Analysis
- Max time kernel: 135s
- Max time network: 138s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240508-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 18-05-2024 01:17
Static task
- static1

Behavioral task
- behavioral1
  Sample: 52273974a0123165fa8fbd867fa6dce5_JaffaCakes118.dll
  Resource: win7-20240221-en

Behavioral task
- behavioral2
  Sample: 52273974a0123165fa8fbd867fa6dce5_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 52273974a0123165fa8fbd867fa6dce5_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 52273974a0123165fa8fbd867fa6dce5
- SHA1: 35f1258534d55dd40ad036af00a7b82cb692843d
- SHA256: 022c9efcf232fdfabcfba1423deb8ade3a49ae6480bddd4d58b4ca712e2ebd02
- SHA512: 389091e8ebbbbeb2709bed52ee3cbb7149a8f4f283c49cbf35ccbc93437f3472a4c272ab401ca3f22eadcfce067bfde179a1be1a9dbf07aa6c8ea53506ca9744
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIwQ2bYy:SnAQqMSPbcBVQej/
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (2864) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes (PID, process):
  - 4964 mssecsvc.exe
  - 2240 mssecsvc.exe
  - 2028 tasksche.exe

- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Drops file in Windows directory (2 IoCs)
  Processes (description, IoC, process):
  - File created: C:\WINDOWS\tasksche.exe by mssecsvc.exe
  - File created: C:\WINDOWS\mssecsvc.exe by rundll32.exe

- Checks processor information in registry (2 TTPs, 3 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, IoC, process):
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 by POWERPNT.EXE
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz by POWERPNT.EXE
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by POWERPNT.EXE

- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description, IoC, process):
  - Key opened: \REGISTRY\MACHINE\Hardware\Description\System\BIOS by POWERPNT.EXE
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily by POWERPNT.EXE
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU by POWERPNT.EXE

- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, IoC, process):
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ by mssecsvc.exe
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" by mssecsvc.exe
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" by mssecsvc.exe
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" by mssecsvc.exe
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" by mssecsvc.exe

- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  Processes (PID, process):
  - 3636 POWERPNT.EXE

- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (PID, process):
  - 3636 POWERPNT.EXE
  - 3636 POWERPNT.EXE
  - 3636 POWERPNT.EXE
  - 3636 POWERPNT.EXE

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, PID, process, target process):
  - PID 4736 wrote to memory of 3120: rundll32.exe -> rundll32.exe
  - PID 4736 wrote to memory of 3120: rundll32.exe -> rundll32.exe
  - PID 4736 wrote to memory of 3120: rundll32.exe -> rundll32.exe
  - PID 3120 wrote to memory of 4964: rundll32.exe -> mssecsvc.exe
  - PID 3120 wrote to memory of 4964: rundll32.exe -> mssecsvc.exe
  - PID 3120 wrote to memory of 4964: rundll32.exe -> mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 4736)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\52273974a0123165fa8fbd867fa6dce5_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3120)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\52273974a0123165fa8fbd867fa6dce5_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 4964)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2028)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

- C:\WINDOWS\mssecsvc.exe (PID 2240)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE (PID 3636)
  Command line: "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /n "C:\Users\Admin\Desktop\UnprotectRegister.potm"
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 4baf69383a9fc1b6da854b63272e300f
  SHA1: 08ea3eb52583c2fd25ee7dc6a19ef5fa6c199138
  SHA256: 04910bfe3dab5e3d912b28c4c94614d9b826bb261dbe5135e3cca5f854624221
  SHA512: 13f6995db6ddb62f3731105af44cf500daff1f365324c45ce24da2d9026f853db57ca2a9e3a1f29e5c87c9f2655a4b6a6f6b5f761e93b1f541b4752559cd9278

- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: c5df4ec60f1f3a939577111217672171
  SHA1: 0eee00b69479940e562650d8fa31f7e89678152f
  SHA256: 8ff377030e6bc316de9d062090a780542d7512ca4debc1e21c78f5a4720b7d2f
  SHA512: 2f9d784fde6ff56cbc2c1e355c7a2288d34722b0f8adbe9c50ddebb4cb0380f926323f83222f8182c101d2190a7aff7f9f0f67c96ce00a20a9e7c8af9248c0f5

- Memory dumps (file, filesize):
  - memory/3636-8-0x00007FFA4B0D0000-0x00007FFA4B0E0000-memory.dmp: 64KB
  - memory/3636-10-0x00007FFA4B0D0000-0x00007FFA4B0E0000-memory.dmp: 64KB
  - memory/3636-9-0x00007FFA4B0D0000-0x00007FFA4B0E0000-memory.dmp: 64KB
  - memory/3636-11-0x00007FFA4B0D0000-0x00007FFA4B0E0000-memory.dmp: 64KB
  - memory/3636-12-0x00007FFA4B0D0000-0x00007FFA4B0E0000-memory.dmp: 64KB
  - memory/3636-13-0x00007FFA48DD0000-0x00007FFA48DE0000-memory.dmp: 64KB
  - memory/3636-14-0x00007FFA48DD0000-0x00007FFA48DE0000-memory.dmp: 64KB
  - memory/3636-37-0x00007FFA4B0D0000-0x00007FFA4B0E0000-memory.dmp: 64KB
  - memory/3636-38-0x00007FFA4B0D0000-0x00007FFA4B0E0000-memory.dmp: 64KB
  - memory/3636-40-0x00007FFA4B0D0000-0x00007FFA4B0E0000-memory.dmp: 64KB
  - memory/3636-39-0x00007FFA4B0D0000-0x00007FFA4B0E0000-memory.dmp: 64KB