Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-05-2024 02:44
Static task
- static1
Behavioral task
- behavioral1
  Sample: 159f821b4785271df2e336f940d09da4_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 159f821b4785271df2e336f940d09da4_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
- Target: 159f821b4785271df2e336f940d09da4_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 159f821b4785271df2e336f940d09da4
- SHA1: 834a060938bd5112496ecb49c61d012d7708e62d
- SHA256: 431beeaeffca82dd4e1721e029937a77b9266b4079206f0e3c945505f6ab4772
- SHA512: 9efd3ab64f4b0224e56d4a672d5f1e76d47662f8ffddb78f2246dec9e292726d4b7ab9c82c2c8bea173c64c4e796340169c8f803455f56e81929fa482f172a38
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8:SnAQqMSPbcBVQej/
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3081) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    PID   Process
    4020  mssecsvc.exe
    4280  mssecsvc.exe
    4432  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    Description   IoC                      Process
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
    Description      IoC                                                                                                              Process
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                    mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    Description                        PID   Process       Target process
    PID 3540 wrote to memory of 5100   3540  rundll32.exe  rundll32.exe
    PID 3540 wrote to memory of 5100   3540  rundll32.exe  rundll32.exe
    PID 3540 wrote to memory of 5100   3540  rundll32.exe  rundll32.exe
    PID 5100 wrote to memory of 4020   5100  rundll32.exe  mssecsvc.exe
    PID 5100 wrote to memory of 4020   5100  rundll32.exe  mssecsvc.exe
    PID 5100 wrote to memory of 4020   5100  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 3540)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\159f821b4785271df2e336f940d09da4_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 5100)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\159f821b4785271df2e336f940d09da4_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 4020)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 4432)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 4280)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3812)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1044 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 2d5a37530a7eb94f3ff26004bc181451
  SHA1: 81f94a99b3e8c57895f9ae57aef4b463ff95b646
  SHA256: b1ecd912fb15a12e996499804eb725e2c2d3f185a57419d860785bf20a4d4ccc
  SHA512: 07cb4deca73b86cd62a39581072b0cb66f90745b9904d4404d1c90fc051a6cb2115d32c787bbd132613292255c0440d6c4c87a67f17dfa41c850608956e5688f
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: a7b53d11d621aebb00822915fa47f52d
  SHA1: f94daaa54b91d27bc87ea44eb6d7384ddf601800
  SHA256: 999c87ef2c449d5d6303b9e956ff63a324957d406944524e27a4caf119f599d5
  SHA512: 46e33df88d6d1a03a7e336e7ffeb23610639ceac4cea5ad21a0574098d34fec840add04bf5d7551697276ba22fc4dc3d9d01e530e1c2322ae6a249cc58f6e8f6