f588ce10de2c8f015bef0a10682c46431713a
  SHA512: e7a162cc9dc71f2c1717ccb3738662438acd8a8d5dce3bb2e0b17a503af268145ff546cf154ed8087ff688ae51e346b59b15528f6427672a09919eb044f7351b
- Filesize: 3.4MB
  MD5: cfb4f9435b8486b68c79eb512b87e4b5
  SHA1: c093f2d1124422f286e0e960dfa93bddbcfc3bc7
  SHA256: d327d99d14bcd439ff7314bed102dfde82997ba223bb118d47bc548b637c6a55
  SHA512: 47ffa7c2eed5074ff42bd832947ca7f87dde393e4677a23c5cff2c969c92ec513d2df6eaba8a5014fccb9f80d52c05f6ba7cb9664f05bfd53f94b8291be3bad6