Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
02-06-2024 14:40
Static task
static1
Behavioral task
behavioral1
Sample
8e6bec90c3c40eeb623346a64a673c7a_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
8e6bec90c3c40eeb623346a64a673c7a_JaffaCakes118.dll
Resource
win10v2004-20240226-en
General
-
Target
8e6bec90c3c40eeb623346a64a673c7a_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
8e6bec90c3c40eeb623346a64a673c7a
-
SHA1
ca10ff363aa0dd8891ad313f3fca34b992b886bb
-
SHA256
db2102e6a647005f717126b68954b23bc7c1baa5baae3cc6a6de620caf69c9ad
-
SHA512
e1f91142b577e42a65da53f2105a2e43e962ff86bc0b87b1f91a30fbc5d7594b5a6e200b325119356c10b16c7ee8178606595320833ecb52e75c18f6993d249c
-
SSDEEP
24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626M+vbOSSqTPVX:SnAQqMSPbcBVQej/1INRx+TSqTdX
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3106) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1196 mssecsvc.exe 1132 mssecsvc.exe 1420 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 484 wrote to memory of 1620 484 rundll32.exe rundll32.exe PID 484 wrote to memory of 1620 484 rundll32.exe rundll32.exe PID 484 wrote to memory of 1620 484 rundll32.exe rundll32.exe PID 1620 wrote to memory of 1196 1620 rundll32.exe mssecsvc.exe PID 1620 wrote to memory of 1196 1620 rundll32.exe mssecsvc.exe PID 1620 wrote to memory of 1196 1620 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8e6bec90c3c40eeb623346a64a673c7a_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:484 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8e6bec90c3c40eeb623346a64a673c7a_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1196 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:1420
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1132
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:81⤵PID:2224
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5ce87f80f5f2ac09c0de1e29baa323abb
SHA14e294d9380b0b62ebc73a82d1577e0d21df54242
SHA2566966177eac33ddaf15529f7772f7344f8d223ff8d97d110383fe0574d8f91ac6
SHA5125de33e9af491ffb15cec8acbb46addd04975c820499e2b49125c8c74b2a88fa3618eb92e4e79856b4234a4169a362099d0b9c5f70c599082cb84a60ef104772f
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD5b80f0fbd7fc31d8a72ada4357505ce3f
SHA14ec89064276a24988f05fd2524b1dfa8d4f9b9ee
SHA256d69f98a929690bdc77fbc0c2e77519d9e5c93ba954f1921749961d17dd5305ff
SHA5122fdd794799d5da6f4c5dfa34d08515c3d400fd0d53e04b5d509274379b9df46207aa09ea93258338796e83b2b62a18e44eba8a925ecbd9b5c19a2edbdc64b898