Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-05-2024 18:24
Static task: static1
Behavioral task: behavioral1
  Sample: 427c26ece5cc58787ae133d0c45b6cc8_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 427c26ece5cc58787ae133d0c45b6cc8_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
Target: 427c26ece5cc58787ae133d0c45b6cc8_JaffaCakes118.dll
Size: 5.0MB
MD5: 427c26ece5cc58787ae133d0c45b6cc8
SHA1: 20ef4eb221b550905e6b7c04a0ae9e80c25e4546
SHA256: 2dfd4a11135512683f97ec40fb26bdb121bd5b27644b7d925b7e17aa75bac407
SHA512: 84585c3e1ba8c64e6b6f5b4d690215aeb61d4d9adc08a34fefae962677d611abde4173fb8d3665e1b58789b76fed9bd25468264f6fc4000c8356e51944085857
SSDEEP: 49152:SnAQJGx+TSqTdX1HkQo6SAASxJM0H9PAMEcaEau3R8yAH1plAH:+DwxcSUDk36SA7xWa9P593R8yAVp2H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large number (2221) of remote hosts 1 TTP
This may indicate a network scan to discover remotely running services. For WannaCry this is the mssecsvc.exe worm component probing TCP/445 (SMB) on the local subnet and on random internet addresses in search of hosts to infect; 2221 is the number of distinct targets it reached during this run.
-
Executes dropped EXE 3 IoCs
Processes:
PID    Process
4716   mssecsvc.exe
4944   mssecsvc.exe
3992   tasksche.exe
-
Drops file in Windows directory 2 IoCs
Processes:
Description    IoC                        Process
File created   C:\WINDOWS\mssecsvc.exe    rundll32.exe
File created   C:\WINDOWS\tasksche.exe    mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
Description       IoC                                                                                                           Process
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                 mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
Note: these ZoneMap values under HKU\.DEFAULT are what WinINet writes the first time it is initialised by a process running as SYSTEM; here that is the service instance of mssecsvc.exe (PID 4944, started with -m security) making its kill-switch HTTP request. They are a side effect of the service context rather than a deliberate proxy or persistence change, and are a weak indicator on their own.
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
Description       Source PID   Source process   Target PID   Target process
wrote to memory   3108         rundll32.exe     3928         rundll32.exe
wrote to memory   3108         rundll32.exe     3928         rundll32.exe
wrote to memory   3108         rundll32.exe     3928         rundll32.exe
wrote to memory   3928         rundll32.exe     4716         mssecsvc.exe
wrote to memory   3928         rundll32.exe     4716         mssecsvc.exe
wrote to memory   3928         rundll32.exe     4716         mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe (PID 3108)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\427c26ece5cc58787ae133d0c45b6cc8_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (PID 3928)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\427c26ece5cc58787ae133d0c45b6cc8_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
        C:\WINDOWS\mssecsvc.exe (PID 4716)
          C:\WINDOWS\mssecsvc.exe
          - Executes dropped EXE
          - Drops file in Windows directory
            C:\WINDOWS\tasksche.exe (PID 3992)
              C:\WINDOWS\tasksche.exe /i
              - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe (PID 4944)
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4656)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8

Reading the tree: the sandbox invokes export #1 of the DLL through rundll32.exe. Because the sample is a 32-bit DLL, the 64-bit rundll32.exe relaunches itself from SysWOW64, so the first WriteProcessMemory pair (3108 -> 3928) is the normal WOW64 handoff and the second (3928 -> 4716) is a parent writing into the child it has just created; neither is evidence of injection by itself. The 32-bit rundll32.exe drops mssecsvc.exe into C:\WINDOWS, which in turn drops and runs tasksche.exe /i, the encryptor. The second mssecsvc.exe (PID 4944, -m security) is at the root of the tree with no parent shown because it is started as a service; that instance performs the SMB scanning and produces the HKEY_USERS changes. The msedge.exe utility process is unrelated background activity of the analysis VM.
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 7b43d71dbfb4dc8eba0e3e2a010c5a31
  SHA1: ebaca15297aa0a266c5ebf7f22f08891dc83903d
  SHA256: 133c67eb527809b01c5977c560949ec03c3fb5b87c8ed4bcd38c580c8bfdbd10
  SHA512: dbff1d2971ffd81f1a3635b8dd6cbbc0543c4f0215f620bbdff04bbf984bf512a9891e177c14f19e5294455b25b1ca8548d532bd47971fb5eb578603ecc91349

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: aa7f6c30c24531e82018968e7aaf8138
  SHA1: 1d0723bcd706cbc0ba7b4111b4d18d549ad7a8f7
  SHA256: dc3fe9a318d69f41e20f378fbd3368b8b7ce30cf1fa17f8d8318612acd24c80c
  SHA512: 2a267267bfa44f74cda7e5f58d1c994381b290ac9c0a46ea8276f60db042fb50f7ba32352478910493a4318b2e8436e9468627d2704921a1203079d3fffce0c1
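The process tree and the dropped-file hashes above are the parts of this report a detection engineer would turn into a rule. The following is an added example, not sandbox output and not the sample's own code: it takes process-creation records modelled on the tree (the record layout, the explorer.exe parent for PID 3108 and the services.exe parent for the service instance PID 4944 are assumptions; the paths, switches and SHA256 values are taken from the report) and flags only the WannaCry chain, while deliberately letting the 64-bit rundll32.exe relaunching itself from SysWOW64 pass, since that is normal WOW64 behaviour. A hashing helper in the same three columns as the report's tables is included for checking files pulled from a suspect host.

```python
"""Flag the WannaCry execution chain from process-creation events.

Added example for this report; not sandbox output or the sample's code.
Indicators (paths, switches, dropped-file hashes) come from the report.
The event schema and the parents of PIDs 3108 and 4944 are assumptions.
"""
import hashlib
import re
from dataclasses import dataclass

# Sample and dropped-file hashes copied from the report.
KNOWN_SHA256 = {
    "2dfd4a11135512683f97ec40fb26bdb121bd5b27644b7d925b7e17aa75bac407": "dropper DLL",
    "133c67eb527809b01c5977c560949ec03c3fb5b87c8ed4bcd38c580c8bfdbd10": "mssecsvc.exe",
    "dc3fe9a318d69f41e20f378fbd3368b8b7ce30cf1fa17f8d8318612acd24c80c": "tasksche.exe",
}
DROPPED_NAMES = {"mssecsvc.exe", "tasksche.exe"}


@dataclass
class ProcEvent:
    """Minimal Sysmon-event-1-like record (assumed schema)."""
    pid: int
    image: str
    cmdline: str
    parent_image: str
    sha256: str = ""


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def wannacry_findings(ev: ProcEvent) -> list[str]:
    """Return every reason this event matches the chain in the report."""
    name, parent, image = _basename(ev.image), _basename(ev.parent_image), ev.image.lower()
    findings = []
    # Dropped binaries run straight out of C:\WINDOWS\ rather than System32.
    if name in DROPPED_NAMES and re.fullmatch(r"c:\\windows\\[^\\]+", image):
        findings.append(f"{name} executed from C:\\WINDOWS")
    # Switches seen in the process tree: service mode and installer mode.
    if name == "mssecsvc.exe" and re.search(r"\s-m\s+security\b", ev.cmdline, re.I):
        findings.append("mssecsvc.exe started with '-m security' (service mode)")
    if name == "tasksche.exe" and re.search(r"\s/i\b", ev.cmdline, re.I):
        findings.append("tasksche.exe started with '/i'")
    # rundll32.exe spawning a non-rundll32 EXE from the Windows directory.
    # The 64-bit rundll32 relaunching itself from SysWOW64 is excluded on purpose.
    if (parent == "rundll32.exe" and name.endswith(".exe")
            and name != "rundll32.exe" and image.startswith("c:\\windows\\")):
        findings.append("rundll32.exe spawned an executable in C:\\Windows")
    if ev.sha256.lower() in KNOWN_SHA256:
        findings.append(f"SHA256 matches known {KNOWN_SHA256[ev.sha256.lower()]}")
    return findings


def scan_events(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map PID -> findings for every event that matched at least once."""
    hits = {}
    for ev in events:
        reasons = wannacry_findings(ev)
        if reasons:
            hits[ev.pid] = reasons
    return hits


def digest_bytes(data: bytes) -> dict[str, str]:
    """MD5/SHA1/SHA256 in the same columns the report's tables use."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def file_hashes(path: str) -> dict[str, str]:
    """Hash a file on disk so it can be compared with the Downloads table."""
    with open(path, "rb") as fh:
        return digest_bytes(fh.read())


# Constructed events mirroring the report's process tree (not real telemetry).
DLL = r"C:\Users\Admin\AppData\Local\Temp\427c26ece5cc58787ae133d0c45b6cc8_JaffaCakes118.dll"
SAMPLE_EVENTS = [
    ProcEvent(3108, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1",
              r"C:\Windows\explorer.exe"),  # launcher parent is an assumption
    ProcEvent(3928, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1",
              r"C:\Windows\system32\rundll32.exe"),
    ProcEvent(4716, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe",
              r"C:\Windows\SysWOW64\rundll32.exe",
              "133c67eb527809b01c5977c560949ec03c3fb5b87c8ed4bcd38c580c8bfdbd10"),
    ProcEvent(3992, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i",
              r"C:\WINDOWS\mssecsvc.exe",
              "dc3fe9a318d69f41e20f378fbd3368b8b7ce30cf1fa17f8d8318612acd24c80c"),
    ProcEvent(4944, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security",
              r"C:\Windows\System32\services.exe",  # service start; parent assumed
              "133c67eb527809b01c5977c560949ec03c3fb5b87c8ed4bcd38c580c8bfdbd10"),
    ProcEvent(4656, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
              "msedge.exe --type=utility",
              r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"),
]

if __name__ == "__main__":
    for pid, reasons in scan_events(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

Run against the constructed events, only PIDs 4716, 3992 and 4944 are reported, each on three independent grounds; the two rundll32.exe instances and the msedge.exe process produce nothing. The path check is deliberately anchored to C:\WINDOWS\ itself, because legitimate binaries live under System32 or SysWOW64, and the hash match is kept as a separate finding so the behavioural rules still fire against a recompiled variant.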