Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2024 07:35
Static task
- static1

Behavioral task
- behavioral1
  Sample: 5f9712ebac8e01ad652eb22faf575303_JaffaCakes118.dll
  Resource: win7-20240708-en

Behavioral task
- behavioral2
  Sample: 5f9712ebac8e01ad652eb22faf575303_JaffaCakes118.dll
  Resource: win10v2004-20240709-en
General
- Target: 5f9712ebac8e01ad652eb22faf575303_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 5f9712ebac8e01ad652eb22faf575303
- SHA1: 1139a8bda8a7b5a9493838ff9f1f69a42b5bffe8
- SHA256: bcfac336d155a89cb2e09559499c8d87b8bd1a690cf075089a7173a874b2625e
- SHA512: c3b9a7095ccb3511b258b0b8d3c4db9eba8126cc2e7003f6f29645b89b323cd19477977ed61d79efdfd40f92aeedabc121b28760115240fd1ba1607b8e0eeaef
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRj+TSqTdX1HkQfSAARdhn:+DqPoBhz1aRjcSUDk8SAEdh
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3353) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  PID   Process
  4952  mssecsvc.exe
  4840  mssecsvc.exe
  4276  tasksche.exe

- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  Description   IoC                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe

- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  Description      IoC                                                                                                        Process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  Description                         PID   Process       Target process
  PID 3368 wrote to memory of 4272    3368  rundll32.exe  rundll32.exe
  PID 3368 wrote to memory of 4272    3368  rundll32.exe  rundll32.exe
  PID 3368 wrote to memory of 4272    3368  rundll32.exe  rundll32.exe
  PID 4272 wrote to memory of 4952    4272  rundll32.exe  mssecsvc.exe
  PID 4272 wrote to memory of 4952    4272  rundll32.exe  mssecsvc.exe
  PID 4272 wrote to memory of 4952    4272  rundll32.exe  mssecsvc.exe
Processes (process tree; indentation shows parent/child depth)

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f9712ebac8e01ad652eb22faf575303_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3368

  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f9712ebac8e01ad652eb22faf575303_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 4272

    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 4952

      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 4276

- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 4840
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 857018e3a113164751f35c9b2e081783
  SHA1: c1c4a786ea314e10b514da19b03903463affccdf
  SHA256: b9bb7fd86d9594c0de91bf427eb65b486fe704de0f2437da0df12a5ea9be7a24
  SHA512: d02c4ec5b2763d7e9a09f5ed6051e382d3afff1aee08ce872210a109bd49c72dd3e77ccca15b3dd858678d7dca7818d48d8130ec51a459a4227a80c564dfc998

- Filesize: 3.4MB
  MD5: 4c082b40c63985f83bbc68469f3947ae
  SHA1: ff7819efe83ff2e009fb329fb590aa9208ff6d8d
  SHA256: af4963c74d16ec93851286598e39d300899ae18dbb4e76a573e87ffa1746e15f
  SHA512: 8200bf925a451e505207ff9cbbc371ee179247baf4a07ecb69a1e8014720833055d533dabe629af77c5c3658370441bc2d01047ce3d0faf532a38278d116bcec