Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-05-2024 05:16
Static task: static1

Behavioral task: behavioral1
  Sample: 532d2aa524c740fb4a2872f3a2e832ed_JaffaCakes118.dll
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 532d2aa524c740fb4a2872f3a2e832ed_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General

Target: 532d2aa524c740fb4a2872f3a2e832ed_JaffaCakes118.dll
Size: 5.0MB
MD5: 532d2aa524c740fb4a2872f3a2e832ed
SHA1: c7a3793513330e3506c63c3b96d15587961b7cb3
SHA256: b344f5188b656c7793b071d8fa426594bccc088850daa754fca36aea5a02336f
SHA512: 40c192ae6dc85c1efb25ee5d29f657026de40221b79932c5def962b5da98456d79d56692a8c1d190fc8a40b75c8dcad3564e0f79bbbd33e9df237faabbff730b
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:+DqPoBhz1aRxcSUDk36SA
Malware Config
Signatures

- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3135) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    PID   Process
    4516  mssecsvc.exe
    3152  mssecsvc.exe
    4848  tasksche.exe

- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    Description   IoC                       Process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe

- Modifies data under HKEY_USERS (5 IoCs)
  Processes: mssecsvc.exe
    Description      IoC                                                                                                      Process
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"    mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"   mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"     mssecsvc.exe

- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
    Description                       PID   Process       Target process
    PID 1468 wrote to memory of 5044  1468  rundll32.exe  rundll32.exe
    PID 1468 wrote to memory of 5044  1468  rundll32.exe  rundll32.exe
    PID 1468 wrote to memory of 5044  1468  rundll32.exe  rundll32.exe
    PID 5044 wrote to memory of 4516  5044  rundll32.exe  mssecsvc.exe
    PID 5044 wrote to memory of 4516  5044  rundll32.exe  mssecsvc.exe
    PID 5044 wrote to memory of 4516  5044  rundll32.exe  mssecsvc.exe
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\532d2aa524c740fb4a2872f3a2e832ed_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1468

  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\532d2aa524c740fb4a2872f3a2e832ed_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 5044

    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 4516

      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 4848

- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID: 3152
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3.6MB
  MD5: 8892575d1e40c5b1dde7a28b4482284c
  SHA1: 3a4829e7e4f5b971b77fa24ef1580380ae421f9c
  SHA256: 8e02f2f82b20e4ba86ea9e401ac0dcd0caed08c9fd9f4d52190737d5c0866cf7
  SHA512: 2099f769466a6de09b9d9b90ee740f7cab78bf183472fb72daa4494478ba8fd49c1800326c4606ee360537549d621caa1a3c7f752f6eaa4efef927fa6b7c3f08

- Filesize: 3.4MB
  MD5: 0631566ff11abecff0dd421d3c1670e1
  SHA1: 8595d74acbb4879ea3ebf11cf51d8bca334a2d0a
  SHA256: 98769aad0201df690a92fe6e6c4b8c368109eeac7deca69f8214c92da4b42ea1
  SHA512: a41c4b2c1031ca8397fd3e20a3316b177cd07aa59b32f9460c9c6afb6e9fd33cf06785b3754d551a740ffd39eae2049a8fc41964fc4ac0a73928c61a3e8c759a