Analysis
- max time kernel: 150s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-06-2024 21:38
Static task: static1
Behavioral task: behavioral1
- Sample: b038fe3b829caf3fe7859062d9162395_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: b038fe3b829caf3fe7859062d9162395_JaffaCakes118.dll
- Resource: win10v2004-20240226-en
General
- Target: b038fe3b829caf3fe7859062d9162395_JaffaCakes118.dll
- Size: 5.0MB
- MD5: b038fe3b829caf3fe7859062d9162395
- SHA1: 671f8f85a4cf4bb935c3106644f696d31058d36c
- SHA256: 56a84c68fdbbb62f8b30e56d144b6b4b9e352699983f135afb354fab64e25656
- SHA512: d48f059a8c40c2a0faa7229a24c9b7ce31e0cd5f5da9972cad7579cb82154ec46bf6b1870a122a8871f2194a54ae5a8f55c784d02fd17723ae013d94ce2c3f90
- SSDEEP: 24576:zbLgddQhfdmMSirYbcMNgef0QeQ14kF2Y9g:znAQqMSPbcBVQe2dw
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3187) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (PID, process):
  - 2400 mssecsvc.exe
  - 408 mssecsvc.exe
  - 5024 tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, IoC, process):
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, IoC, process):
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (mssecsvc.exe)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, PID, process, target process):
  - PID 468 wrote to memory of 1820: rundll32.exe -> rundll32.exe
  - PID 468 wrote to memory of 1820: rundll32.exe -> rundll32.exe
  - PID 468 wrote to memory of 1820: rundll32.exe -> rundll32.exe
  - PID 1820 wrote to memory of 2400: rundll32.exe -> mssecsvc.exe
  - PID 1820 wrote to memory of 2400: rundll32.exe -> mssecsvc.exe
  - PID 1820 wrote to memory of 2400: rundll32.exe -> mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b038fe3b829caf3fe7859062d9162395_JaffaCakes118.dll,#1
  PID: 468
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b038fe3b829caf3fe7859062d9162395_JaffaCakes118.dll,#1
    PID: 1820
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2400
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 5024
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 408
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3744 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
  PID: 5100
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 652a70bb771fbd710a174b9fcdbd5109
  SHA1: bb1205e50bc6aee1d2ef17b8224b1dd3bf2ae455
  SHA256: fac660b921cc10907653b48b44f81ef2074a899e0ac5b2c537185362a4cf0f18
  SHA512: 75bf75077c1e91dbbf20dcaad29eac25f0aa02e76be9468cb3d0ab77f3397f66a66a9de908879cada7203f5a0ab1b3ce717d9ca03ca3cf22ced475161fa3a77e
- Filesize: 3.4MB
  MD5: bc7fcce3ef434336c50d56a17ce7f80c
  SHA1: 3882f38175b0d7c6b1995d1e21282587393c17f2
  SHA256: 2ea82a2769c6f4c963a22ebbd2f9c6cfdd3b6dc7912c30c1b7ca1447c6b8c3bc
  SHA512: d3149de4103f840d541d97c3825c1ee9b1fad65daa89d852292395c265c4b21fddd4b0820d2392c0bdac8d7395c53606bfda67332e37b5348e90e48dc492eb1a