Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-05-2024 11:21
Static task: static1
Behavioral task: behavioral1
- Sample: 840d481def0fe53c5cbc67ec8e4a1641_JaffaCakes118.dll
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 840d481def0fe53c5cbc67ec8e4a1641_JaffaCakes118.dll
- Resource: win10v2004-20240226-en
General
- Target: 840d481def0fe53c5cbc67ec8e4a1641_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 840d481def0fe53c5cbc67ec8e4a1641
- SHA1: 760dfb092ada4f6088d75c6ff24b1ded25a71e87
- SHA256: b5ead8b0f1b16e949da0120d08e2317be002dc4fcc3767d7620276814d4b38b5
- SHA512: 2fff2ad38d84136a4bb445552f6bbc7582fe23f19f5c0425bb2b9b84b1a303e522d36b2a5153d07f375231134765adf4ea78d52ca53b26222399a3351f4250da
- SSDEEP: 49152:znAQqMSPbcBVyINRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEcaEau3:TDqPoBsaRxcSUDk36SAEdhvxWa9P593
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3065) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 1612 mssecsvc.exe
  - 1284 mssecsvc.exe
  - 748 tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  - File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  - PID 4504 wrote to memory of 2184 | 4504 | rundll32.exe | rundll32.exe
  - PID 4504 wrote to memory of 2184 | 4504 | rundll32.exe | rundll32.exe
  - PID 4504 wrote to memory of 2184 | 4504 | rundll32.exe | rundll32.exe
  - PID 2184 wrote to memory of 1612 | 2184 | rundll32.exe | mssecsvc.exe
  - PID 2184 wrote to memory of 1612 | 2184 | rundll32.exe | mssecsvc.exe
  - PID 2184 wrote to memory of 1612 | 2184 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\840d481def0fe53c5cbc67ec8e4a1641_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  PID: 4504
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\840d481def0fe53c5cbc67ec8e4a1641_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    PID: 2184
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      PID: 1612
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
        PID: 748
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
  PID: 1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
  PID: 2608
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: be3f23eb348025da14f5b09c0b4f69a9
  SHA1: 2c854208447a176d5c662466b6164c08106c7e65
  SHA256: 5d24a9562cf938e0ebc25ed77165499d578fa05d92e1d44be429c656b0b97b19
  SHA512: 6e8d564e4496fa7f272dde88996f8a00a6ecd9afd10c09029fae8dab745809fe637ee27f0a3ef7ff1f3137eeed8945cbf5e2e142b87af8cc2c0d97af953befa2
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 2365b3b1700a71b9c952ca54d7e08122
  SHA1: b5484fc668aed29e98d025928ff0848177216921
  SHA256: 8e3171a391430e4efc2fda4f7feac3e118da00d08e415368bb0d0c487d676510
  SHA512: 54518f9aa58a8b7795d9e883f7bd3e0adc41e2756e7cbda92a920ac85d84e478a280ee1c2c5e96277a5e0e2c406c45985af9a80874bfd1503515e58601e02fc7