Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
13-06-2024 04:43
Static task
static1
Behavioral task
behavioral1
Sample
a3db5991f48652f653541f9143623263_JaffaCakes118.dll
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
a3db5991f48652f653541f9143623263_JaffaCakes118.dll
Resource
win10v2004-20240611-en
General
-
Target
a3db5991f48652f653541f9143623263_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
a3db5991f48652f653541f9143623263
-
SHA1
b91e3210b47e362d217eb89d20e6e80b7300e876
-
SHA256
10e443bbe21b9c634c8ae93ade1d96a2e958294959053abc416d017ab4c01894
-
SHA512
fbe9ceb268f7e52679742d112f62e99523b8c7ca79598eac7e25f20bf4e3024c9e878426c3ed02b497b0a5b3119ec3b32a730c8adbd662b3f1bfdcbfc37bb6e9
-
SSDEEP
49152:SnAQqMSPbcBF1hnFpozmNXkMFnnxGieSPrF4VNpnA3ZmUl:+DqPoBF8zmNUMpEi5PhKNpnA3Zm2
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3045) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 3740 mssecsvc.exe 2608 mssecsvc.exe 812 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 3440 wrote to memory of 4796 3440 rundll32.exe rundll32.exe PID 3440 wrote to memory of 4796 3440 rundll32.exe rundll32.exe PID 3440 wrote to memory of 4796 3440 rundll32.exe rundll32.exe PID 4796 wrote to memory of 3740 4796 rundll32.exe mssecsvc.exe PID 4796 wrote to memory of 3740 4796 rundll32.exe mssecsvc.exe PID 4796 wrote to memory of 3740 4796 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a3db5991f48652f653541f9143623263_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3440 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a3db5991f48652f653541f9143623263_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3740 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:812
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2608
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3704,i,4778049104057176787,6631751660692402210,262144 --variations-seed-version --mojo-platform-channel-handle=4416 /prefetch:81⤵PID:1544
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5870c9c6735342c61c336e2602e25bb72
SHA186fab6feeee6de49188530bffe8367e18d8fa80e
SHA25641ab8d92d0ba45a81fefbf86a6ef1411658afd45647a937a844e36376238b301
SHA51211eda36c4b6831b22ce6a1ac2a0dc8f564d7085f3e892b53b8cf57af979e7b56a479a8fa92ad14796f1df64dd10e8ccdfe835fbf9ffaf99aee2f4c301a021c60
-
Filesize
3.4MB
MD52954e43e9a430ca0318d36b7674fb5fd
SHA121fd14ce48158950e8e7e87c03d414548fb6f92f
SHA25688ac2a68beae3866340aaf750e5d71e7f65c8860b6d72ecc16004a981dbd8a59
SHA512b1b03b9536b32838d89d4de7233ee492757c95e9e68746300266294d2c45ca5dfad635cd757aad35962fde1caad46a40126d23e8e89a8c746c963db37c80f03a