Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 06:38

Static task: static1
Behavioral task: behavioral1
  Sample: b22b6d701e2a273e7de63b84050f082c_JaffaCakes118.dll
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: b22b6d701e2a273e7de63b84050f082c_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
General
Target: b22b6d701e2a273e7de63b84050f082c_JaffaCakes118.dll
Size: 5.0MB
MD5: b22b6d701e2a273e7de63b84050f082c
SHA1: 38048d68ea12dac1e44d37eb8ff60b73949fac25
SHA256: 4410461ac4c1e7c17d78d3b60e2eacbcbfeddd208c9b752613797f8a8058bdc5
SHA512: f6b0e5018899f161de4c80b07c655476321dea65c4a5e4288904b678f43ba0f9bade258cf3cfc74b1c45a65a16717b89f7985a36bf73b4054b35f3138c568261
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhx93R8yAVp2:+DqPe1Cxcxk3ZAEnR8yc4
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3357) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    1044  mssecsvc.exe
    2688  mssecsvc.exe
    2836  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                      Process
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    Description      IoC                                                                                                 Process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\       mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    Description                       PID   Process       Target process
    PID 1012 wrote to memory of 4056  1012  rundll32.exe  rundll32.exe
    PID 1012 wrote to memory of 4056  1012  rundll32.exe  rundll32.exe
    PID 1012 wrote to memory of 4056  1012  rundll32.exe  rundll32.exe
    PID 4056 wrote to memory of 1044  4056  rundll32.exe  mssecsvc.exe
    PID 4056 wrote to memory of 1044  4056  rundll32.exe  mssecsvc.exe
    PID 4056 wrote to memory of 1044  4056  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b22b6d701e2a273e7de63b84050f082c_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1012
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b22b6d701e2a273e7de63b84050f082c_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 4056
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 1044
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2836
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1276,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=4384 /prefetch:8
  PID: 1376
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: a541211789fa1a8a6cbbf33653546290
  SHA1: b6d6ec8b961310e0b39954f82d48271923688e2f
  SHA256: 5da9e905fcc76986f6b6b7cd124452194b72e482e94fba3af3b3ff0139bf3ead
  SHA512: 81236e532828dc892849757553571b5c61b599f52ab9eb7e55ca82a5dfab5d325ead0fe9920341366ca08e74e1c146e14dd63e8aa3ceeb7754f10ecb969649c7
- Filesize: 3.4MB
  MD5: 6c26dcffe18e718d9b44580712a31cfa
  SHA1: d6e9c62396f4f6c6e0016c6fd2355db4ea73d0c7
  SHA256: 74453273a88cc6d31e8a133ad1cea962bf7a65181209fce2443ccb97e13ee4cf
  SHA512: 1b94b8bb8fc469592deca1bf3dd80ee61bd55a024194e73ad83a60043673abbda240ee394836455e14a1d54e5486a8306ef6ed919dd582f09afc903e4d05a3c6