Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-05-2024 09:06
Static task: static1
Behavioral task: behavioral1
  Sample: 717b007a1acd713cd369a3c736fe30fb_JaffaCakes118.dll
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 717b007a1acd713cd369a3c736fe30fb_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 717b007a1acd713cd369a3c736fe30fb_JaffaCakes118.dll
Size: 5.0MB
MD5: 717b007a1acd713cd369a3c736fe30fb
SHA1: 75c47834540254dc6907a1431526bb084f70d929
SHA256: 510203ff4298ac898aa7aaeb86463873ae176386a6f59d3782d51047b502ee60
SHA512: 70fd6e0fb4621b84815ceb5dab1eb3bbd9a963af6613942d1fd9d26b60333f1cfbe173058cafac454e0648e91dc88e2fc72f7299248c64853cc5d70117ec5449
SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626M+:SnAQqMSPbcBVQej/1INRx+
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3327) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    892   mssecsvc.exe
    864   mssecsvc.exe
    3408  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 2228 wrote to memory of 2940  2228  rundll32.exe  rundll32.exe
    PID 2228 wrote to memory of 2940  2228  rundll32.exe  rundll32.exe
    PID 2228 wrote to memory of 2940  2228  rundll32.exe  rundll32.exe
    PID 2940 wrote to memory of 892   2940  rundll32.exe  mssecsvc.exe
    PID 2940 wrote to memory of 892   2940  rundll32.exe  mssecsvc.exe
    PID 2940 wrote to memory of 892   2940  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\717b007a1acd713cd369a3c736fe30fb_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\717b007a1acd713cd369a3c736fe30fb_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4432,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 306c59f3737f76822e995cfd2075acaa
  SHA1: 9290429aff55289bb681e230fee19dc3d7a3387c
  SHA256: a10ef4f3d2f81a1d38bac2bb959f541972957ac8f87601bc0df543d59a3757e7
  SHA512: 2902cc31cf2d7328afdea6e2c768538abb55075a3a625b3025879e631ac92022848238a306ca973602423c00ca317252925362037657af6518bb6adcb9655903
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 2ba1e1fe207489a1347e5798421ac2e7
  SHA1: 6125b99205432e9d2c555cb36cb96572a881e65e
  SHA256: fce7b7a7832abcd02295e4d339fbe5b5d73d46bc3b577123a364d1c39e423888
  SHA512: 09c3f03e19a51e56918c650cb2e62b1004e14d53e42bd117b2f9864abf53110c594bf139c6a84ccff1968ffb7eab875319b36b9a78f834172bd958f95fa5e494