Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-05-2024 17:50
Static task: static1
Behavioral task: behavioral1
  Sample: 5aaa734ecd61d2a8faf15c843cd86709_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5aaa734ecd61d2a8faf15c843cd86709_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 5aaa734ecd61d2a8faf15c843cd86709_JaffaCakes118.dll
Size: 5.0MB
MD5: 5aaa734ecd61d2a8faf15c843cd86709
SHA1: 5f796929bc7301c15c7e80b6ad232c8076c99de1
SHA256: d7a72ff750c8efe9e3e5fb8fddd60c250b3cab76118ac835ea306e1e9f830412
SHA512: ca720bc29b066b4c29bb48047af0b97fe7275a94ad4f41a97b102383c254211481da8c8bb23c249214732896580f7c1886da0101fe7597b598c427faaf136ea9
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdd1HkQ:+DqPoBhz1aRxcSUZk
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.
Contacts a large (3366) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    4256  mssecsvc.exe
    2920  mssecsvc.exe
    452   tasksche.exe
Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                       Process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    Description      IoC                                                                                                              Process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description                        Source process   Target process
    PID 2224 wrote to memory of 3140   rundll32.exe     rundll32.exe
    PID 2224 wrote to memory of 3140   rundll32.exe     rundll32.exe
    PID 2224 wrote to memory of 3140   rundll32.exe     rundll32.exe
    PID 3140 wrote to memory of 4256   rundll32.exe     mssecsvc.exe
    PID 3140 wrote to memory of 4256   rundll32.exe     mssecsvc.exe
    PID 3140 wrote to memory of 4256   rundll32.exe     mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5aaa734ecd61d2a8faf15c843cd86709_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2224
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5aaa734ecd61d2a8faf15c843cd86709_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 3140
        C:\WINDOWS\mssecsvc.exe
          Command line: C:\WINDOWS\mssecsvc.exe
          - Executes dropped EXE
          - Drops file in Windows directory
          PID: 4256
            C:\WINDOWS\tasksche.exe
              Command line: C:\WINDOWS\tasksche.exe /i
              - Executes dropped EXE
              PID: 452
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 2920
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4068,i,1809100026287847100,9768898026582633513,262144 --variations-seed-version --mojo-platform-channel-handle=4072 /prefetch:8
  PID: 1020
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 3.6MB
  MD5: cabd09bbf6e65a38851007c1fa84b3c0
  SHA1: 6a0f1aff1e9ca5c8cceb6e385b96f2fcafd2a1f7
  SHA256: 6e5334295a211e1ba5639c7688747397ea3dc63789dbd41c800b6daa5fc021d5
  SHA512: aa85a0886debbccc28251b9c900e14ead86cf94ed9e83405a5d3c207e4ec001cf66e511baf652c86e3c8570364988e925f70f35c938dda5702bc94ac8c05572c
File 2
  Filesize: 3.4MB
  MD5: e7777114d041dc7bb21c7dbe47d25b08
  SHA1: 0f849ab7d459137d33f6bdd001333bd7f2e255a1
  SHA256: 9f891d4df21a14f582ef00570c3f358daafd44c1b72c30e24c3ec87ad89c9472
  SHA512: 320b4442bda23bd96bd844d5de71a36cd21ab77cfcee9006a3f2905dffa3ca29f968a239f777b1df057bd8ac563db75e5aefd55ca8ff0c080b2780c2d34bad5f