Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-05-2024 16:49
Static task: static1
Behavioral task: behavioral1
- Sample: 359489bee79016a277b8f51b0a181a04_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 359489bee79016a277b8f51b0a181a04_JaffaCakes118.dll
- Resource: win10v2004-20240226-en
General
- Target: 359489bee79016a277b8f51b0a181a04_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 359489bee79016a277b8f51b0a181a04
- SHA1: f18d53d62bd048214bd1ff601239a4132cc67883
- SHA256: f0459f64c92eb91fc582f8c7923ff71e15d9b2dbe5c95c40ced4d6d01e153c9a
- SHA512: 522e5108f826320c864a1dc9d9351e095f942cebc5d1a41f769bdb76ef89e8157513147d66cd697b0fcd639ba59f5ea2db1c14600de0c7cfdb4b829160e803e3
- SSDEEP: 49152:znAQqMSPbcBVQej/1xxJM0H9PAMEcaEau3R8x:TDqPoBhz1xxWa9P593R8
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2970) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    3308  mssecsvc.exe
    848   mssecsvc.exe
    1052  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                       Process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    Description      IoC                                                                                                            Process
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description                        PID   Process       Target process
    PID 4616 wrote to memory of 2156   4616  rundll32.exe  rundll32.exe
    PID 4616 wrote to memory of 2156   4616  rundll32.exe  rundll32.exe
    PID 4616 wrote to memory of 2156   4616  rundll32.exe  rundll32.exe
    PID 2156 wrote to memory of 3308   2156  rundll32.exe  mssecsvc.exe
    PID 2156 wrote to memory of 3308   2156  rundll32.exe  mssecsvc.exe
    PID 2156 wrote to memory of 3308   2156  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 4616, depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\359489bee79016a277b8f51b0a181a04_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2156, depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\359489bee79016a277b8f51b0a181a04_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 3308, depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 1052, depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 848, depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3092, depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4340 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  - Filesize: 3.6MB
  - MD5: 355fb63fcbc1dd791da9ede44c50d8de
  - SHA1: 3b6a91f8d576378a76f191ce38b4c89466ca6105
  - SHA256: fed117b7a88977d6daf3fe660ddb6ab235e89965ececf7838b7a7e382aafc02c
  - SHA512: a1f36e462b3a0ede0c95d5c73d5db66f5a82414f48da3694f1698c3767886ddadba86d902af91c61bd90325e116b858f6c3544808befbc07572d80a55c288417
- C:\Windows\tasksche.exe
  - Filesize: 3.4MB
  - MD5: add02fc7dc23ea36f5c41784e17ed6c4
  - SHA1: 7faf9e9a8806f9f449a353a79a35a0d380e4fb1f
  - SHA256: 6580e1b662e9dd9f43142226be19ea39c8952cbbd2bd0c749c12b3afea6fe8af
  - SHA512: 26428bce4b69ce7947bd2cf4ca1260a8aad659241c6c1736d00d9f5ab366a099c1858838cd63775744336e82f89162efe5799ca62abdaac3cbe261cae8b4e170