Analysis

- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-06-2024 07:42
Static task: static1

Behavioral task: behavioral1
- Sample: ad5ff179e68ed35256c984950591fe9b_JaffaCakes118.dll
- Resource: win7-20240611-en

Behavioral task: behavioral2
- Sample: ad5ff179e68ed35256c984950591fe9b_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General

- Target: ad5ff179e68ed35256c984950591fe9b_JaffaCakes118.dll
- Size: 5.0MB
- MD5: ad5ff179e68ed35256c984950591fe9b
- SHA1: fd7989ee0db90d1bcc73a887d290d78758423964
- SHA256: f481c567094d1a2777b52fa81b7ae1becb4352e6ef1d02e6a17765806daab1d7
- SHA512: d677fcee4d8f4060f2004dd523e924933b2397c45b9c3a2b720d2306daac10c73c08b8a45d31ecea4666a56aeb786ec584df582517e0a9a68ef5460a2d421ae5
- SSDEEP: 98304:+DqPoBhz1aRxcSUZk36SAclNw/9GkSM3:+DqPe1Cxc7k3ZAcoS
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (2687) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    3744  mssecsvc.exe
    4100  mssecsvc.exe
    4684  tasksche.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                      Process
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    Description      IoC                                                                                                                 Process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                        mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"       mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"      mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"     mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"        mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description                       PID   Process       Target process
    PID 212 wrote to memory of 4040   212   rundll32.exe  rundll32.exe
    PID 212 wrote to memory of 4040   212   rundll32.exe  rundll32.exe
    PID 212 wrote to memory of 4040   212   rundll32.exe  rundll32.exe
    PID 4040 wrote to memory of 3744  4040  rundll32.exe  mssecsvc.exe
    PID 4040 wrote to memory of 3744  4040  rundll32.exe  mssecsvc.exe
    PID 4040 wrote to memory of 3744  4040  rundll32.exe  mssecsvc.exe
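The "Contacts a large (2687) amount of remote hosts" signature is a volume heuristic: one process opening connections to far more distinct destinations than any legitimate client would inside a short window. The following is an added example of that heuristic, not code from the sandbox or from the report. The connection records are constructed (Sysmon/Zeek-like fields), and the 60-second sliding window, the threshold of 50 distinct hosts, and the destination port used in the sample are all assumptions; the report gives only the host count, not addresses or ports.

```python
"""Detect a host sweep from connection records.

Added example, not part of the sandbox report above. The records are constructed
(Sysmon/Zeek-like fields); the sliding window of 60 s, the threshold of 50 distinct
destination hosts and the destination port used in the sample are assumptions,
not values taken from the report.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float      # seconds since epoch
    pid: int
    image: str
    dst_ip: str
    dst_port: int


def scan_alerts(conns, window_s=60.0, min_hosts=50):
    """Return {(pid, image): peak} for every process whose number of distinct
    destination IPs inside any window_s-second sliding window reaches min_hosts."""
    by_proc = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        by_proc[(c.pid, c.image)].append(c)

    alerts = {}
    for key, recs in by_proc.items():
        window = deque()            # records inside the current window, oldest first
        live = defaultdict(int)     # dst_ip -> how many records in the window hit it
        peak = 0
        for c in recs:
            window.append(c)
            live[c.dst_ip] += 1
            # evict records older than window_s relative to the newest one
            while c.ts - window[0].ts > window_s:
                old = window.popleft()
                live[old.dst_ip] -= 1
                if live[old.dst_ip] == 0:
                    del live[old.dst_ip]
            peak = max(peak, len(live))
        if peak >= min_hosts:
            alerts[key] = peak
    return alerts


def build_sample():
    """Constructed traffic: mssecsvc.exe sweeping every host of a /24 on one port
    (assumed port; the report lists 2687 remote hosts but no addresses or ports),
    plus a browser utility process reconnecting to three hosts."""
    conns = []
    for i in range(1, 255):
        conns.append(Conn(1000.0 + i * 0.05, 4100, r"C:\WINDOWS\mssecsvc.exe",
                          f"10.0.0.{i}", 445))
    edge = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    for i, host in enumerate(["93.184.216.34", "151.101.1.69", "142.250.74.206"]):
        for k in range(5):
            conns.append(Conn(1000.0 + i + k * 0.5, 4272, edge, host, 443))
    return conns


if __name__ == "__main__":
    for (pid, image), peak in scan_alerts(build_sample()).items():
        print(f"PID {pid} {image}: {peak} distinct hosts inside one window")
```

Counting distinct destinations per process rather than per host is what separates a worm's sweep from a busy browser: the Edge process in the sample makes fifteen connections but to only three hosts and is never flagged, while the sweeping process is flagged as soon as its distinct-host count crosses the threshold, well before it reaches the 2687 the sandbox observed.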
Processes

C:\Windows\system32\rundll32.exe  (PID 212)
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad5ff179e68ed35256c984950591fe9b_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  -> C:\Windows\SysWOW64\rundll32.exe  (PID 4040)
       Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad5ff179e68ed35256c984950591fe9b_JaffaCakes118.dll,#1
       - Drops file in Windows directory
       - Suspicious use of WriteProcessMemory
       -> C:\WINDOWS\mssecsvc.exe  (PID 3744)
            Command: C:\WINDOWS\mssecsvc.exe
            - Executes dropped EXE
            - Drops file in Windows directory
            -> C:\WINDOWS\tasksche.exe  (PID 4684)
                 Command: C:\WINDOWS\tasksche.exe /i
                 - Executes dropped EXE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 4272)
  Command: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4252,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:8
  (no signatures)

C:\WINDOWS\mssecsvc.exe  (PID 4100)
  Command: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS

Reading the tree: the sample is invoked by export ordinal (",#1"). The 64-bit rundll32.exe in system32 re-launches the DLL through the 32-bit rundll32.exe in SysWOW64, which is what happens when a 32-bit DLL is handed to the 64-bit host. That second rundll32.exe writes mssecsvc.exe into C:\WINDOWS and starts it; mssecsvc.exe in turn drops and starts tasksche.exe with /i. A second mssecsvc.exe instance (PID 4100) runs with "-m security" at the root of its own tree rather than under rundll32.exe, and it is that instance which makes the ZoneMap registry changes listed above. The msedge.exe utility process carries no signatures.
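Two of the report's host-based signatures, "Drops file in Windows directory" and "Executes dropped EXE", fall out of correlating file-creation events with later process creations: an image is "dropped" if some process in the trace wrote it before it ran. The block below is an added example of that correlation, not code from the sandbox or from the report. Its event stream is constructed from the report's process list and file-drop IoCs; the event shape, the ordering, and the parent PIDs of the two root processes (4100 and 4272, set to 0 because the report does not show their parents) are assumptions.

```python
"""Replay a constructed Sysmon-style event stream and derive the host-based
signatures the report raised: "Drops file in Windows directory", "Executes dropped
EXE" and the rundll32.exe -> mssecsvc.exe -> tasksche.exe chain.

Added example, not part of the sandbox report. Events are constructed from the
report's process list and file-drop IoCs; the event shape, ordering and the parent
PIDs of the two root processes (set to 0) are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str          # "process_create" or "file_create"
    pid: int
    image: str         # image of the acting process
    ppid: int = 0      # process_create only
    cmdline: str = ""  # process_create only
    target: str = ""   # file_create only: path written


WINDOWS_DIR = re.compile(r"^c:\\windows\\", re.I)
TEMP_DLL = re.compile(r"\\appdata\\local\\temp\\[^\\]+\.dll\b", re.I)


def analyze(events):
    """Single chronological pass. Returns (children, findings): children maps
    ppid -> [pid, ...]; findings is a sorted list of (pid, signature) tuples."""
    children, dropped, findings = {}, set(), []
    for e in events:
        if e.kind == "file_create":
            dropped.add(e.target.lower())
            if WINDOWS_DIR.match(e.target):
                findings.append((e.pid, f"Drops file in Windows directory: {e.target}"))
        elif e.kind == "process_create":
            children.setdefault(e.ppid, []).append(e.pid)
            # "Executes dropped EXE": the image was written earlier in this trace
            if e.image.lower() in dropped:
                findings.append((e.pid, f"Executes dropped EXE: {e.image}"))
            if e.image.lower().endswith("\\rundll32.exe") and TEMP_DLL.search(e.cmdline):
                findings.append((e.pid, "rundll32 loads DLL from user Temp"))
    return children, sorted(findings)


def lineage(events, pid):
    """Image file names from the root of the tree down to pid."""
    procs = {e.pid: e for e in events if e.kind == "process_create"}
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].image.rsplit("\\", 1)[-1])
        pid = procs[pid].ppid
    return chain[::-1]


DLL = r"C:\Users\Admin\AppData\Local\Temp\ad5ff179e68ed35256c984950591fe9b_JaffaCakes118.dll"
SAMPLE_EVENTS = [  # constructed from the report; ordering and root ppids (0) assumed
    Event("process_create", 212, r"C:\Windows\system32\rundll32.exe", 0, f"rundll32.exe {DLL},#1"),
    Event("process_create", 4040, r"C:\Windows\SysWOW64\rundll32.exe", 212, f"rundll32.exe {DLL},#1"),
    Event("file_create", 4040, r"C:\Windows\SysWOW64\rundll32.exe", target=r"C:\WINDOWS\mssecsvc.exe"),
    Event("process_create", 3744, r"C:\WINDOWS\mssecsvc.exe", 4040, r"C:\WINDOWS\mssecsvc.exe"),
    Event("file_create", 3744, r"C:\WINDOWS\mssecsvc.exe", target=r"C:\WINDOWS\tasksche.exe"),
    Event("process_create", 4684, r"C:\WINDOWS\tasksche.exe", 3744, r"C:\WINDOWS\tasksche.exe /i"),
    Event("process_create", 4100, r"C:\WINDOWS\mssecsvc.exe", 0, r"C:\WINDOWS\mssecsvc.exe -m security"),
    Event("process_create", 4272, r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", 0,
          "msedge.exe --type=utility"),
]

if __name__ == "__main__":
    children, findings = analyze(SAMPLE_EVENTS)
    for pid, sig in findings:
        print(f"PID {pid:<5} {sig}")
    print(" -> ".join(lineage(SAMPLE_EVENTS, 4684)))
```

Run against the constructed stream this reproduces the report's counts, three "Executes dropped EXE" hits (PIDs 3744, 4100, 4684) and two "Drops file in Windows directory" hits, and the lineage of PID 4684 comes back as rundll32.exe -> rundll32.exe -> mssecsvc.exe -> tasksche.exe. Because the dropped set is built from file-creation events in the same trace, PID 4100 is still flagged even though it has no rundll32.exe ancestor, which matches how the report tags it.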
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3.6MB
  MD5: 945668fe3772357cb8d6ce144b441e78
  SHA1: babee5c9880e4fc87a193ae5d5cd8873c6c7cac0
  SHA256: 359e0487cf6a22cd9c7736ac09c3eee0d616d38fd62e2fd4e52552f7adb18d7d
  SHA512: 6acb2828fbdb1c586c6ad5f4b1241310089c62f8369a57b97c0237fcdd601a2f9d7b2ed66d7c13bd584c293f1d79356d187de82a443473bde3f9d9cbfa68d263

- Filesize: 3.4MB
  MD5: 3361ca997164f29dcc3a75ffc9b0c6fe
  SHA1: 0cd5d7d4aa10e1d1280f7d884cac3c5eb13b3539
  SHA256: 840686221c9c5c28a2ed2adda6f46f89e726aef1a6a1ff33c88be22cf81508a5
  SHA512: 7f229102f020549b15d7c2c5ecc4b651a46fe787da866f9a549b6ef67da9605c3c0aa47eaaab7752a09f53bbc1d977bea82e7510278f105f6e73a66ecfba35a3