Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-06-2024 15:35
Static task: static1
Behavioral task: behavioral1
- Sample: b44224dc93972f90ffd34dd331d0c5ef_JaffaCakes118.dll
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: b44224dc93972f90ffd34dd331d0c5ef_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: b44224dc93972f90ffd34dd331d0c5ef_JaffaCakes118.dll
- Size: 5.0MB
- MD5: b44224dc93972f90ffd34dd331d0c5ef
- SHA1: 595e01adc188e91ea52423af38785e7bea6a4776
- SHA256: 57358f77e1adcd0c2f26f8f83f16f4878f8ee808b6c62a0346ac51bafae27a4c
- SHA512: d58cea4569e6dd4b08502fed01593d19106f5ef606b81b1f4ba5f939db360b09420ee9f93f227cc539566e75b511e21ebf809855cda5aa02a6287b30f1c865d6
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0hASk+RdhAdmv1LJMfcH9PO6LLuYAME:SnAQqMSPbcBVhAARdhnvxJM0H9PAME
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2685) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid    process
  632    mssecsvc.exe
  3420   mssecsvc.exe
  1052   tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description    ioc                        process
  File created   C:\WINDOWS\mssecsvc.exe    rundll32.exe
  File created   C:\WINDOWS\tasksche.exe    mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
  description        ioc                                                                                                   process
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                    mssecsvc.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   mssecsvc.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  mssecsvc.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                         pid    process        target process
  PID 4424 wrote to memory of 536     4424   rundll32.exe   rundll32.exe
  PID 4424 wrote to memory of 536     4424   rundll32.exe   rundll32.exe
  PID 4424 wrote to memory of 536     4424   rundll32.exe   rundll32.exe
  PID 536 wrote to memory of 632      536    rundll32.exe   mssecsvc.exe
  PID 536 wrote to memory of 632      536    rundll32.exe   mssecsvc.exe
  PID 536 wrote to memory of 632      536    rundll32.exe   mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID: 4424)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b44224dc93972f90ffd34dd331d0c5ef_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID: 536)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b44224dc93972f90ffd34dd331d0c5ef_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID: 632)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID: 1052)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID: 1064)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4136,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4008 /prefetch:8
- C:\WINDOWS\mssecsvc.exe (PID: 3420)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: a33c0ed170e87c6ee6a55b16f85a1c42
  SHA1: afd116a01be2c1493e08a3542bd1948ebeba099e
  SHA256: 8f1209fc66228953767e25ee6f85a106b3dc084452cb8fdea35cdda3bcef841f
  SHA512: d9b846b253896302ca898c17ad425f9a792569f484f53ae76a714d54a739677663d1b9881fae1276b639b7591472ff7f5385cefc033a00bdad81f206a045c621
- Filesize: 3.4MB
  MD5: 79315e93e1e587369c28c10c7440cdbb
  SHA1: 64dd3537307acc6c30590833b827ba92cf0b55b4
  SHA256: 6660203d539eb99172bd694ed2384aa2e43809ec1e9c8d43da08cf4b0edcab93
  SHA512: 775685a3c897a82c52209fa17e1390ba2cc1b6ed8d9f755233d2f2390e848fe581d9269663105e1c48323df2b26081d19c54bfa4ffc91bd559f4105ff3fbee49