Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-05-2024 05:01
Static task: static1
Behavioral task: behavioral1
  Sample: 32d9c2457554ed6c883eec0a7c5228a1_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 32d9c2457554ed6c883eec0a7c5228a1_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 32d9c2457554ed6c883eec0a7c5228a1_JaffaCakes118.dll
Size: 5.0MB
MD5: 32d9c2457554ed6c883eec0a7c5228a1
SHA1: 68f6e1fe94e61e71d5125de5f24f5473726d0092
SHA256: f37ea72f42c0f96a9a638a61dc80ea56cba6e416f08a6d66995d3414010d419d
SHA512: 4f6576ef0e88a69a57c44a13ea91d45718963e1fc5b14ac487f4c6fb6dc9b7337d86b6d25fdc51e9dae306d81d908b60ebb5b94ca5cdd5886a86b17d9c7b6232
SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEys+593R8yAVp2H:TDqPe1Cxcxk3ZAECzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3373) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid  | process
    4160 | mssecsvc.exe
    624  | mssecsvc.exe
    5004 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (2 IoCs)
  Processes:
    description  | ioc                     | process
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes:
    description     | ioc                                                                                                          | process
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"    | mssecsvc.exe
    Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                      | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"   | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       | pid  | process      | target process
    PID 1080 wrote to memory of 960   | 1080 | rundll32.exe | rundll32.exe
    PID 1080 wrote to memory of 960   | 1080 | rundll32.exe | rundll32.exe
    PID 1080 wrote to memory of 960   | 1080 | rundll32.exe | rundll32.exe
    PID 960 wrote to memory of 4160   | 960  | rundll32.exe | mssecsvc.exe
    PID 960 wrote to memory of 4160   | 960  | rundll32.exe | mssecsvc.exe
    PID 960 wrote to memory of 4160   | 960  | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\32d9c2457554ed6c883eec0a7c5228a1_JaffaCakes118.dll,#1
  PID: 1080
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\32d9c2457554ed6c883eec0a7c5228a1_JaffaCakes118.dll,#1
    PID: 960
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 4160
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 5004
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 624
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: c9df0c59d8d62f3cad3abf93a0ac0302
  SHA1: abb093c67c498f1fb1fa9adc179163a16595003c
  SHA256: fd4dee52b9b3d1f88da60f9afd9d5898b7aca5350449bad83ad9decd8ab2b8b0
  SHA512: 1f577aa1d654f1f6a3de20fbe35aa4c14c108286b129c8d9443d9f167a219b54e774cf02de42ef9d1851d740792a11a634e6dd9bf1bdd9fa533fa150f994ec4a
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: cfcfde8965410063a68b7f638bb0f766
  SHA1: f152c2d9be199932b5f65bc815f3411da1b9e10c
  SHA256: 3aacdf6cccc1d9d3bf5a99d328705c04d2fcce4557e06ac4494243c81b1da350
  SHA512: 1f9ac9a9ebc1a794e7e30463272420858d1186da44edda882927dbc2cbd45a4585350953fbfa5ae53ab552d8901609257f7e973d1f89ae7ffa9bb5f97ca346ff