Analysis
max time kernel: 152s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 16:33
Static task: static1
Behavioral task: behavioral1
  Sample: 2adf3df26c4c3f88f288958bfaf9710d_JaffaCakes118.dll
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: 2adf3df26c4c3f88f288958bfaf9710d_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
Target: 2adf3df26c4c3f88f288958bfaf9710d_JaffaCakes118.dll
Size: 5.0MB
MD5: 2adf3df26c4c3f88f288958bfaf9710d
SHA1: 87ac0d58aec16889ba26ecd143f7cc25dde5b8b4
SHA256: e4de2bcdd89334ece46ef04becd538e177de2591abea682a7e7cb8edb967b026
SHA512: bf1c385fa0ca4602ea53ed8b17fb976b23001567ad818a3dc83dbaa7ac3652029e5f541fcc91784e87e7fa02cf73b66b8e5ae99010e057f8eface8514bf0724a
SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R:TDqPe1Cxcxk3ZAEUadzR
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (2708) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 1284  mssecsvc.exe
    PID 228   mssecsvc.exe
    PID 4276  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    File created  C:\WINDOWS\mssecsvc.exe  by rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  by mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (all writes by mssecsvc.exe; the .DEFAULT hive is the profile used by the LocalSystem account, so these writes come from the SYSTEM-context instance):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    PID 1964 (rundll32.exe) wrote to memory of PID 1076 (rundll32.exe)   3 calls
    PID 1076 (rundll32.exe) wrote to memory of PID 1284 (mssecsvc.exe)   3 calls
Processes
- C:\Windows\system32\rundll32.exe  (PID 1964)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2adf3df26c4c3f88f288958bfaf9710d_JaffaCakes118.dll,#1
    Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe  (PID 1076)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2adf3df26c4c3f88f288958bfaf9710d_JaffaCakes118.dll,#1
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe  (PID 1284)
      C:\WINDOWS\mssecsvc.exe
        Executes dropped EXE
        Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe  (PID 4276)
        C:\WINDOWS\tasksche.exe /i
          Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe  (PID 228)
  C:\WINDOWS\mssecsvc.exe -m security
    Executes dropped EXE
    Modifies data under HKEY_USERS
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1368)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8

Reading the tree: the DLL is invoked by export ordinal (",#1"). The 64-bit rundll32.exe (PID 1964) re-launches the same command line from SysWOW64 (PID 1076), which is what rundll32 does when handed a 32-bit DLL, and it is that WoW64 instance that writes C:\WINDOWS\mssecsvc.exe and starts it; mssecsvc.exe in turn drops and runs tasksche.exe /i. The second mssecsvc.exe (PID 228, "-m security") has no rundll32.exe ancestor, the shape a service-started instance has in the tree, and it is the instance that sets the ZoneMap values under HKEY_USERS\.DEFAULT. The msedge.exe utility process carries no signature hits.
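The process chain, dropped-file hashes and HKEY_USERS writes above, turned into detection logic as an added example (not part of this sandbox report and not the sample's code). The records it runs over are constructed from the report's process tree and IoCs and shaped like simplified Sysmon process-creation and registry-write events, which is an assumption about log format; the parent PIDs 600, 640 and 900 are placeholders for parents the report does not show, the msedge.exe command line is shortened, and the rule names are the example's own.

```python
"""Added example: match this report's WannaCry process chain, dropped-file
hashes and ZoneMap writes against constructed Sysmon-style events.
Log shape, placeholder parent PIDs and rule names are assumptions."""
import hashlib

# SHA-256 values of the two dropped files, copied from the Downloads section.
DROPPED_SHA256 = {
    "mssecsvc.exe": "9cf90d4a25d502433029c2e23e0c9681be623e191eaa249717183a9f2582b863",
    "tasksche.exe": "a0281ff1352d0668c4d8dda720bb53c13e34d73fa11c405183ac7dc7b04472de",
}

DLL = r"C:\Users\Admin\AppData\Local\Temp\2adf3df26c4c3f88f288958bfaf9710d_JaffaCakes118.dll"

# Constructed process-creation events mirroring the report's process tree.
# ppid 600/640/900 are placeholders: the report does not show those parents.
PROC_EVENTS = [
    {"pid": 1964, "ppid": 600, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": "rundll32.exe " + DLL + ",#1"},
    {"pid": 1076, "ppid": 1964, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": "rundll32.exe " + DLL + ",#1"},
    {"pid": 1284, "ppid": 1076, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 4276, "ppid": 1284, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 228, "ppid": 640, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"pid": 1368, "ppid": 900,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe --type=utility"},  # shortened, constructed
]

# Constructed registry-write events from the "Modifies data under HKEY_USERS" IoCs.
ZONEMAP = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
REG_EVENTS = [
    {"pid": 228, "image": r"C:\WINDOWS\mssecsvc.exe", "key": ZONEMAP + r"\ProxyBypass", "value": 1},
    {"pid": 228, "image": r"C:\WINDOWS\mssecsvc.exe", "key": ZONEMAP + r"\AutoDetect", "value": 0},
]


def basename(path):
    """Case-folded final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from pid up to the root; stops at a parent the log lacks."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect_processes(events):
    """Return (rule, pid) findings for the chain the report documents."""
    findings = []
    for e in events:
        img, cmd = basename(e["image"]), e["cmdline"].lower()
        parents = ancestry(events, e["pid"])[1:]
        # rundll32 loading a DLL from a user temp directory by export ordinal (",#1").
        if img == "rundll32.exe" and "\\appdata\\local\\temp\\" in cmd and cmd.endswith(",#1"):
            findings.append(("rundll32_temp_dll_by_ordinal", e["pid"]))
        # The dropped executables running with rundll32.exe somewhere above them.
        if img in DROPPED_SHA256 and "rundll32.exe" in parents:
            findings.append(("dropped_exe_under_rundll32", e["pid"]))
        # The separate "-m security" instance, which has no rundll32.exe ancestor.
        if img == "mssecsvc.exe" and "-m security" in cmd:
            findings.append(("mssecsvc_service_mode", e["pid"]))
    return findings


def detect_zonemap_writes(events):
    """(pid, image) pairs writing ZoneMap values under the .DEFAULT user hive,
    i.e. from a LocalSystem context rather than an interactive user's profile."""
    hits = set()
    for e in events:
        key = e["key"].lower()
        if key.startswith("\\registry\\user\\.default\\") and "\\zonemap\\" in key:
            hits.add((e["pid"], basename(e["image"])))
    return sorted(hits)


def check_dropped_file(path, data):
    """True/False if the report lists a SHA-256 for this filename, else None."""
    expected = DROPPED_SHA256.get(basename(path))
    if expected is None:
        return None
    return hashlib.sha256(data).hexdigest() == expected


if __name__ == "__main__":
    for finding in detect_processes(PROC_EVENTS) + detect_zonemap_writes(REG_EVENTS):
        print(finding)
```

The chain rule deliberately keys on the parent lineage rather than on the file names alone: mssecsvc.exe and tasksche.exe are trivially renamed, but "executable under C:\WINDOWS started beneath a rundll32.exe that loaded a DLL from a temp directory by ordinal" survives a rename, and the "-m security" instance is caught separately because it runs outside that lineage.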
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 069ea687378fc92fe2e6c3860a151fbc
  SHA1: 79fe3b5bff6041adcff16339b3974eff4d8125d3
  SHA256: 9cf90d4a25d502433029c2e23e0c9681be623e191eaa249717183a9f2582b863
  SHA512: b4724f8a47ba0c2c6eaa56e55ab7b94d16291c1f9ee47adecaeb22d90f3b4ee7b50d007ce1beb9c746b5278e7060cfa9736260ac568dd50ea162d9e68a35a187
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 4e3fa0284f0e97a0ba2864336c379387
  SHA1: 9e295cef404a6bc978f38ace5bd5530483acb382
  SHA256: a0281ff1352d0668c4d8dda720bb53c13e34d73fa11c405183ac7dc7b04472de
  SHA512: 2abac2bf06776836a024153616be4edde903684a143f363e603a8d99b11919733ea750e5cdb80fe06742e9f3b4d55f7301cc882a57837a908bc2ff2baf169e55