Analysis
- max time kernel: 153s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-05-2024 03:35
Static task: static1
Behavioral task: behavioral1
- Sample: 15cc01862af8af5540569cb247b3824e_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 15cc01862af8af5540569cb247b3824e_JaffaCakes118.dll
- Resource: win10v2004-20240226-en
General
- Target: 15cc01862af8af5540569cb247b3824e_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 15cc01862af8af5540569cb247b3824e
- SHA1: 5c99e40e4fd8f3bce17a4e134daef3e7c4fb2e33
- SHA256: 424d3a9ccee7e2fe5cf4b714f6a5a2557c456adcb0eb49ea4dd733e8151e3eb0
- SHA512: 370bd14b91afdd1ffdd56e045897b090f6e1037e556c7c3dc6d131854056db5fe6092c68b94cc03372bd4fb681e214783b143564d2f9c4960dce2433e3213ba7
- SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P59jF:TDqPe1Cxcxk3ZAEUadn
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2574) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
  4352 | mssecsvc.exe
  3304 | mssecsvc.exe
  2896 | tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description | ioc | process):
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  PID 2748 wrote to memory of 5040 | 2748 | rundll32.exe | rundll32.exe
  PID 2748 wrote to memory of 5040 | 2748 | rundll32.exe | rundll32.exe
  PID 2748 wrote to memory of 5040 | 2748 | rundll32.exe | rundll32.exe
  PID 5040 wrote to memory of 4352 | 5040 | rundll32.exe | mssecsvc.exe
  PID 5040 wrote to memory of 4352 | 5040 | rundll32.exe | mssecsvc.exe
  PID 5040 wrote to memory of 4352 | 5040 | rundll32.exe | mssecsvc.exe
Processes (indentation shows the parent/child relationship)
- C:\Windows\system32\rundll32.exe (PID 2748)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\15cc01862af8af5540569cb247b3824e_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 5040)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\15cc01862af8af5540569cb247b3824e_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 4352)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2896)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 3304)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 5036)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: a8daee2b8c6d0b4854a9fa4ebfa2cff1
  SHA1: 2941a117e5842f2cb599d972e39ea95a41947167
  SHA256: f853a55c32fe0bfed0eb0b572ac977c0a78144e67bef5923f8ad0a7813cc21a2
  SHA512: db47e98297640f6f9d077c78fe294c4d17d08fe1f662cd7caf338f34eed0334c5c94268ef9ed70c723d586fc1483873d2252e53e455ebedf07bd1ce49c0816d7
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 0e7e40f6f6721d8101e1af6364cea915
  SHA1: c6cf47adc6838959f6be89a451683f5de6ed4615
  SHA256: c1b25601c63b3c6e74f19339c2e078e8b30a8459dce576ddb3334a2656027220
  SHA512: 87177775a761efce80490eaca29339f883e85484aa808dd7816cabd4d7d9ce03af2865c5afb64ade8df69c5e2c547e026f99c0838b7b7a60ab61e63981013699