Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 23:14
Static task: static1
Behavioral task: behavioral1
  Sample: abf032725f28af53d269fc015868a851_JaffaCakes118.dll
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: abf032725f28af53d269fc015868a851_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: abf032725f28af53d269fc015868a851_JaffaCakes118.dll
Size: 5.0MB
MD5: abf032725f28af53d269fc015868a851
SHA1: 48e4c783445841ff3e67b1ae000e37f32a8bb611
SHA256: 880ad069bad63c6d65ec14d92cf84110a86922d19d1fda0c31585d06a0f65a7e
SHA512: a50763dde1bcc363d47821baf6e8b6b56aa306970d718a816fb046f84188938851e3f6667d56d5fac69f5f2b41867db47c3b1bc18bd5ca3896a56ee8b59e36cd
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5RmI3R8yAVp2H:+DqPe1Cxcxk3ZAEUadPR8yc4H
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.
Contacts a large (2665) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
Processes (pid | process):
  324 | mssecsvc.exe
  2224 | mssecsvc.exe
  1796 | tasksche.exe
Drops file in Windows directory (2 IoCs)
Processes (description | ioc | process):
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
Modifies data under HKEY_USERS (5 IoCs)
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | process | target process):
  PID 384 wrote to memory of 3508 | 384 | rundll32.exe | rundll32.exe
  PID 384 wrote to memory of 3508 | 384 | rundll32.exe | rundll32.exe
  PID 384 wrote to memory of 3508 | 384 | rundll32.exe | rundll32.exe
  PID 3508 wrote to memory of 324 | 3508 | rundll32.exe | mssecsvc.exe
  PID 3508 wrote to memory of 324 | 3508 | rundll32.exe | mssecsvc.exe
  PID 3508 wrote to memory of 324 | 3508 | rundll32.exe | mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\abf032725f28af53d269fc015868a851_JaffaCakes118.dll,#1
  PID: 384
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\abf032725f28af53d269fc015868a851_JaffaCakes118.dll,#1
    PID: 3508
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 324
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1796
        - Executes dropped EXE
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4320,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=1416 /prefetch:8
  PID: 2596
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2224
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.6MB
MD5: b913771f5dc971501b8e10ff32e5f6eb
SHA1: 968d79a771dc7ac3e96c27a7728039dc41b55b4a
SHA256: 11b31780543201d8eb3a3540240842087b05aa85782a8fcbd921d882c5d1bc3a
SHA512: 3a629c67d86dc8c26b73c85e1214aa7aad3d09257d84507c1ecd7d75cf9e4c2cb365d54db8a76ccaafa90513f5f4528f6eba7ffd467b265bc41fd041fdc4dfe4

Filesize: 3.4MB
MD5: 42c8c77f3c2fb50b6bfef06f45b666e4
SHA1: f849baf0a54d5612ed9d627965a25eb338cea1ae
SHA256: efb903786b443496b9e18384b657d7fdaae7afe92d276a834867bffd00c10f1a
SHA512: 20635978a8f975a8e2ca80cf34a4d952944047b3e3d2deb07be39ceb22b7b8bacf9a58071283a933865707f77319412f3c79970232b11edf9531d18e1922521c