Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 12:06
Static task: static1
Behavioral task: behavioral1
  Sample: a9981f085be37a7911978dadd3596379_JaffaCakes118.dll
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: a9981f085be37a7911978dadd3596379_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
General
Target: a9981f085be37a7911978dadd3596379_JaffaCakes118.dll
Size: 5.0MB
MD5: a9981f085be37a7911978dadd3596379
SHA1: f79c43f6032339d9c3845f3188f15010311c173e
SHA256: 46fb5d108b98f5d7ba3e3d9d8eb47078d5de6e4a93a2a15ba35038cd9eac7416
SHA512: 6befc04ee4562ef8757d9443b58b26eaf95e1af430cf25b3e7face5a05a40cb774565a8b3035a346bcc2a002a49b1f5dfa4bf16ef4614e351ce4f7e543d83f03
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5K3R8yAVp2:+DqPe1Cxcxk3ZAEUadeR8yc4
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3341) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid / process):
    3400  mssecsvc.exe
    2872  mssecsvc.exe
    3496  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description / ioc / process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description / ioc / process):
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  mssecsvc.exe
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 5016 wrote to memory of 4056  5016  rundll32.exe  rundll32.exe
    PID 5016 wrote to memory of 4056  5016  rundll32.exe  rundll32.exe
    PID 5016 wrote to memory of 4056  5016  rundll32.exe  rundll32.exe
    PID 4056 wrote to memory of 3400  4056  rundll32.exe  mssecsvc.exe
    PID 4056 wrote to memory of 3400  4056  rundll32.exe  mssecsvc.exe
    PID 4056 wrote to memory of 3400  4056  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 5016)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9981f085be37a7911978dadd3596379_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4056)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9981f085be37a7911978dadd3596379_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 3400)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 3496)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2872)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1764)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3884,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=1292 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: a6cf0063c310eff7191fba13053327e3
  SHA1: edc0de3f1e1e95bee18dcf2fbfe3ed1e41047c73
  SHA256: ebe23a239ca7be087cf17fe324379bb2f86fa1e2051b72e945254f83e453f1bf
  SHA512: 86d3e472de58185a6d0c763398c067bb1ecff20f848322a58aa5024435ffcc565f6de363b770960589b9223542fcf23379e9e00f2bfb98d70255c54425fb468c
- Filesize: 3.4MB
  MD5: 10257bc6a0be95ba773b16aa106767a3
  SHA1: 7c5a6de791c5791293b8ba9306f2cd1bd30dea8f
  SHA256: 342ce7cab19d9404536f07fa585da89adb3a86cb8bfedfba8fa32e60698a93e6
  SHA512: eaffdfed2de4da4727975a0c365ad636f6e842f724fe29840ad7bb4380c0cc32aa7ccbcb92a68013e798750b0e58f4c748df1a5bb9722aad3c07636d49e998b7