Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 22:18
Static task: static1
Behavioral task: behavioral1
  Sample: abb8ae7154abbdfad58617fbd6e37e25_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: abb8ae7154abbdfad58617fbd6e37e25_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
General
Target: abb8ae7154abbdfad58617fbd6e37e25_JaffaCakes118.dll
Size: 5.0MB
MD5: abb8ae7154abbdfad58617fbd6e37e25
SHA1: 666e933158146b2e09b17d4d2928f88f641e441a
SHA256: dc9e52ca2f0ae795394ceed7959eee45e6eb78a33757a4d274246ea33c492ea2
SHA512: 0b4f72fe74c8c011524c8124d152ff9682378c849b02942e00b5b0d7027f7036131a47dbbaa2f5c729b19fcc95d14401cd3a2ce5ca7f133a5a55b1ed2cb8caeb
SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0BkQg6eX6SA:SnAQqMSPbcBVBkQo6SA
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3290) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    4192  mssecsvc.exe
    2944  mssecsvc.exe
    2120  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 2064 wrote to memory of 1428  2064  rundll32.exe  rundll32.exe
    PID 2064 wrote to memory of 1428  2064  rundll32.exe  rundll32.exe
    PID 2064 wrote to memory of 1428  2064  rundll32.exe  rundll32.exe
    PID 1428 wrote to memory of 4192  1428  rundll32.exe  mssecsvc.exe
    PID 1428 wrote to memory of 4192  1428  rundll32.exe  mssecsvc.exe
    PID 1428 wrote to memory of 4192  1428  rundll32.exe  mssecsvc.exe
Processes (child processes are indented under their parent)
- Path: C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\abb8ae7154abbdfad58617fbd6e37e25_JaffaCakes118.dll,#1
  PID: 2064
  - Suspicious use of WriteProcessMemory
  - Path: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\abb8ae7154abbdfad58617fbd6e37e25_JaffaCakes118.dll,#1
    PID: 1428
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - Path: C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4192
      - Executes dropped EXE
      - Drops file in Windows directory
      - Path: C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2120
        - Executes dropped EXE
- Path: C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2944
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
- Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4136,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8
  PID: 3452
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: d714de5177b8317d3f15f161dcd7bff8
  SHA1: bcceeb2ab589aeff2b890f9581c7e6aac82e5a72
  SHA256: c87f021d535c6ab171dbc9c9c1daf084c2c1f366ba307b3efa3923fbbd1f8227
  SHA512: 27879ecb9519653b907886a2326be55c17d0dc8a205631cef075e551548c7ad5e50ab4acba4d2cbe86387ad31275d73ae377c3b3857882a41c0df70fe35b45af
- Filesize: 3.4MB
  MD5: 3eb8205a8574d044000a515e2d445814
  SHA1: dc67dbb939bb21a9a187f53da19750d50e2f34b1
  SHA256: 92f53ba1bf6dfe19b9404d5dd93c9275496933ea1bd97b83ca1c73996d13acff
  SHA512: 740889c4b9cb4b32f2111bd85db1cc5615ad6ba9821df7cf211c05e7fb3fb5c89f406418469d98575590e15d39637cef97000ba181b0798e8bbbbd737d89233e