Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-07-2024 16:06
Static task: static1
Behavioral task: behavioral1
  Sample: 39d3523d629276a9c75f0e4bfc954c4a_JaffaCakes118.dll
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 39d3523d629276a9c75f0e4bfc954c4a_JaffaCakes118.dll
  Resource: win10v2004-20240709-en
General
Target: 39d3523d629276a9c75f0e4bfc954c4a_JaffaCakes118.dll
Size: 5.0MB
MD5: 39d3523d629276a9c75f0e4bfc954c4a
SHA1: 6fb54e3a7e8c9aa6d08b3f30436e7c6aaccc76aa
SHA256: 61ca854a98214db0ac2a90843129135063bac09df891a67e551efb8d12d1a28b
SHA512: 751b561d7ab65558b321c2c3a7f8ef7c6ab0d9b838ee361ab0bf5088eac9ee1be0dc78059ef5b6ea9e894e86a9587b7c46c9cf50eb7a1de48dec24d6731d23be
SSDEEP: 49152:SnAQqMSPbcBVQej/1INeRdhnvxJM0H9PAMEcVR8yAH1plAH:+DqPoBhz1aydhvxWa9P5vR8yAVp2H
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3205) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  368   mssecsvc.exe
  2620  mssecsvc.exe
  1356  tasksche.exe

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory (2 IoCs)
Processes:
  description   ioc                      process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe

Modifies data under HKEY_USERS (5 IoCs)
Processes:
  description      ioc                                                                                                          process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                        pid   process       target process
  PID 1792 wrote to memory of 5060   1792  rundll32.exe  rundll32.exe
  PID 1792 wrote to memory of 5060   1792  rundll32.exe  rundll32.exe
  PID 1792 wrote to memory of 5060   1792  rundll32.exe  rundll32.exe
  PID 5060 wrote to memory of 368    5060  rundll32.exe  mssecsvc.exe
  PID 5060 wrote to memory of 368    5060  rundll32.exe  mssecsvc.exe
  PID 5060 wrote to memory of 368    5060  rundll32.exe  mssecsvc.exe
Processes

C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\39d3523d629276a9c75f0e4bfc954c4a_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1792
  C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\39d3523d629276a9c75f0e4bfc954c4a_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 5060
    C:\WINDOWS\mssecsvc.exe
      command: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 368
      C:\WINDOWS\tasksche.exe
        command: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 1356

C:\WINDOWS\mssecsvc.exe
  command: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 2620
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.6MB
MD5: f53b04d4b236af77e1853398eaec5a7b
SHA1: 5f8190eca08e9bf233b74a3299c7b3ad7b9ff699
SHA256: f5a7e64034c3d542f27a150a932165adbf5f75a811ad5e38ab6e0e32b44057c5
SHA512: bfeceb1a7aada2151e9fc58c8deb22392b01578634eebef4698a6cbf644bc9b35460cf2a2aaffe04c80650dce60739c7cdad2d2f9fac61c2fb98ac29151d630b

Filesize: 3.4MB
MD5: 12238b0db2e97762b796e6c16ffd9a2e
SHA1: 48da95af615de00b8e1f7997998e2cef8cd08781
SHA256: 9053e3ae9b5023cbe51cf99ca73cd941ebb44772627ff7e371681eaa96887e0a
SHA512: 3fed6683dd05532776f46fe818f314a8f5121c2f4ba340ae741b0bc45a215302d4d88b90e142ab9cd2ea5f7e270d988283386593fe2b0066d24f72daaa0d3620