Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 05:26
Static task: static1
Behavioral task: behavioral1
- Sample: 662718b21bdf61122692c3c5da90f48a_JaffaCakes118.dll
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 662718b21bdf61122692c3c5da90f48a_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 662718b21bdf61122692c3c5da90f48a_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 662718b21bdf61122692c3c5da90f48a
- SHA1: 7942ab3ba18bb927bbb1d867e5d33dc88c16cad4
- SHA256: 8fc37766c6b437ef8f007dda6ad2023f3c50a45290442b0abe00d1682eabc174
- SHA512: d7e00bbbf641375adda9deee4a08ccd7f2d68c9d8a5c202657d34d8ed5133f84990c98df6fb24e57893c83ff8cb622128c672df35162ac2f88947885fdc053af
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAR:+DqPoBhz1aRxcSUDk36SAE
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3369) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  4576  mssecsvc.exe
  768   mssecsvc.exe
  4008  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 3368 wrote to memory of 4052  3368  rundll32.exe  rundll32.exe
  PID 3368 wrote to memory of 4052  3368  rundll32.exe  rundll32.exe
  PID 3368 wrote to memory of 4052  3368  rundll32.exe  rundll32.exe
  PID 4052 wrote to memory of 4576  4052  rundll32.exe  mssecsvc.exe
  PID 4052 wrote to memory of 4576  4052  rundll32.exe  mssecsvc.exe
  PID 4052 wrote to memory of 4576  4052  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\662718b21bdf61122692c3c5da90f48a_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\662718b21bdf61122692c3c5da90f48a_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3148,i,1697479186275492802,18058102846092193784,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e287d484beb2d316752752fa77568ea4
  SHA1: 8f3e23265db7635e369fb262ae37cbd52301c0fb
  SHA256: 9645a834491bb864d1c5d89453202960a03aed946a9998ee0c89a251ba683eab
  SHA512: ff0eaa6c161111ab98487c84dc0a12d7068febc44987d03163e6dbfa50e84e27fea1413904787518d8f1d593d3843d4a7efddee307a839ed926be0dca45dec2b
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: b4dc894fe688f15b1b27a226e794c396
  SHA1: f0d2bfb3c12e5efe9af0205af2b3e0ad147540fa
  SHA256: 149d329238b3791ea6734016c0ccba29eec0267625f1062653edfc1975d4062d
  SHA512: 2caf09576ceb2cad251e6cdf8651d227a06a9e43f63066adeb501eca14d56ffccbcfcd89a5d5714d33243274d16eb4e89e8e45638f9c9c9991f7e7517bd155e7