Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-05-2024 07:54
Static task: static1
Behavioral task: behavioral1
  Sample: 1b812b0051e0cef2acc712d50f7e4a51_JaffaCakes118.dll
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 1b812b0051e0cef2acc712d50f7e4a51_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
Target: 1b812b0051e0cef2acc712d50f7e4a51_JaffaCakes118.dll
Size: 5.0MB
MD5: 1b812b0051e0cef2acc712d50f7e4a51
SHA1: aeac55264a3d590fda9a049d1967d3ae3a24c4af
SHA256: 7bdbbd2abd90aaf93b613b67f261b8903bfb2f090a429d825fd688ea2f577bc0
SHA512: d2bcc1f66f0648bdf4b33168292bf8571d2a0de28fa6ccb8192a8397ab5816b919e884f7324224e0e95f7f836096d528922326f00df13069d4e9646f0ac3093f
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:+DqPoBhz1aRxcSUDk36SA
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2997) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 2364  mssecsvc.exe
    PID 2740  mssecsvc.exe
    PID 3260  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    File created  C:\WINDOWS\mssecsvc.exe  by rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  by mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (all by mssecsvc.exe):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 3968 (rundll32.exe) wrote to memory of PID 2296 (rundll32.exe)   [3 events]
    PID 2296 (rundll32.exe) wrote to memory of PID 2364 (mssecsvc.exe)   [3 events]
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1b812b0051e0cef2acc712d50f7e4a51_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3968
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1b812b0051e0cef2acc712d50f7e4a51_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2296
    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2364
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 3260
- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2268 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
  PID: 948
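The behaviour chain above (rundll32.exe dropping and launching mssecsvc.exe, mssecsvc.exe dropping tasksche.exe, the service-mode "-m security" relaunch, the ZoneMap writes under HKU\.DEFAULT and the mass host contact) is what an endpoint detection would key on rather than the file hashes, which change per build. The following is an added example, not code from the sandbox or from any vendor: a small detector over Sysmon-style process, file, registry and network events. The event dictionary shape, the constructed sample events (which reuse the PIDs and paths from this report) and the 100-host scan threshold are assumptions made for the example.

```python
"""Detect the WannaCry behaviour chain from this report over event records.

Added example. Event shape is assumed (loosely modelled on Sysmon):
  {"type": "process",  "pid": int, "ppid": int, "image": str, "cmdline": str}
  {"type": "file",     "pid": int, "path": str}
  {"type": "registry", "pid": int, "key": str, "value": str, "data": int}
  {"type": "network",  "pid": int, "dst": str}
"""
from collections import defaultdict

# Indicators taken from the report above; compared case-insensitively.
DROPPED_EXES = {r"c:\windows\mssecsvc.exe", r"c:\windows\tasksche.exe"}
ZONEMAP_KEY = (r"\registry\user\.default\software\microsoft\windows"
               r"\currentversion\internet settings\zonemap")
ZONEMAP_VALUES = {"autodetect": 0, "proxybypass": 1,
                  "intranetname": 1, "uncasintranet": 1}
SCAN_HOST_THRESHOLD = 100  # assumed; the sandbox run reached 2997 hosts


def detect(events):
    """Return the sorted list of signature names that fire on `events`."""
    image_by_pid = {e["pid"]: e["image"].lower()
                    for e in events if e["type"] == "process"}
    hits = set()
    zonemap = defaultdict(dict)      # pid -> {value name: data}
    dsts = defaultdict(set)          # pid -> distinct destinations

    for ev in events:
        pid = ev["pid"]
        image = image_by_pid.get(pid, "")
        base = image.rsplit("\\", 1)[-1]
        if ev["type"] == "process":
            parent = image_by_pid.get(ev["ppid"], "")
            if image in DROPPED_EXES and parent.endswith("\\rundll32.exe"):
                hits.add("dropped_exe_spawned_by_rundll32")
            if image in DROPPED_EXES and parent in DROPPED_EXES:
                hits.add("dropped_exe_chain")       # mssecsvc -> tasksche
            if base == "mssecsvc.exe" and "-m security" in ev["cmdline"].lower():
                hits.add("mssecsvc_service_mode")
        elif ev["type"] == "file":
            if ev["path"].lower() in DROPPED_EXES and base in ("rundll32.exe", "mssecsvc.exe"):
                hits.add("drops_exe_in_windows_dir")
        elif ev["type"] == "registry":
            if ev["key"].lower().rstrip("\\") == ZONEMAP_KEY and base == "mssecsvc.exe":
                zonemap[pid][ev["value"].lower()] = ev["data"]
        elif ev["type"] == "network":
            dsts[pid].add(ev["dst"])

    # All four ZoneMap values set by one mssecsvc.exe instance, as in the report.
    if any(all(v.get(k) == d for k, d in ZONEMAP_VALUES.items()) for v in zonemap.values()):
        hits.add("zonemap_intranet_defaults_modified")
    if any(len(d) >= SCAN_HOST_THRESHOLD for d in dsts.values()):
        hits.add("mass_remote_host_contact")
    return sorted(hits)


def sample_events():
    """Constructed events mirroring the PIDs and paths in the report (not sandbox output)."""
    dll = r"C:\Users\Admin\AppData\Local\Temp\1b812b0051e0cef2acc712d50f7e4a51_JaffaCakes118.dll"
    ev = [
        {"type": "process", "pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
        {"type": "process", "pid": 3968, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe", "cmdline": f"rundll32.exe {dll},#1"},
        {"type": "process", "pid": 2296, "ppid": 3968, "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": f"rundll32.exe {dll},#1"},
        {"type": "file", "pid": 2296, "path": r"C:\WINDOWS\mssecsvc.exe"},
        {"type": "process", "pid": 2364, "ppid": 2296, "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
        {"type": "file", "pid": 2364, "path": r"C:\WINDOWS\tasksche.exe"},
        {"type": "process", "pid": 3260, "ppid": 2364, "image": r"C:\WINDOWS\tasksche.exe", "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
        {"type": "process", "pid": 600, "ppid": 1, "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
        {"type": "process", "pid": 2740, "ppid": 600, "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
        # Benign noise that must not fire: the browser utility process from the tree.
        {"type": "process", "pid": 948, "ppid": 1000, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "cmdline": "msedge.exe --type=utility"},
    ]
    zm = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
    for name, data in (("AutoDetect", 0), ("ProxyBypass", 1), ("IntranetName", 1), ("UNCAsIntranet", 1)):
        ev.append({"type": "registry", "pid": 2740, "key": zm + "\\", "value": name, "data": data})
    for i in range(300):  # constructed SMB sweep from the service-mode instance
        ev.append({"type": "network", "pid": 2740, "dst": f"10.0.{i // 256}.{i % 256}:445"})
    return ev


if __name__ == "__main__":
    for hit in detect(sample_events()):
        print(hit)
```

The rules deliberately key on relationships (which image wrote which file, which parent spawned the dropped binary, how many distinct hosts one PID touched) rather than on the file names alone, since `mssecsvc.exe` and `tasksche.exe` are trivially renamed in later variants while the drop-and-execute chain and the SMB sweep are not.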
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: ca64dda04213e36c0a863746289ec212
  SHA1: e252e7f48fea152780bd7256b560e48ad87ba4a9
  SHA256: e16c3a88ae9175bacccc4bc7c9e8f6e38e1226e37d1430d4205b2af50b02e655
  SHA512: 0ed99968f426d2b5348364f041d56fd6652aaf48e097996f966a09b7940a0eadb7e81720bb97f5ea6c8ff25b140712f3da734a4125b90080112c9ca67bab103f
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 822cfb2f15998786df89a33e716cbdef
  SHA1: c9d007274bfd628c164074a1fc2b35ae84293691
  SHA256: 44311ce86114f8b11bea2fda93707000e951fdd54df1d575b69c0acff0192b52
  SHA512: 17408de0c6692557c3d280625f9aed3401adb10a4735c91900df163be4b33d6c3c6c2527905fb090a3bed15424b1fc564790c1e311966c56cd321be03c4b4d29