Analysis
-
max time kernel: 151s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 04-05-2024 15:01
Static task: static1
Behavioral task: behavioral1
  Sample: 133c62605d9a83623fd22c747918b32a_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 133c62605d9a83623fd22c747918b32a_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
-
Target: 133c62605d9a83623fd22c747918b32a_JaffaCakes118.dll
Size: 5.0MB
MD5: 133c62605d9a83623fd22c747918b32a
SHA1: 5bb51269d20b3854db6d947d978808d13a33a9aa
SHA256: c25c8e2d44c64baea75f8fc5758cbe82a88c5197242380b3f4cfbc65ef565654
SHA512: 0f13cb6afc6d34c1649b61ffdd9e3cee675ae41102f9e764117e4fe09a17d5b5febb05db4dd7886e7f3787c8b072b3de97d743b69acd9b8c8297b3ca3d036a92
SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdZB:SnAQqMSPbcBVQej/1I
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3062) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  3216  mssecsvc.exe
  2428  mssecsvc.exe
  3800  tasksche.exe
Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory (2 IoCs)
Processes:
  description   ioc                        process
  File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
  File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe
Modifies data under HKEY_USERS (5 IoCs)
Processes:
  description      ioc                                                                                                                  process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"       mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                        mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"      mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"    mssecsvc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                          pid   process       target process
  PID 3256 wrote to memory of 1640     3256  rundll32.exe  rundll32.exe
  PID 3256 wrote to memory of 1640     3256  rundll32.exe  rundll32.exe
  PID 3256 wrote to memory of 1640     3256  rundll32.exe  rundll32.exe
  PID 1640 wrote to memory of 3216     1640  rundll32.exe  mssecsvc.exe
  PID 1640 wrote to memory of 3216     1640  rundll32.exe  mssecsvc.exe
  PID 1640 wrote to memory of 3216     1640  rundll32.exe  mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\133c62605d9a83623fd22c747918b32a_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3256
  -
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\133c62605d9a83623fd22c747918b32a_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1640
    -
    C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 3216
      -
      C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 3800
-
C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 2428
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
  PID: 4744
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 5c4cbb156deeaf7d896a9426f2818406
  SHA1: 7a0e16ae16038c1d362e1ec4a36e24eb7621a21c
  SHA256: 878bb4650dd88473e1abe6d8be0d30d96bd577c13ea629f8b09f48d97649d48c
  SHA512: ebfd7c59b4ffffb645bce72b9db70099c78b9a3b64bc78fd971d08ba8ef22d43d5418a1bf1637834ac8aa020fe1aae5361a8307625c272e76a06f3786e7f98a9
-
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: d185ec4dada36619bdfcf3d936d77f04
  SHA1: 73ba315952a304b6b58a0e1456450a6e8a9e1901
  SHA256: 22c5f71bb6046d44b3a9bf90bd46e5115e9eb67076a33692811b786f3ab8e418
  SHA512: ca5ff6924780829565daf83639a440cf779dd73a69b906ca3adb1eecae7f2bf797eeb9b9a3cc7c15efbaa5dcf6c25aa05ef432139992e909076efd544bef4e31