Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-06-2024 00:54
Static task: static1
Behavioral task: behavioral1
  Sample: 9005e4d095a0d9e8e85aa7f66843f0bc_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 9005e4d095a0d9e8e85aa7f66843f0bc_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General

Target: 9005e4d095a0d9e8e85aa7f66843f0bc_JaffaCakes118.dll
Size: 5.0MB
MD5: 9005e4d095a0d9e8e85aa7f66843f0bc
SHA1: e14878beffe3b2bd36066ec8519dd7418a6aa4a2
SHA256: a2bede7a6af54bbc78a70f0e5753d96a4450838b5abe34f745aa65d54bed1e03
SHA512: 62566a370b5e94ffd94b67ee53dd1a65db1c26a2260281b6d5d212ebe0dac25fdc667bd54cda454fe5d8d8e88a03edf81dca3e5ca150a31d31eb8a702e9b5f0a
SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjGQAdNLKz6626kH1pNZtA0p+9XEk:SnAQqMSPbcBVQejbNRAkH1plAH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3301) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid  | process
    3196 | mssecsvc.exe
    3216 | mssecsvc.exe
    2992 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description  | ioc                     | process
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description     | ioc | process
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
    Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                      | pid  | process      | target process
    PID 2960 wrote to memory of 1332 | 2960 | rundll32.exe | rundll32.exe
    PID 2960 wrote to memory of 1332 | 2960 | rundll32.exe | rundll32.exe
    PID 2960 wrote to memory of 1332 | 2960 | rundll32.exe | rundll32.exe
    PID 1332 wrote to memory of 3196 | 1332 | rundll32.exe | mssecsvc.exe
    PID 1332 wrote to memory of 3196 | 1332 | rundll32.exe | mssecsvc.exe
    PID 1332 wrote to memory of 3196 | 1332 | rundll32.exe | mssecsvc.exe
Processes

(children are indented under their parent process)

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9005e4d095a0d9e8e85aa7f66843f0bc_JaffaCakes118.dll,#1
  PID: 2960
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9005e4d095a0d9e8e85aa7f66843f0bc_JaffaCakes118.dll,#1
      PID: 1332
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
        C:\WINDOWS\mssecsvc.exe
          Command line: C:\WINDOWS\mssecsvc.exe
          PID: 3196
          - Executes dropped EXE
          - Drops file in Windows directory
            C:\WINDOWS\tasksche.exe
              Command line: C:\WINDOWS\tasksche.exe /i
              PID: 2992
              - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3216
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3804,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4000 /prefetch:8
  PID: 1272
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 0dd894c2b7e8b979411143e4faa423c2
  SHA1: 5c33f34321b7d8b69e207e4e8d5c74de9a94d679
  SHA256: 779b7c918ad063f1f5aade311e168a682959a9ad559d4bdd8868a31480bb88ee
  SHA512: 19ff1d83b915c7993a4c6de03c6196f337bf82e3700254f160adb5d972ee93b95946ad408d2361f5dda529aed52e38b0723badab7c6f5010ec62b063635634b6
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 33460411209159f501eb2983f15386b6
  SHA1: 379f12acf27f114de91878b3a6c06ae680b99e35
  SHA256: 85524147c1dcb9d1074ab6e2b49535aa056cd7c997500df57ce6f35a6c4b39aa
  SHA512: a2819fc8de31fce03211c677872d862f0f22fb56a4659af84ebf9d6824981ed620c70fb90e723146e2896255e5bc37bcab983a89c83614eda54676dd0a12358e