Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-05-2024 15:10
Static task: static1
Behavioral task: behavioral1
  Sample: 75e24aea15162245448361892ea979d7_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 75e24aea15162245448361892ea979d7_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 75e24aea15162245448361892ea979d7_JaffaCakes118.dll
Size: 5.0MB
MD5: 75e24aea15162245448361892ea979d7
SHA1: eb45e80dab5f0a686701cb97ea3bbece94f467db
SHA256: 22f08fa4efaf2bd2d87ca337d1b5641519725640f40d190fdcd3875e3b95e999
SHA512: 1bedbf28adb48e5fdadf5d8635c61462edfd716ba9a9b6ce1227daa280d365ab48510024557f54282891b2e8523f600c5a1fead6cbf78e3269e97e865b337a1c
SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:TDqPoBhz1aRxcSUDk36SA
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3293) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    2228  mssecsvc.exe
    3412  mssecsvc.exe
    4588  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                      process
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description      ioc  process
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                      pid   process       target process
    PID 744 wrote to memory of 4888  744   rundll32.exe  rundll32.exe
    PID 744 wrote to memory of 4888  744   rundll32.exe  rundll32.exe
    PID 744 wrote to memory of 4888  744   rundll32.exe  rundll32.exe
    PID 4888 wrote to memory of 2228  4888  rundll32.exe  mssecsvc.exe
    PID 4888 wrote to memory of 2228  4888  rundll32.exe  mssecsvc.exe
    PID 4888 wrote to memory of 2228  4888  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\75e24aea15162245448361892ea979d7_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:744
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\75e24aea15162245448361892ea979d7_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4888
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:2228
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:4588
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4372,i,6576818814118437872,11004518367271063231,262144 --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:8
  PID:3004
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 4dcd1a0e69737b7dabfc674939128b3b
  SHA1: 6b52a9657275749f0bb9aaff087d9e21775f6852
  SHA256: a5ba3219efbbf382fb4fc972549afbd7d721c4b49b4af92b8a767ec23de26a38
  SHA512: bc4a882c520e5b2aa9c0a91b917e9aa13a1a58e9667ba37030428df0296d3e863e431d8241fc59079b8395e748769e366a68fbada74c1107495ddacb8a9dcbfc
- Filesize: 3.4MB
  MD5: 52b3e549e037de9a3109704ccd4aaa72
  SHA1: f382881b2e454977b4fd4686834866350ef66b94
  SHA256: d6361700e59b6339ed38270a4970b512f08f1f9dc8819e03d5b7bded7f1d5714
  SHA512: 7a232b012b314124a743dd8569a5a5970b4d6bfc0445fd12d74bc203135bd8a8d5f5daf0ce30602825da3a87e77e57192309eefcf96fda6a7439ae6806eba948