Analysis
-
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17-05-2024 20:01
Static task
static1
Behavioral task
behavioral1
Sample
513d519a1542b8ae4c25cc02cff2d2e3_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
513d519a1542b8ae4c25cc02cff2d2e3_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target: 513d519a1542b8ae4c25cc02cff2d2e3_JaffaCakes118.dll
Size: 5.0MB
MD5: 513d519a1542b8ae4c25cc02cff2d2e3
SHA1: 5bf8da7dfc2fd5b756a59ee7325ec2ab45e6cc2d
SHA256: c687a8a161b7722282c35d4413b14ba454001a509850a64cd35050481a8cf60f
SHA512: 1740e4ed73d61682e0fba185d045fa25c5ffee45b37177bf00292e1168d09c9964f14f86f49475f1b7fe125de23524334ea9d7ba2b96585470166c48aa4e9d44
SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R:TDqPe1Cxcxk3ZAEUadzR
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3373) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
1832 | mssecsvc.exe
5020 | mssecsvc.exe
4900 | tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 728 wrote to memory of 1492 | 728 | rundll32.exe | rundll32.exe
PID 728 wrote to memory of 1492 | 728 | rundll32.exe | rundll32.exe
PID 728 wrote to memory of 1492 | 728 | rundll32.exe | rundll32.exe
PID 1492 wrote to memory of 1832 | 1492 | rundll32.exe | mssecsvc.exe
PID 1492 wrote to memory of 1832 | 1492 | rundll32.exe | mssecsvc.exe
PID 1492 wrote to memory of 1832 | 1492 | rundll32.exe | mssecsvc.exe
Processes
-
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\513d519a1542b8ae4c25cc02cff2d2e3_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 728
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\513d519a1542b8ae4c25cc02cff2d2e3_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1492
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 1832
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 4900
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4572,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4168 /prefetch:8
  PID: 1792
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Windows\mssecsvc.exe
Filesize: 3.6MB
MD5: 3ebdc37021a17453b25a109c998b822b
SHA1: b1b8c3ad91b7426edd5770b07852ad80d2e299ed
SHA256: 069188530be4866f8a5f481fa8868700f63fcb23dc7a3fe81792190b22e50c77
SHA512: f821872ec93f4ec8247c523b8e65ebcd0ca5645cba0193e0c18d618b246e4badfa34eff827ab949a493a44c23058eb6797e09670b5785ad593f9954ca078afdb
-
C:\Windows\tasksche.exe
Filesize: 3.4MB
MD5: 8d3175901b880895e04969f34a94db7e
SHA1: 7ba2e3860d6cb17c4bb728d8c0c366ebca5c1953
SHA256: 5f23927337366102bc0ce281f8c9dbe04afc0615fbe48674a3c6c6463c054762
SHA512: 76f777081f5cb57c657e4bc647e6e651b907a849620f3377b0805f73a06fc9c08c4ff84d032436bd0edcbadc9ed324132dd26694e6976e09da32c924be09e8ee