Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-05-2024 09:15
Static task
- static1
Behavioral task
- behavioral1
  Sample: 33d9881cf386853f2ffad76685b9340d_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 33d9881cf386853f2ffad76685b9340d_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
- Target: 33d9881cf386853f2ffad76685b9340d_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 33d9881cf386853f2ffad76685b9340d
- SHA1: b46a85f2adfe51c43342d536f2fde4328ac6a2d6
- SHA256: f17efd607395c546c7cd870a05f5cebf607609e051047df8ef4d8dc831b50760
- SHA512: 130904e9035884573b55cbe3c4bd2f9040ae9a20aa4d6274148153c39564c764bc3410c7e9fafd980fec2390abd960460e92ed020b1ce387869a525eb43ada8a
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2:+DqPe1Cxcxk3ZAEUadzR8yc4
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3103) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    4848  mssecsvc.exe
    2876  mssecsvc.exe
    3952  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 1800 wrote to memory of 2348  1800  rundll32.exe  rundll32.exe
    PID 1800 wrote to memory of 2348  1800  rundll32.exe  rundll32.exe
    PID 1800 wrote to memory of 2348  1800  rundll32.exe  rundll32.exe
    PID 2348 wrote to memory of 4848  2348  rundll32.exe  mssecsvc.exe
    PID 2348 wrote to memory of 4848  2348  rundll32.exe  mssecsvc.exe
    PID 2348 wrote to memory of 4848  2348  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\33d9881cf386853f2ffad76685b9340d_JaffaCakes118.dll,#1
  PID: 1800
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\33d9881cf386853f2ffad76685b9340d_JaffaCakes118.dll,#1
    PID: 2348
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4848
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 3952
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2876
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
  PID: 4200
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: effdba0b065ac5063a35e8778e6707a6
  SHA1: 1d2da67f250705d86d969da4311d0a977fdf9239
  SHA256: 89d714fa7f3b6398e36ae8f690e70fadc14a339136bf0bf9226bca9cae79f639
  SHA512: 7afda939ae0fed2f4b3f19ed170811ba76e3800607eea9238d07119176df39a923a50a9315e1498d9f8bd7c4e06fd4324dd91e4a552b34e3db1c09b40fc7bea8
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: b19c3d16e15df9ca9773be40f2f5f3e2
  SHA1: 2d6e8d30ccfb42813d1dca14bdff463d115052ad
  SHA256: 54e859d3814ff99b3152885ec84a1e743e8b1884a41c01a53ef480fde0b07fd7
  SHA512: 9623e9115848a79577a6e76968321d7e348f88a7dca31760170f3276e868d606d38da2024cdb67e0d8b0c4ddacc8e916ae61c0aab931a206604f195020d6f2ec