Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 18-05-2024 21:48
Static task: static1
Behavioral task: behavioral1
  Sample: 56f5f986dea620bcf28e6d3578142d23_JaffaCakes118.dll
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 56f5f986dea620bcf28e6d3578142d23_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 56f5f986dea620bcf28e6d3578142d23_JaffaCakes118.dll
Size: 5.0MB
MD5: 56f5f986dea620bcf28e6d3578142d23
SHA1: b74134312a3fc48171f32ab00ac50798e0a32691
SHA256: d599760e9af9f217d574e67cec0733c7adc5f96d7a1934e4bbea050f33e42960
SHA512: cf2754cec156519706134f888c670bcb0f03c1c69165c923bdc1fe6307045cdc3439877c81f65eccb24b4f69e8cb91de892e2428721c3d0c5cadb220346a43ef
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEc0:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3194) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid | process
    1692 | mssecsvc.exe
    2800 | mssecsvc.exe
    2700 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description | ioc | process
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
    description | ioc | process
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c6000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-1b-6a-dc-7c-1f\WpadDecisionReason = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-1b-6a-dc-7c-1f\WpadDecision = "0" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B74648D-87EB-49B6-ADCF-4F477A4ACB04}\WpadDecisionReason = "1" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B74648D-87EB-49B6-ADCF-4F477A4ACB04}\WpadDecisionTime = 20b133176da9da01 | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B74648D-87EB-49B6-ADCF-4F477A4ACB04}\WpadNetworkName = "Network 3" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-1b-6a-dc-7c-1f | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B74648D-87EB-49B6-ADCF-4F477A4ACB04} | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B74648D-87EB-49B6-ADCF-4F477A4ACB04}\WpadDecision = "0" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7B74648D-87EB-49B6-ADCF-4F477A4ACB04}\3e-1b-6a-dc-7c-1f | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-1b-6a-dc-7c-1f\WpadDecisionTime = 20b133176da9da01 | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description | pid | process | target process
    PID 2468 wrote to memory of 1952 | 2468 | rundll32.exe | rundll32.exe
    PID 2468 wrote to memory of 1952 | 2468 | rundll32.exe | rundll32.exe
    PID 2468 wrote to memory of 1952 | 2468 | rundll32.exe | rundll32.exe
    PID 2468 wrote to memory of 1952 | 2468 | rundll32.exe | rundll32.exe
    PID 2468 wrote to memory of 1952 | 2468 | rundll32.exe | rundll32.exe
    PID 2468 wrote to memory of 1952 | 2468 | rundll32.exe | rundll32.exe
    PID 2468 wrote to memory of 1952 | 2468 | rundll32.exe | rundll32.exe
    PID 1952 wrote to memory of 1692 | 1952 | rundll32.exe | mssecsvc.exe
    PID 1952 wrote to memory of 1692 | 1952 | rundll32.exe | mssecsvc.exe
    PID 1952 wrote to memory of 1692 | 1952 | rundll32.exe | mssecsvc.exe
    PID 1952 wrote to memory of 1692 | 1952 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\56f5f986dea620bcf28e6d3578142d23_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2468
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\56f5f986dea620bcf28e6d3578142d23_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1952
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 1692
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2700
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2800
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: e23d92f767cb46bceadbc9b039cb8d9e
  SHA1: 0135f4002198925423cac54ce41fc075cc03a727
  SHA256: 114115204096ae929c882417dbedfc2ba188dc375d6156c0576c067d6766fc75
  SHA512: 05bda9a5092758dbb400ded11cd3f780691af7184500257962f43da3dfc3855fa08ddfcaf6693f39c85b3e4b99e619b3709a8ac3d11ec94537dc368f9734d1e7
- Filesize: 3.4MB
  MD5: e3beae48c660a3e53b724363dcf3305e
  SHA1: 5a5ef3797b5c0299c9b73d74f3a7b00894df5951
  SHA256: 2193d112aa2665c42288ae30efbf78516c1b3e118e07a146d439d436599a6307
  SHA512: b3bea954c114ad7915802f13f7f752253e0b40b43c5ac6e825e1fc5fe3e6f6b72fdfc1ddd6c393daa7521a722bb2738a421f16375cb1254877f7e8b6ce84255b