Analysis
- max time kernel: 91s
- max time network: 92s
- platform: windows11-21h2_x64
- resource: win11-20240426-en
- resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 17-05-2024 00:55
Static task
static1
Behavioral task
behavioral1
Sample
4d32605bc1a5c408f1a34b99fc38a893_JaffaCakes118.dll
Resource
win11-20240426-en
General
- Target: 4d32605bc1a5c408f1a34b99fc38a893_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 4d32605bc1a5c408f1a34b99fc38a893
- SHA1: b77132e8981ce9c59cd5271ed230e8ab44ce43cd
- SHA256: c93d64322829ede29e935e4b620b8c3777f4ea6ac8e72c127c2126b83e66ba2a
- SHA512: 8949c614a1ed3c9f87446e9bd2e073d06caa2b2190718160e13328ff9078a963005bb27ee12b35319584e404648a91de40aa7c260916d0d8ce69a9943a5004cf
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2:+DqPe1Cxcxk3ZAEUadzR8yc4
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (1670) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  2588  mssecsvc.exe
  924   mssecsvc.exe
  2276  tasksche.exe
-
Drops file in Windows directory 2 IoCs
Processes:
  description   ioc                        process
  File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
  File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe
-
Modifies data under HKEY_USERS 5 IoCs
Processes:
  description      ioc                                                                                                   process
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                        mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"      mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"     mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"    mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"       mssecsvc.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
  description                            pid   process       target process
  PID 4100 wrote to memory of 4956       4100  rundll32.exe  rundll32.exe
  PID 4100 wrote to memory of 4956       4100  rundll32.exe  rundll32.exe
  PID 4100 wrote to memory of 4956       4100  rundll32.exe  rundll32.exe
  PID 4956 wrote to memory of 2588       4956  rundll32.exe  mssecsvc.exe
  PID 4956 wrote to memory of 2588       4956  rundll32.exe  mssecsvc.exe
  PID 4956 wrote to memory of 2588       4956  rundll32.exe  mssecsvc.exe
Processes
- [1] C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d32605bc1a5c408f1a34b99fc38a893_JaffaCakes118.dll,#1
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4d32605bc1a5c408f1a34b99fc38a893_JaffaCakes118.dll,#1
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
    - [3] C:\WINDOWS\mssecsvc.exe
          Command line: C:\WINDOWS\mssecsvc.exe
          - Executes dropped EXE
          - Drops file in Windows directory
      - [4] C:\WINDOWS\tasksche.exe
            Command line: C:\WINDOWS\tasksche.exe /i
            - Executes dropped EXE
- [1] C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe -m security
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
- [1] C:\Windows\System32\rundll32.exe
      Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: a81c3d7e35a3280005559ddcef569749
  SHA1: 13d8f78714b5c127a8c288ffdc81a1f6d0fe705a
  SHA256: 3983b27334df3aa1d3d7266323bc0551dee435be0e08966811d921cd5c86947b
  SHA512: 77c8c38ae0a19141375f9573485882386196a348e3246fbf3a32fd1087eb6a99e7897f50d10d02114d4c4b2b4480f226c9a9efcea63cc8d3df799af5ce883aff
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 6ea306ffbf10904cf1738b501ddb2635
  SHA1: 2b0a99db1c72bafe1ecac594bd92f9264f95c2d2
  SHA256: 75f2e5d3e43f3372d94a525ef96cf8f82568093679f7120ac68e49dc68d0e91e
  SHA512: bea52683ebecde3c4813d41f766dd8919a5d0fd99ae22df3bfe54c76fd6ae716fddac63172b267e03dc72147fb00e8b1f517f853c0c99164f7b3388f64ddeb60