Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 02:06
Static task: static1
Behavioral task: behavioral1
  Sample: a7ad39749481cbe97852995ca17dc79f_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: a7ad39749481cbe97852995ca17dc79f_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
General
Target: a7ad39749481cbe97852995ca17dc79f_JaffaCakes118.dll
Size: 5.0MB
MD5: a7ad39749481cbe97852995ca17dc79f
SHA1: 71be9aab613b8323377213ab2d0f1b27eb3b7777
SHA256: 1fe8c9aa6cae51464d6a30e49758c0a7bdef1766b5e7f0fbc03468fc5018583c
SHA512: 5f52ebc4eef192b98a665992fd8692857c97df63962396614c9bce1852fe8e8cb1936c3af1404acd92462d1d28c2860ea4e395f6152ed4805220fb3b0257b150
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRdSqTdX1HkQo6SAARdhgFEnAEYc8c6Ri5WN6njF2nAEYH:+DqPoBhz1aRdSUDk36SAEdhn
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3206) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    1544  mssecsvc.exe
    2096  mssecsvc.exe
    2120  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 2064 wrote to memory of 5052  2064  rundll32.exe  rundll32.exe
    PID 2064 wrote to memory of 5052  2064  rundll32.exe  rundll32.exe
    PID 2064 wrote to memory of 5052  2064  rundll32.exe  rundll32.exe
    PID 5052 wrote to memory of 1544  5052  rundll32.exe  mssecsvc.exe
    PID 5052 wrote to memory of 1544  5052  rundll32.exe  mssecsvc.exe
    PID 5052 wrote to memory of 1544  5052  rundll32.exe  mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7ad39749481cbe97852995ca17dc79f_JaffaCakes118.dll,#1
  PID: 2064
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7ad39749481cbe97852995ca17dc79f_JaffaCakes118.dll,#1
    PID: 5052
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1544
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2120
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2096
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4136,i,3671441404766730751,12082497324212183132,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:8
  PID: 2392
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.6MB
MD5: a25bece31e4c4348c705d61b775cb557
SHA1: 8287bbd0daffbcfeb3c651f949dc665b20f47fc9
SHA256: fe8c7e7fe819bf178af0977c36932acaf9b2af904accfd6eff67d436ac4e57c5
SHA512: 57d812790a778f99b95df24bf303c980bb91b56be5916302e879a82158fb7158367c0167b9a9198fd78dc1a57e1bac1692e236b89c8ab6c46720b698e84bb171

Filesize: 3.4MB
MD5: b8c04e629eb09b7ec4ddc4bb4fa4d4ff
SHA1: 3e71fa5abc40f30e8eea5a3af92e3eec17df9376
SHA256: 3802abe3243ffcbfbb8dba64faca34b985b0d07981eb56cbd31b6884ea46c0bc
SHA512: 11b5e1fb2abecef2e5b54871c0549e710c9509c264cfd3423de5ef727cbd67a2e9bf96e9c5935ff2a0ee2461dafd2b77e4c55365dca9715d9edf21f6e86ba326