Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
03-06-2024 09:40
Static task
static1
Behavioral task
behavioral1
Sample
914fa8b79986c8b1811f42daf3858e4c_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
914fa8b79986c8b1811f42daf3858e4c_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
914fa8b79986c8b1811f42daf3858e4c_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
914fa8b79986c8b1811f42daf3858e4c
-
SHA1
769a5a99cb0daeb4817f6e5708a31387cd49fc8e
-
SHA256
0a7ae3f256bbea33dafdab8ac7bfe206c2527a03bd6f3f4185ebd4c8593f170c
-
SHA512
24ab0f9127850edd312ecd352815049496aa06cfef13b5c0a89f234678b84a2ba6914d3454ce793b8fb08e2f03de8bbb7d6206ec9f1d9792c927930be2bd7230
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJMDlAH:+DqPoBhz1aRxcSUDk36SAEdhvxWD2H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large number (3264) of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services. For this family it is consistent with the worm component probing other hosts over SMB; treat the count as an indicator of lateral-movement attempts rather than command-and-control traffic.
-
Executes dropped EXE 3 IoCs
Processes:
PID 1512  mssecsvc.exe
PID 3184  mssecsvc.exe
PID 2720  tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
File created  C:\WINDOWS\mssecsvc.exe  by rundll32.exe
File created  C:\WINDOWS\tasksche.exe  by mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  (mssecsvc.exe)
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  (mssecsvc.exe)
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  (mssecsvc.exe)
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  (mssecsvc.exe)
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  (mssecsvc.exe)
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
PID 2040 (rundll32.exe) wrote to memory of PID 2136 (rundll32.exe)
PID 2040 (rundll32.exe) wrote to memory of PID 2136 (rundll32.exe)
PID 2040 (rundll32.exe) wrote to memory of PID 2136 (rundll32.exe)
PID 2136 (rundll32.exe) wrote to memory of PID 1512 (mssecsvc.exe)
PID 2136 (rundll32.exe) wrote to memory of PID 1512 (mssecsvc.exe)
PID 2136 (rundll32.exe) wrote to memory of PID 1512 (mssecsvc.exe)
Each writer is the direct parent of its target in the process tree: the 64-bit rundll32.exe hands the 32-bit DLL (note the arch:x86 tag) to C:\Windows\SysWOW64\rundll32.exe, which then launches the dropped mssecsvc.exe. Writes into a freshly created child are consistent with ordinary process start-up, so this signature supports the chain above rather than proving injection into an unrelated process.
Processes
-
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\914fa8b79986c8b1811f42daf3858e4c_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:2040
  -
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\914fa8b79986c8b1811f42daf3858e4c_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2136
    -
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:1512
      -
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:2720
-
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:3184
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=4424 /prefetch:8
  PID:2360
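The signatures and process tree above describe a chain that can be turned into host-side detection logic. The Python below is an added example written for this page, not code from the sandbox vendor or from the report. It runs the rules over constructed Sysmon-style event records (the dictionary field names are this example's assumptions, and the parent of PID 3184 is assumed to be services.exe because the report lists it as a top-level process) and correlates the "Drops file in Windows directory" events with the later "Executes dropped EXE" ones, something a single-event rule cannot do.

```python
"""Host-side detection of the execution chain in the sandbox report above.

Added example, not part of the original report. The events are constructed,
Sysmon-style records (1 = ProcessCreate, 7 = ImageLoad, 11 = FileCreate,
13 = RegistryValueSet) modelled on the report's process tree and IoCs; the
field names and the parent of PID 3184 are this example's assumptions.
"""
import re
from collections import Counter

# Paths and hashes taken from the report.
RUNDLL = r"C:\Windows\system32\rundll32.exe"
RUNDLL_WOW = r"C:\Windows\SysWOW64\rundll32.exe"
MSSECSVC = r"C:\WINDOWS\mssecsvc.exe"
TASKSCHE = r"C:\WINDOWS\tasksche.exe"
DLL = r"C:\Users\Admin\AppData\Local\Temp\914fa8b79986c8b1811f42daf3858e4c_JaffaCakes118.dll"
ZONEMAP = r"HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
DLL_SHA256 = "0a7ae3f256bbea33dafdab8ac7bfe206c2527a03bd6f3f4185ebd4c8593f170c"
MSSECSVC_SHA256 = "926e5bdd79bca9420867e9f44c11688c42164885b317df7cea9c1b52ba83d5ec"
TASKSCHE_SHA256 = "c48a9f8243ea58d1685a5859c11108e4d2b9c0812aa8812be9ae2d273a648082"
KNOWN_SHA256 = {DLL_SHA256, MSSECSVC_SHA256, TASKSCHE_SHA256}

# rundll32 loading a DLL out of a user's Temp directory by export ordinal (",#1").
TEMP_ORDINAL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\S*\\appdata\\local\\temp\\[^,\s]+,#\d+", re.I)


def proc(pid, ppid, image, parent, cmd, sha256=""):
    return {"event_id": 1, "pid": pid, "ppid": ppid, "image": image,
            "parent_image": parent, "command_line": cmd, "sha256": sha256}


def regset(pid, name, value):
    return {"event_id": 13, "pid": pid, "image": MSSECSVC,
            "target_object": ZONEMAP + "\\" + name, "details": f"DWORD (0x{value:08x})"}


# Constructed telemetry mirroring the report; PID 2360 (msedge) is benign noise.
SAMPLE_EVENTS = [
    proc(2040, 1000, RUNDLL, r"C:\Windows\explorer.exe", f"rundll32.exe {DLL},#1"),
    proc(2136, 2040, RUNDLL_WOW, RUNDLL, f"rundll32.exe {DLL},#1"),
    {"event_id": 7, "pid": 2136, "image": RUNDLL_WOW, "image_loaded": DLL, "sha256": DLL_SHA256},
    {"event_id": 11, "pid": 2136, "image": RUNDLL_WOW, "target_filename": MSSECSVC},
    proc(1512, 2136, MSSECSVC, RUNDLL_WOW, MSSECSVC, MSSECSVC_SHA256),
    {"event_id": 11, "pid": 1512, "image": MSSECSVC, "target_filename": TASKSCHE},
    proc(2720, 1512, TASKSCHE, MSSECSVC, f"{TASKSCHE} /i", TASKSCHE_SHA256),
    proc(3184, 700, MSSECSVC, r"C:\Windows\System32\services.exe",  # parent assumed
         f"{MSSECSVC} -m security", MSSECSVC_SHA256),
    regset(3184, "ProxyBypass", 1), regset(3184, "IntranetName", 1),
    regset(3184, "UNCAsIntranet", 1), regset(3184, "AutoDetect", 0),
    proc(2360, 2300, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
         r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
         "msedge.exe --type=utility"),
]


def _exe_in_windows_root(path):
    """True for an .exe written directly into the Windows directory root (no subdirectory)."""
    head, _, name = path.lower().rpartition("\\")
    return head == r"c:\windows" and name.endswith(".exe")


def detect(events):
    """Return (rule, pid, detail) findings. Events must be in time order: the
    'executes_dropped_exe' rule correlates a FileCreate with a later ProcessCreate."""
    findings = []
    dropped = set()  # lower-cased paths of executables written into the Windows root
    for e in events:
        pid = e["pid"]
        if e.get("sha256", "").lower() in KNOWN_SHA256:
            findings.append(("known_wannacry_sha256", pid, e.get("image_loaded", e["image"])))
        if e["event_id"] == 1:
            image, cmd = e["image"].lower(), e["command_line"].lower()
            name = image.rpartition("\\")[2]
            if TEMP_ORDINAL_RE.search(cmd):
                findings.append(("rundll32_temp_ordinal", pid, e["command_line"]))
            if image in dropped:
                findings.append(("executes_dropped_exe", pid, e["image"]))
            if name == "mssecsvc.exe" and "-m security" in cmd:
                findings.append(("wannacry_mssecsvc_service_args", pid, e["command_line"]))
            if name == "tasksche.exe" and re.search(r"\s/i\b", cmd):
                findings.append(("wannacry_tasksche_install_args", pid, e["command_line"]))
        elif e["event_id"] == 11 and _exe_in_windows_root(e["target_filename"]):
            dropped.add(e["target_filename"].lower())
            findings.append(("drops_exe_in_windows_dir", pid, e["target_filename"]))
        elif e["event_id"] == 13 and e["target_object"].lower().startswith(ZONEMAP.lower() + "\\"):
            findings.append(("zonemap_intranet_tamper", pid, e["target_object"]))
    return findings


def summarize(findings):
    """Count findings per rule name."""
    return dict(Counter(rule for rule, _, _ in findings))


def ancestry(events, pid):
    """Image path chain from pid upward until a parent that is not in the events."""
    by_pid = {e["pid"]: e for e in events if e["event_id"] == 1}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
    print(" <- ".join(ancestry(SAMPLE_EVENTS, 2720)))
```

Two design points: the Windows-directory rule is deliberately stricter than the sandbox signature (an .exe written directly into the Windows root, not into any subdirectory) to keep installers and Windows Update out of the result, and the dropped-file correlation only works when events are processed in time order; feeding the same records in reverse yields no "executes_dropped_exe" finding at all.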
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Windows\mssecsvc.exe
Filesize 3.6MB
MD5 7a080215151f1f312751bb7941ee8f86
SHA1 5ff418d9ca40ba961eddc114b1e18f52eff66439
SHA256 926e5bdd79bca9420867e9f44c11688c42164885b317df7cea9c1b52ba83d5ec
SHA512 946c646fa0f5d904bf428e14985164ef090bc3f8944a097f9eded0d8977a3db39ef894b3c6e1fec2bb957a2853e1ffafa33c41ce189ea36960afbc26b31bbc1f
-
C:\Windows\tasksche.exe
Filesize 3.4MB
MD5 f4eebe38c2a8a8e973e09c4a51a6cbbf
SHA1 667f5bb9b97a4073beeb2e60c8e59f7777145ee3
SHA256 c48a9f8243ea58d1685a5859c11108e4d2b9c0812aa8812be9ae2d273a648082
SHA512 3091a415df2098f6883c504bab7279c30d92c6c509fd541b3ca3cb6c807b7e9a052cda93bc7b23379e04411d282e595db9428859c06f8edb19ed023f5dfba844