Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-07-2024 09:00
Static task: static1
Behavioral task: behavioral1
- Sample: 5fd7c5847a979da93eccc83311c7d20c_JaffaCakes118.dll
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 5fd7c5847a979da93eccc83311c7d20c_JaffaCakes118.dll
- Resource: win10v2004-20240709-en
General
- Target: 5fd7c5847a979da93eccc83311c7d20c_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 5fd7c5847a979da93eccc83311c7d20c
- SHA1: 19842decbad5349efd43bf0e5538829759d721df
- SHA256: 70e3971f4e7d182d1c4f4d960342e4621aaa8e9bc2807b9963c2ba7fe02c9618
- SHA512: f54bc1a5e9598899467cc33466db1598a68aa3cd7ab4b94c3be831d5ae7c0f00c82df53767d17d627b61622040869d2fd40087b39a697253d2d1b42a634626d7
- SSDEEP: 24576:MbLguVQhfdmMSirYbcMNgef0QeQjGT6SASk+RdhAdmv:MnFQqMSPbcBVQejT6SAARdhnv
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3161) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (2 IoCs)
  Processes: mssecsvr.exe, mssecsvr.exe
    pid | process
    4468 | mssecsvr.exe
    3760 | mssecsvr.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (4 IoCs)
  Processes: mssecsvr.exe
    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | mssecsvr.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | mssecsvr.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | mssecsvr.exe
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | mssecsvr.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvr.exe
    description | ioc | process
    File created | C:\WINDOWS\mssecsvr.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvr.exe
- Modifies data under HKEY_USERS (15 IoCs)
  Processes: mssecsvr.exe
    description | ioc | process
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvr.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History | mssecsvr.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software | mssecsvr.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | mssecsvr.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvr.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvr.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P | mssecsvr.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvr.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvr.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvr.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvr.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvr.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvr.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | mssecsvr.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | mssecsvr.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description | pid | process | target process
    PID 3536 wrote to memory of 4596 | 3536 | rundll32.exe | rundll32.exe
    PID 3536 wrote to memory of 4596 | 3536 | rundll32.exe | rundll32.exe
    PID 3536 wrote to memory of 4596 | 3536 | rundll32.exe | rundll32.exe
    PID 4596 wrote to memory of 4468 | 4596 | rundll32.exe | mssecsvr.exe
    PID 4596 wrote to memory of 4468 | 4596 | rundll32.exe | mssecsvr.exe
    PID 4596 wrote to memory of 4468 | 4596 | rundll32.exe | mssecsvr.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5fd7c5847a979da93eccc83311c7d20c_JaffaCakes118.dll,#1
  PID: 3536
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5fd7c5847a979da93eccc83311c7d20c_JaffaCakes118.dll,#1
    PID: 4596
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvr.exe
      Command line: C:\WINDOWS\mssecsvr.exe
      PID: 4468
      - Executes dropped EXE
      - Drops file in Windows directory
- C:\WINDOWS\mssecsvr.exe
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  PID: 3760
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 2.2MB
  MD5: 235d6e4709cc75228765c5a8f323988b
  SHA1: c804979d4dfc5d95e2fbba1aeb5049ee9f0ba9b8
  SHA256: 7501bfd06cd17850f4d2676b8254c48bef85526b810ec80d9e09bd665e76df61
  SHA512: e077d4a52e718554802ffc208f14d5efa638942623a9461b5776eef44c625be465f283a2819840c4d427f20061e1d1e744632d890e77065537598d89bb91af03