Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
04-05-2024 14:44
Static task
static1
Behavioral task
behavioral1
Sample
132d93ae1cc1c7cbaed768c82cb24647_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
132d93ae1cc1c7cbaed768c82cb24647_JaffaCakes118.dll
Resource
win10v2004-20240419-en
General
-
Target
132d93ae1cc1c7cbaed768c82cb24647_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
132d93ae1cc1c7cbaed768c82cb24647
-
SHA1
e93f00ef621a278ce5f1c258e3684eaf3c2505f0
-
SHA256
397abd86ac6439477432185e74eb61e26601325eff5ae4471f5e63c847826464
-
SHA512
89f7ac829907a1e5dd26cb7987f134d56307dda979120016cc11adaa9b96e2933ee0d0093a015228fdecb33e9f38a1d188153f3bc5bf9ad8251105bfefabab1c
-
SSDEEP
24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kISX6SASk+RdhAAt/8uME7hNZtA0p+9Z:SnAQqMSPbcBVQej/f6SAARdhV3RllAH
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3368) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1696 mssecsvc.exe 3724 mssecsvc.exe 3684 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 4380 wrote to memory of 320 4380 rundll32.exe rundll32.exe PID 4380 wrote to memory of 320 4380 rundll32.exe rundll32.exe PID 4380 wrote to memory of 320 4380 rundll32.exe rundll32.exe PID 320 wrote to memory of 1696 320 rundll32.exe mssecsvc.exe PID 320 wrote to memory of 1696 320 rundll32.exe mssecsvc.exe PID 320 wrote to memory of 1696 320 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\132d93ae1cc1c7cbaed768c82cb24647_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4380 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\132d93ae1cc1c7cbaed768c82cb24647_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:320 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1696 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:3684
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3724
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5ea407fcc303ca2f27c412f9b63121012
SHA14dd169ec76e7452ab02d445f386a0276671a45ef
SHA256fdeec88605bf3a5e2ec91af7ffd3e7f6d1897cdc1e97a5ae2af4d2fe90c897a4
SHA512851873d6b8bb23f5bcabc90ab89f54e099693ae9ba35d0b43027a84ebb2b560675f49558f0b4181d2285a4edf71415179669472b592e906e297bc6597b38a541
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD531320b6f1508a422c1715bb296b7a1d1
SHA1e5bc1632b530ef7420131ab49b75b287b66889b6
SHA25689b026d3b7e5bc1762551955e086c4cb72667afba47f5554875ec7db142120dc
SHA5129467f6c3ebefd44868b4355a35c7b5d65eb5b2484d90b04e2079a196848cdc2cf4737e20414338951277968d8bb39676c71ac30fb3bede2704773adc003f30d9