Analysis
max time kernel: 151s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2024 23:31

Static task: static1
Behavioral task: behavioral1
  Sample: 371d6bbd724de01a9a2360eb231f0381_JaffaCakes118.dll
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 371d6bbd724de01a9a2360eb231f0381_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
Target: 371d6bbd724de01a9a2360eb231f0381_JaffaCakes118.dll
Size: 5.0MB
MD5: 371d6bbd724de01a9a2360eb231f0381
SHA1: 193af11586a776674d202d1964bcc84dd514d967
SHA256: 3713c9324fe597da1baeb94ed3d29d37654a4f332dd0b90132de7dc9a7340015
SHA512: d71a9962053407786920ac8c4830456786fe7eb6c5a8b91470352469042f29c50ef40dd0421140e9013927364aa6e0c7185583379fbcf6f477b2e9819d2b76dc
SSDEEP: 49152:JnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:dDqPoBhz1aRxcSUDk36SAEdhv
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2879) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid  | process
    228  | mssecsvc.exe
    4604 | mssecsvc.exe
    4692 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description  | ioc                      | process
    File created | C:\WINDOWS\mssecsvc.exe  | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe  | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description     | ioc                                                                                                   | process
    Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\           | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                        | pid  | process      | target process
    PID 1496 wrote to memory of 1596   | 1496 | rundll32.exe | rundll32.exe
    PID 1496 wrote to memory of 1596   | 1496 | rundll32.exe | rundll32.exe
    PID 1496 wrote to memory of 1596   | 1496 | rundll32.exe | rundll32.exe
    PID 1596 wrote to memory of 228    | 1596 | rundll32.exe | mssecsvc.exe
    PID 1596 wrote to memory of 228    | 1596 | rundll32.exe | mssecsvc.exe
    PID 1596 wrote to memory of 228    | 1596 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\371d6bbd724de01a9a2360eb231f0381_JaffaCakes118.dll,#1
  PID: 1496
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\371d6bbd724de01a9a2360eb231f0381_JaffaCakes118.dll,#1
    PID: 1596
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 228
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 4692
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 4604
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
  PID: 3288
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 5cc0a9c1e6cfbe42be5bc924f527cebc
  SHA1: 409b82d64243cc8047777a3d3acb275c1e18430c
  SHA256: 93dfe81c06b6b4b8e85c4c0743d27b1614df743c883f8b281d4919195c108cb3
  SHA512: 7a1bb0dc759530a616324415fecd410c4121cc31da89e002dabb1b3f6e2009f1da602e59ed692dd469906b48981b7401bd4c8ec7426a8b41995bcb6243b2e6e6
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: b4349fb0b243bf4bdc8285e0598b74c3
  SHA1: 47dc524381e96678a7ed255f9d21bb4d499bfff9
  SHA256: d7fe6cd6f8f9079ce3189b5ba55ac78c7877e07da32733f63ffb1e94338de133
  SHA512: 8dd48ef20a07b75032bb6ef2188447684e95688571624adcf216151112d563dfc0ac820699fba8f7e9d35eba01abf59affd0114a198c37b6c6d9478c87e6cfe0