Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-06-2024 00:05
Static task: static1
Behavioral task: behavioral1
  Sample: 88cf794645baeff4a6d27baa67d81fd5_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 88cf794645baeff4a6d27baa67d81fd5_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 88cf794645baeff4a6d27baa67d81fd5_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 88cf794645baeff4a6d27baa67d81fd5
- SHA1: 18f72c2a321dba6f5a81c67322f60b5db5715b27
- SHA256: 54b556f1e1d527b3da3276da03a23aa24ce4903465c20a8abe3682f1f1a4b554
- SHA512: c91fa19254fa91ba22ee9ea289cba4c8323681cc660956032d8e86ffdca6c2f9a7b8c7c4a5edc5adb81c8890b7d9eb41fefced16af8f02e8bb952e64be4c92eb
- SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SADcwfpuv5p1otTyB:TDqPoBhz1aRxcSUDk36SAW5p1
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3326) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    4888  mssecsvc.exe
    4476  mssecsvc.exe
    3940  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                        Process
    File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
    File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    Description      IoC                                                                                                     Process
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                     mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description                       PID   Process       Target process
    PID 4856 wrote to memory of 4552  4856  rundll32.exe  rundll32.exe
    PID 4856 wrote to memory of 4552  4856  rundll32.exe  rundll32.exe
    PID 4856 wrote to memory of 4552  4856  rundll32.exe  rundll32.exe
    PID 4552 wrote to memory of 4888  4552  rundll32.exe  mssecsvc.exe
    PID 4552 wrote to memory of 4888  4552  rundll32.exe  mssecsvc.exe
    PID 4552 wrote to memory of 4888  4552  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\88cf794645baeff4a6d27baa67d81fd5_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 4856
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\88cf794645baeff4a6d27baa67d81fd5_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 4552
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 4888
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 3940
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4000,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8
  PID: 4516
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: dde0f8b0127eb76d4f3a27ff5b732c66
  SHA1: 246352a9436ad96da300469a3ab3bf661b918328
  SHA256: 4592d44c0104456e6d8a1ae3d1e64feff4c0948f032ad397551e1332922188aa
  SHA512: e37d5a323e35a2305357812deda9418fdfeda3becb1b689272bcd36ec977554275e2d03058c68e6922af749646d289d089b074450d5db89a08f0c7ef15c3c7a7
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 11e8ffc1d71eebdc634471b7442f35a5
  SHA1: b41aaa0841f68e50953d519217e0b9a273148b73
  SHA256: a6b4981c0b286f70d4d1bb51e99c24e5eb2c153ddc85abe2546020d062259d31
  SHA512: 687d7e7d4ecdc2cdbab27abde2a6a590629edf6142c8f93ec65e6fccd5b5081ca8ae1204420589d9397487d105cba7ab5640b2c65dc4f4c9cfa9a6d588dde0a7