Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 14-06-2024 03:40
Static task: static1
Behavioral task: behavioral1
- Sample: a7e26759af6012ba56a6b9c7a46e2179_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: a7e26759af6012ba56a6b9c7a46e2179_JaffaCakes118.dll
- Resource: win10v2004-20240611-en
General
- Target: a7e26759af6012ba56a6b9c7a46e2179_JaffaCakes118.dll
- Size: 5.0MB
- MD5: a7e26759af6012ba56a6b9c7a46e2179
- SHA1: 47d8d54fc9984937a86f310880660463828039c6
- SHA256: ea2751585258f3838bbfcd95d3ba740e5f80354d017f6fcee8c2c12c5bf1594d
- SHA512: 2729a61016127113ccc891448bf8be88d290f9cd3d82bc6c56521dd291307e09f4e3e907d326b06570acdf9d4736407f0adef6bd2b103903249a8b40f4d51fcb
- SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAM:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3271) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid | process
  8 | mssecsvc.exe
  488 | mssecsvc.exe
  64 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: mssecsvc.exe, rundll32.exe
  description | ioc | process
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 1228 wrote to memory of 4724 | 1228 | rundll32.exe | rundll32.exe
  PID 1228 wrote to memory of 4724 | 1228 | rundll32.exe | rundll32.exe
  PID 1228 wrote to memory of 4724 | 1228 | rundll32.exe | rundll32.exe
  PID 4724 wrote to memory of 8 | 4724 | rundll32.exe | mssecsvc.exe
  PID 4724 wrote to memory of 8 | 4724 | rundll32.exe | mssecsvc.exe
  PID 4724 wrote to memory of 8 | 4724 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7e26759af6012ba56a6b9c7a46e2179_JaffaCakes118.dll,#1
  PID: 1228
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7e26759af6012ba56a6b9c7a46e2179_JaffaCakes118.dll,#1
    PID: 4724
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 8
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 64
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 488
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4060,i,3549704109630749084,1975543916261970610,262144 --variations-seed-version --mojo-platform-channel-handle=4092 /prefetch:8
  PID: 2908
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 0e385950e7210bba989540cbc41a982b
  SHA1: c1b50c80be5c5094f97835f283bc0bf183d018b5
  SHA256: a73d1495bbac556ed8c4b6dab883f87929a566a8d65db2e95308e3082b207fcc
  SHA512: c9bf020b34f14790a7479e839d5b7c5946c1c09c0e2713d302088c651c75f3e6e295d41130db972a0adef1e697bdba6c1c554d16e587628ccb92952d0a7e50ea
- Filesize: 3.4MB
  MD5: dd2435f261e4fa0a098d761847610b31
  SHA1: c277ea09565541d120eb38d21e6df06a6ae8855b
  SHA256: 6d234a780e094198adbcbb8e31b943b0a81f56ea130a86f62d2f003cf19ae21a
  SHA512: eb716d8b5aff90fcfd03cab3aeae1be04d4346d20b68e28c49dc9442d9ca60f32a098061cdce5cf3f4087541413130cb5279f4bb334d1d65da013bb18b2f50fc