Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 13:22
Static task: static1
Behavioral task: behavioral1
- Sample: 5f4c3473fd212376548903295eb8a4e2_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 5f4c3473fd212376548903295eb8a4e2_JaffaCakes118.dll
- Resource: win10v2004-20240226-en
General
- Target: 5f4c3473fd212376548903295eb8a4e2_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 5f4c3473fd212376548903295eb8a4e2
- SHA1: cb41c7d8e759feed8d8752d01c447d20f486369e
- SHA256: 5dc870dcb3aa373a6d019fc664ac9301a47d38747494e1926ab7830c57136b1a
- SHA512: 127d9582d805fe3cd82a03fdeb2f032fb2a2a5e53d8d7c9744908e64db0db890d7914a34526036818b76d64a86979feb5dbb857f6687b61acb824ac8fa5d7f97
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yA:+DqPe1Cxcxk3ZAEUadzR8y
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3069) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
pid    process
3408   mssecsvc.exe
3120   mssecsvc.exe
4048   tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
description    ioc                        process
File created   C:\WINDOWS\mssecsvc.exe    rundll32.exe
File created   C:\WINDOWS\tasksche.exe    mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
description       ioc                                                                                                                  process
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"      mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"     mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"    mssecsvc.exe
Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"       mssecsvc.exe
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                       mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description                          pid    process        target process
PID 792 wrote to memory of 2260      792    rundll32.exe   rundll32.exe
PID 792 wrote to memory of 2260      792    rundll32.exe   rundll32.exe
PID 792 wrote to memory of 2260      792    rundll32.exe   rundll32.exe
PID 2260 wrote to memory of 3408     2260   rundll32.exe   mssecsvc.exe
PID 2260 wrote to memory of 3408     2260   rundll32.exe   mssecsvc.exe
PID 2260 wrote to memory of 3408     2260   rundll32.exe   mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f4c3473fd212376548903295eb8a4e2_JaffaCakes118.dll,#1
  PID: 792
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f4c3473fd212376548903295eb8a4e2_JaffaCakes118.dll,#1
    PID: 2260
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      PID: 3408
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        PID: 4048
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3120
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1412 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
  PID: 2376
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 3.6MB
MD5: 1e49ec3322261d919e0070973b634f0f
SHA1: 4cc76abc0a88952478c079dd0d2e0b33a32b82ea
SHA256: 97eda67ce9c099ec7782170d6aed3103e87d23778adab79bf8cfdd52c3d0d965
SHA512: b3e01e2e2a38e93eebfdfc24240751e3ba650ee0715ee1fe586acee77d6e31dd9a3821875c4e61647d016650145b189ced3e753e0828856d12a8bd991084a9ed
-
Filesize: 3.4MB
MD5: e1caa5bc7400f440ab84f95df6569fdf
SHA1: 5e0a8b91fb4d62b596cc7b94e69c61514af3457a
SHA256: 9179b360e2a699779a60f4c4a76868a17c3556b510016f94190e3145615edd33
SHA512: 128163b5ac10fa5cda1cc24b1a48b4eb7a8141f574fc1227ce569e4b89a90b3e2104a7194a31acf280db36945d01e8d2444a1b52c54753a5fd3a5432ce760320