Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-05-2024 04:24
Static task: static1
Behavioral task: behavioral1
- Sample: 32b3efdf648ce7883be0f968f0c9ff52_JaffaCakes118.dll
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 32b3efdf648ce7883be0f968f0c9ff52_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 32b3efdf648ce7883be0f968f0c9ff52_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 32b3efdf648ce7883be0f968f0c9ff52
- SHA1: 00275d760562de465266baa81d8f08e18f9931fc
- SHA256: 8d764975d177f564eded856e9216f0ed154042a6dae2b7a81acdd326c26dbea5
- SHA512: 653708979bc20187cef928f0c2710c69dd6f5e47aea0ab88d468242514c740564cd63985927aa4fad693ae17d83839dfbc9cb254db03769f08ff712e4fc8e784
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:+DqPoBhz1aRxcSUDk36SA
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3288) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 3644 mssecsvc.exe
  - 3272 mssecsvc.exe
  - 4584 tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created, C:\WINDOWS\mssecsvc.exe, rundll32.exe
  - File created, C:\WINDOWS\tasksche.exe, mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes (description, ioc, process):
  - Key created, \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\, mssecsvc.exe
  - Set value (int), \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1", mssecsvc.exe
  - Set value (int), \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1", mssecsvc.exe
  - Set value (int), \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1", mssecsvc.exe
  - Set value (int), \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0", mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  - PID 3956 wrote to memory of 3408, 3956, rundll32.exe, rundll32.exe
  - PID 3956 wrote to memory of 3408, 3956, rundll32.exe, rundll32.exe
  - PID 3956 wrote to memory of 3408, 3956, rundll32.exe, rundll32.exe
  - PID 3408 wrote to memory of 3644, 3408, rundll32.exe, mssecsvc.exe
  - PID 3408 wrote to memory of 3644, 3408, rundll32.exe, mssecsvc.exe
  - PID 3408 wrote to memory of 3644, 3408, rundll32.exe, mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID:3956)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\32b3efdf648ce7883be0f968f0c9ff52_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID:3408)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\32b3efdf648ce7883be0f968f0c9ff52_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID:3644)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID:4584)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID:3272)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  - Filesize: 3.6MB
  - MD5: 22785c60f359a179c47fd348823876df
  - SHA1: a60b6cb653f67269b6060982857ecc1454f8738c
  - SHA256: d8ca1e199c6db534860f595f4728cdc0138e3553654cc897e4a0ae03c27eedcf
  - SHA512: 534bf505f36673d9e23c4bea08d3e25b3e4325fa9efdaf16c6bba5570ca58ea35b8a053b04814d0054c708f234fd2dddb0224016f4f31b0d3987a2d8f5c66fe4
- C:\Windows\tasksche.exe
  - Filesize: 3.4MB
  - MD5: 29c65c871d14c5f61092a6214e922507
  - SHA1: c2e8769007f97c1a79e44d07924211228f2bb912
  - SHA256: f84aa4eb7458846c58ac129227b9c1838757ed2ac3a801e4041585ce576fedec
  - SHA512: 8cec670bc4142dd175fb8e20745a2011ddfa4332b1efbd6984aeef4827fd2c2669c2862c40059c09dddd6a446dd22916c97730c17c39a09c67ce992517c097b0