Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-05-2024 04:07
Static task: static1

Behavioral task: behavioral1
  Sample: 85ee37ea174b466e6a55c36e7e5104a4_JaffaCakes118.dll
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 85ee37ea174b466e6a55c36e7e5104a4_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General

Target: 85ee37ea174b466e6a55c36e7e5104a4_JaffaCakes118.dll
Size: 5.0MB
MD5: 85ee37ea174b466e6a55c36e7e5104a4
SHA1: 2ca84a45c50c6664ee928eeb3a3cfc6bdf954226
SHA256: 0c3056c18e3201b7963d4a9e9fe1560271562095f5ea43245a38bdbc38f3cdc7
SHA512: db3487b1b482908de15391bcbae0389729b4dae16f53d7e538643b860b66d8b7e963478992fe791004ba5987121dc13df62b47eebfd2192f185dcbab277465a1
SSDEEP: 98304:+DqPoBhz13RxcSUDk36SAEdhvxWa9P593R8yAVp2:+DqPe1hxcxk3ZAEUadzR8yc4
Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3177) number of remote hosts  (1 TTP)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE  (3 IoCs)
  PID   Process
  4456  mssecsvc.exe
  8     mssecsvc.exe
  5084  tasksche.exe

Creates a large number of network flows  (1 TTP)
This may indicate a network scan to discover remotely running services.

Drops file in Windows directory  (2 IoCs)
  Description   IoC                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe

Modifies data under HKEY_USERS  (5 IoCs)
  Description      IoC                                                                                                  Process
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe

Suspicious use of WriteProcessMemory  (6 IoCs)
  Source PID  Source process  Target PID  Target process  Writes
  5052        rundll32.exe    1828        rundll32.exe    3
  1828        rundll32.exe    4456        mssecsvc.exe    3
Processes

C:\Windows\system32\rundll32.exe  (PID 5052)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\85ee37ea174b466e6a55c36e7e5104a4_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  (PID 1828)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\85ee37ea174b466e6a55c36e7e5104a4_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe  (PID 4456)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe  (PID 5084)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe  (PID 8, started outside the rundll32 tree; no parent recorded)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1912, unrelated browser utility process)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4356,i,15142778360084620907,1763097090506261076,262144 --variations-seed-version --mojo-platform-channel-handle=4428 /prefetch:8
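Each signature above is a test over the recorded telemetry: a file created under C:\Windows\ that is later launched, a rundll32 -> mssecsvc.exe -> tasksche.exe ancestry, ZoneMap values written under HKEY_USERS, and one process touching thousands of distinct hosts. The Python below is an added example, not part of this report or of any sandbox tooling, that runs those four tests over constructed events modelled on the process tree, file drops, registry writes and host count shown here. The event schema, the placeholder parent PIDs 4000 and 700 (the report records no parent for PID 5052 or PID 8), destination port 445, and the 100-host threshold are my assumptions.

```python
"""Detection logic for the behaviour recorded in the report above.

Constructed telemetry only: the event records below are shaped after the
report's process tree, file drops, registry writes and remote-host count;
they are not real sandbox output.
"""
from collections import defaultdict

WINDIR = "c:\\windows\\"
ZONEMAP = "\\software\\microsoft\\windows\\currentversion\\internet settings\\zonemap\\"
WANNACRY_CHAIN = ("rundll32.exe", "mssecsvc.exe", "tasksche.exe")

DLL = r"C:\Users\Admin\AppData\Local\Temp\85ee37ea174b466e6a55c36e7e5104a4_JaffaCakes118.dll"
HKU_ZONEMAP = r"\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"

# Constructed events mirroring the report. ppid 4000 and 700 are placeholders:
# the report records no parent for PID 5052 or PID 8.
EVENTS = [
    {"t": "proc", "pid": 5052, "ppid": 4000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": f"rundll32.exe {DLL},#1"},
    {"t": "proc", "pid": 1828, "ppid": 5052, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": f"rundll32.exe {DLL},#1"},
    {"t": "file", "pid": 1828, "path": r"C:\WINDOWS\mssecsvc.exe"},
    {"t": "proc", "pid": 4456, "ppid": 1828, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe"},
    {"t": "file", "pid": 4456, "path": r"C:\WINDOWS\tasksche.exe"},
    {"t": "proc", "pid": 5084, "ppid": 4456, "image": r"C:\WINDOWS\tasksche.exe",
     "cmd": r"C:\WINDOWS\tasksche.exe /i"},
    {"t": "proc", "pid": 8, "ppid": 700, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe -m security"},
]
EVENTS += [{"t": "reg", "pid": 8, "key": f"{HKU_ZONEMAP}\\{name}", "value": val}
           for name, val in (("ProxyBypass", 1), ("IntranetName", 1),
                             ("UNCAsIntranet", 1), ("AutoDetect", 0))]
# 3177 distinct destinations, the count the report gives. Port 445 is an
# assumption (WannaCry's known SMB spreading); the report lists only the count.
EVENTS += [{"t": "net", "pid": 8, "dst": f"10.0.{i // 256}.{i % 256}", "dport": 445}
           for i in range(3177)]


def _name(image):
    return image.rsplit("\\", 1)[-1].lower()


def procs_by_pid(events):
    return {e["pid"]: e for e in events if e["t"] == "proc"}


def lineage(events, pid):
    """Image names from the oldest recorded ancestor down to `pid`."""
    procs, chain = procs_by_pid(events), []
    while pid in procs:
        chain.append(_name(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain[::-1]


def matches_chain(events, pid, chain=WANNACRY_CHAIN):
    """True when `chain` occurs in order (gaps allowed) in pid's ancestry, so the
    report's rundll32 -> rundll32 -> mssecsvc -> tasksche lineage still matches."""
    it = iter(lineage(events, pid))
    return all(any(step == n for n in it) for step in chain)


def executes_dropped_exe(events):
    """PIDs whose image was created under C:\\Windows\\ earlier in the trace
    (signatures 'Drops file in Windows directory' and 'Executes dropped EXE')."""
    dropped, hits = set(), []
    for e in events:
        if e["t"] == "file" and e["path"].lower().startswith(WINDIR):
            dropped.add(e["path"].lower())
        elif e["t"] == "proc" and e["image"].lower() in dropped:
            hits.append(e["pid"])
    return hits


def zonemap_writes(events):
    """ZoneMap values written under HKEY_USERS (signature 'Modifies data under HKEY_USERS')."""
    return {e["key"].rsplit("\\", 1)[-1]: e["value"]
            for e in events if e["t"] == "reg" and ZONEMAP in e["key"].lower()}


def scanning_processes(events, threshold=100):
    """PIDs contacting more than `threshold` distinct hosts
    (signature 'Contacts a large number of remote hosts')."""
    hosts = defaultdict(set)
    for e in events:
        if e["t"] == "net":
            hosts[e["pid"]].add(e["dst"])
    return {pid: len(h) for pid, h in hosts.items() if len(h) > threshold}


def report(events):
    return {
        "dropped_exe_pids": executes_dropped_exe(events),
        "wannacry_chain_pids": [p for p in procs_by_pid(events) if matches_chain(events, p)],
        "zonemap": zonemap_writes(events),
        "scanners": scanning_processes(events),
    }


if __name__ == "__main__":
    for key, value in report(EVENTS).items():
        print(f"{key}: {value}")
```

Two caveats when reusing this against real telemetry. The ZoneMap values under HKU\.DEFAULT are commonly written when any SYSTEM-context process first initialises WinINet, so on their own they are weak evidence; the dropped-and-executed binaries under C:\Windows\ and the distinct-host count carry the detection. The 100-host threshold is a starting point only: legitimate scanners, backup agents and monitoring hosts will exceed it, so scope the rule to processes that are not on an allow-list or, as here, that also appear in the dropped-EXE set.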
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\WINDOWS\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 5433df247f251572a8ce800369692d55
  SHA1: d731ac55b841044b41edc21f95e671494f56a1bd
  SHA256: 9539c79cbc93bd3c8d47bb28e5559dd659578efdd68d23b5a532253789b94780
  SHA512: ca9b4feaca57a9b3d079fee12323936c98d705753a642e96691c7873c3fbade7ec3591aa822f7a5f05b7c696f9f481ab45d18f82ed7da8cfea12ec5abb203c5b

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 3bacffc806936ef8a8a9c960b49acc32
  SHA1: 5489a7cd1dafd8ef73e7d79fe14bf2f3abb85205
  SHA256: f70cef584695bc233c392b39fe252cac5a44158940dc330db98ec9c6426fa5e1
  SHA512: 9d80fe87cdd24641bd33a22609010072b8dd3608b3180ffc82c0179253da04bebebfeefe49b9983ec2be17e82ec3f9637fb2dfc13b2ec250c7747cb68db2d633