Analysis

max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 03:40
Static task: static1

Behavioral task: behavioral1
  Sample: 2822247ae20305e9fef73497b61faf7c_JaffaCakes118.dll
  Resource: win7-20240221-en

Behavioral task: behavioral2 (the run reported on this page)
  Sample: 2822247ae20305e9fef73497b61faf7c_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General

Target: 2822247ae20305e9fef73497b61faf7c_JaffaCakes118.dll
Size: 5.0MB
MD5: 2822247ae20305e9fef73497b61faf7c
SHA1: 88f31096f6ca717d0d8e359cdf6f23f022027f74
SHA256: 153929445ac39d8a8c9282d2117490af0a0e59acc5ba028d468f2c7cbaf87774
SHA512: 97e1f6f7a5e77365f5c071f2245f000baee54bad6c01300cc587234034052520597e41cadd759287591411814447b1ef6dbeca783b63bf8f8bb0ecc26747caed
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9vyAVp2H:+DqPe1Cxcxk3ZAEUalyc4H
Signatures

Wannacry
WannaCry is a ransomware cryptoworm. This run shows its dropper chain: the DLL, invoked through rundll32, writes mssecsvc.exe into the Windows directory, and that binary in turn writes and starts tasksche.exe (see Processes below).

Contacts a large number (3024) of remote hosts  1 TTPs
This may indicate a network scan to discover remotely running services.

Executes dropped EXE  3 IoCs
  pid   process
  4776  mssecsvc.exe
  4576  mssecsvc.exe
  1292  tasksche.exe

Creates a large amount of network flows  1 TTPs
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory  2 IoCs
  description   ioc                      process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe

Modifies data under HKEY_USERS  5 IoCs
All five entries are written by mssecsvc.exe under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (the .DEFAULT hive, i.e. not an interactive user's profile):
  description      ioc
  Set value (int)  ZoneMap\UNCAsIntranet = "1"
  Set value (int)  ZoneMap\AutoDetect = "0"
  Key created      ZoneMap\
  Set value (int)  ZoneMap\ProxyBypass = "1"
  Set value (int)  ZoneMap\IntranetName = "1"

Suspicious use of WriteProcessMemory  6 IoCs
  description                       pid   process       target process
  PID 440 wrote to memory of 4840   440   rundll32.exe  rundll32.exe   (3 identical entries)
  PID 4840 wrote to memory of 4776  4840  rundll32.exe  mssecsvc.exe   (3 identical entries)
Each parent/child pair shows the writes that accompany process creation itself; the value of this signature is the parent-to-child chain it records (rundll32 to rundll32 to mssecsvc.exe), not the API call on its own.
Processes

C:\Windows\system32\rundll32.exe  PID 440
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2822247ae20305e9fef73497b61faf7c_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  PID 4840
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2822247ae20305e9fef73497b61faf7c_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe  PID 4776
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe  PID 1292
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe  PID 4576
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  PID 1252
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
  (no signatures)

Reading the tree: the DLL is called by ordinal (the ,#1 argument) from the user's Temp directory. The 64-bit rundll32 (PID 440) re-launches the 32-bit SysWOW64 rundll32 (PID 4840), which is what happens when the loaded module is 32-bit; that instance drops and starts C:\WINDOWS\mssecsvc.exe (PID 4776), which drops C:\WINDOWS\tasksche.exe and starts it with /i. The second mssecsvc.exe instance (PID 4576) is rooted outside the rundll32 tree, runs with -m security, and is the one writing ZoneMap values under HKEY_USERS\.DEFAULT; together these are consistent with the dropped binary being started as a service rather than by the interactive user. The msedge.exe utility process is a separate root with no signatures and is not part of the dropper chain.
Downloads

C:\Windows\mssecsvc.exe
Filesize: 3.6MB
MD5: 1a9da360084e5fe33cc8b7b01048386d
SHA1: 57e10d009b4df796682803e6a026d70d418790da
SHA256: cb3e98be30579f7287ecb4a703a5defdd4035861d1c90e49f173fe037b728c5f
SHA512: 77cf7339672e73d18e5ac36f20809edf0604e9406037fcb0be6e78fe2fd1995c96009edd4d443f744f1af3c0ce295a56614659ebe69bf97783fe1d0bf1bb7c7b

C:\Windows\tasksche.exe
Filesize: 3.4MB
MD5: 3854d17d30461c44c283d2e087d97723
SHA1: 08dd80b6a4f8df08f4fd83d9304a515a68f40a8b
SHA256: 0e84529bcb4899c94283f1698b7babd016fe26f3d0449f448bc5d32e78b55be8
SHA512: 63c8a702ab3b4242c1d5ef9de3ae994e5dfd0e225b483fcff52481b34a04374056ed3db695ca3574ec56f20c605b7e7ccc40ea273d460da99cc72f8b09267484
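The following Python is an added example, not part of this report and not the sandbox's own detection code. It turns the indicators on this page (the rundll32 to mssecsvc.exe to tasksche.exe chain in Processes, the -m security launch, the ZoneMap writes under HKEY_USERS\.DEFAULT, and the SHA256 hashes of the two dropped files in Downloads) into detection logic and runs it over constructed Sysmon-style event records that mirror the process tree above. The paths, command lines, PIDs and hashes are copied from the report; the parent images of PID 440 and PID 4576 (explorer.exe and services.exe) and the two benign noise events are assumptions that the report does not show.

```python
"""Match process, file-write and registry events against the IoCs in the
report above. Added example, not the sandbox's code; the events below are
constructed, and the explorer.exe / services.exe parents are assumed."""
import re
from dataclasses import dataclass
from typing import Dict, List

# SHA256 of the two dropped files, copied from the Downloads section.
DROPPED_SHA256 = {
    "cb3e98be30579f7287ecb4a703a5defdd4035861d1c90e49f173fe037b728c5f": "mssecsvc.exe",
    "0e84529bcb4899c94283f1698b7babd016fe26f3d0449f448bc5d32e78b55be8": "tasksche.exe",
}
# Registry key touched by the service-launched mssecsvc.exe instance.
ZONEMAP_KEY = (r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion"
               r"\Internet Settings\ZoneMap")
# An executable sitting directly in C:\Windows (not in System32 or SysWOW64).
WINDOWS_ROOT_EXE = re.compile(r"c:\\windows\\[^\\]+\.exe", re.IGNORECASE)


@dataclass
class Event:
    kind: str                 # "process", "file" or "registry"
    pid: int                  # acting process
    image: str                # full path of the acting process
    parent_image: str = ""    # full path of its parent (process events)
    cmdline: str = ""         # command line (process events)
    target: str = ""          # file path or registry value written
    sha256: str = ""          # hash of the written file (file events)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Event]) -> List[Dict[str, object]]:
    """Return one hit per event that matches an IoC pattern, in event order."""
    hits: List[Dict[str, object]] = []

    def hit(rule: str, ev: Event, detail: str) -> None:
        hits.append({"rule": rule, "pid": ev.pid, "detail": detail})

    for ev in events:
        name = _basename(ev.image)
        parent = _basename(ev.parent_image)
        cmd = ev.cmdline.lower()
        if ev.kind == "process":
            # rundll32 starting a binary dropped straight into C:\Windows
            if parent == "rundll32.exe" and WINDOWS_ROOT_EXE.fullmatch(ev.image):
                hit("rundll32_spawns_windows_root_exe", ev, ev.image)
            # the service-style launch that appears as a separate root in the tree
            if name == "mssecsvc.exe" and "-m security" in cmd:
                hit("mssecsvc_service_launch", ev, ev.cmdline)
            # installer launch of the second-stage binary
            if name == "tasksche.exe" and parent == "mssecsvc.exe" and cmd.rstrip().endswith(" /i"):
                hit("tasksche_install", ev, ev.cmdline)
        elif ev.kind == "file":
            known = DROPPED_SHA256.get(ev.sha256.lower())
            if known:
                hit("dropped_file_hash", ev, f"{ev.target} matches {known}")
        elif ev.kind == "registry":
            if name == "mssecsvc.exe" and ev.target.lower().startswith(ZONEMAP_KEY.lower()):
                hit("zonemap_modification", ev, ev.target)
    return hits


DLL = r"C:\Users\Admin\AppData\Local\Temp\2822247ae20305e9fef73497b61faf7c_JaffaCakes118.dll"

# Constructed events mirroring the report's process tree and dropped files.
SAMPLE_EVENTS = [
    Event("process", 440, r"C:\Windows\system32\rundll32.exe", r"C:\Windows\explorer.exe",
          f"rundll32.exe {DLL},#1"),
    Event("process", 4840, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\system32\rundll32.exe",
          f"rundll32.exe {DLL},#1"),
    Event("file", 4840, r"C:\Windows\SysWOW64\rundll32.exe", target=r"C:\WINDOWS\mssecsvc.exe",
          sha256="cb3e98be30579f7287ecb4a703a5defdd4035861d1c90e49f173fe037b728c5f"),
    Event("process", 4776, r"C:\WINDOWS\mssecsvc.exe", r"C:\Windows\SysWOW64\rundll32.exe",
          r"C:\WINDOWS\mssecsvc.exe"),
    Event("file", 4776, r"C:\WINDOWS\mssecsvc.exe", target=r"C:\WINDOWS\tasksche.exe",
          sha256="0e84529bcb4899c94283f1698b7babd016fe26f3d0449f448bc5d32e78b55be8"),
    Event("process", 1292, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\mssecsvc.exe",
          r"C:\WINDOWS\tasksche.exe /i"),
    Event("process", 4576, r"C:\WINDOWS\mssecsvc.exe", r"C:\Windows\System32\services.exe",
          r"C:\WINDOWS\mssecsvc.exe -m security"),
    Event("registry", 4576, r"C:\WINDOWS\mssecsvc.exe", target=ZONEMAP_KEY + r"\UNCAsIntranet"),
    # Benign noise that must not fire: the Edge utility process and an ordinary rundll32 use.
    Event("process", 1252, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
          r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "msedge.exe --type=utility"),
    Event("process", 5000, r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
          "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for h in detect(SAMPLE_EVENTS):
        print(f"{h['rule']:<36} pid={h['pid']:<5} {h['detail']}")
```

The rules are deliberately narrow: a hash match is exact, the process rules key on the parent/child pair plus the command-line argument, and the registry rule ties the ZoneMap path to the acting image name. Run over the constructed events they produce six hits, one per IoC event, and none for the two benign records.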