Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
05-05-2024 10:07
Static task
static1
Behavioral task
behavioral1
Sample
172cae5741578845025b9875ecda958d_JaffaCakes118.dll
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
172cae5741578845025b9875ecda958d_JaffaCakes118.dll
Resource
win10v2004-20240226-en
General
-
Target
172cae5741578845025b9875ecda958d_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
172cae5741578845025b9875ecda958d
-
SHA1
08ac3a671857efdd436ffa038b205d2ac0b830ee
-
SHA256
768e7c17c3c95e8fdbfe517fd34763aff6a49c730c775af65414a691585d1b30
-
SHA512
9e8c01ad064acecfdb1e56200e1a016ef0b6f548d69d0de68b270a5fc7adf21cdfb840d06884e6070d9393e83ac05b5d5729217e7e3711293caab302ec0639e4
-
SSDEEP
98304:TDqPz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:TDqPz1Cxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3127) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 2748 mssecsvc.exe 2296 mssecsvc.exe 3968 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 3104 wrote to memory of 2208 3104 rundll32.exe rundll32.exe PID 3104 wrote to memory of 2208 3104 rundll32.exe rundll32.exe PID 3104 wrote to memory of 2208 3104 rundll32.exe rundll32.exe PID 2208 wrote to memory of 2748 2208 rundll32.exe mssecsvc.exe PID 2208 wrote to memory of 2748 2208 rundll32.exe mssecsvc.exe PID 2208 wrote to memory of 2748 2208 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\172cae5741578845025b9875ecda958d_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\172cae5741578845025b9875ecda958d_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2748 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:3968
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2296
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3536 --field-trial-handle=2304,i,6987730730348465820,3913273227385401271,262144 --variations-seed-version /prefetch:81⤵PID:3240
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5af8b2a8701a6ade0c8113988e45b4e6c
SHA1e3e01397f5f3d2d58a86c60954fb06893138aed8
SHA2561a5281967e3fd163b3260393201736910efd8aa683e364aa7a327e7db52f29d6
SHA512bff785d9282c458f5b6825d3ee15c1b98c0b39d9d38f8311a40ef532472f638adb53a274ed08570e9ae7eaa411a41f8c100e0c5814ae2a0c1575d92403458e5c
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD59de4abd28019e64c49e745dbb210fea4
SHA19f7c19802b737b860f25c69c993066729ff894ce
SHA25618c2c5c6962e53029137d4f20d46ce2b69ce3a2750a3262d9f78578daf64c2fb
SHA512167f2a0b811d03ffb286191f4438baeb7ca09a26f2f93bd75f07937c487e66d9422e695f58c34530938cf8e2f5c51c82c183aa685c84ab90617590db840ebb5a