Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system -
submitted
18-05-2024 07:52
Static task
static1
Behavioral task
behavioral1
Sample
53b1c379f045426c1e90ae72a411a7b0_JaffaCakes118.dll
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
53b1c379f045426c1e90ae72a411a7b0_JaffaCakes118.dll
Resource
win10v2004-20240426-en
General
-
Target
53b1c379f045426c1e90ae72a411a7b0_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
53b1c379f045426c1e90ae72a411a7b0
-
SHA1
0e69bbd360d8b77280411d828eba74935bf9a76f
-
SHA256
96980e2650d9389d0f72f8271eb54a26d86c599789ee0d3fc4bfb826b0eda2fa
-
SHA512
b059ff053a6a83e95c589b6e13aee88082a7202b882d91bd0d185ed9b8d6a56431d9efeb5c9914a3fb3f8dc7e64b8c3111e2993c6b04db9d7c8be0f9e0268235
-
SSDEEP
49152:znwQqMSPbcBVQej/1YNRNSxCDQatcqPc2r+6h40WpVgbgm5xz2Il23ZzgttoIvuv:TTqPoBhz1KRVY9gqBQcQQ
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3207) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
2908  mssecsvc.exe
2668  mssecsvc.exe
2444  tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
-
Modifies data under HKEY_USERS 24 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB99B839-4A51-4716-BAD6-EB608CCB2021}\WpadNetworkName = "Network 3" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB99B839-4A51-4716-BAD6-EB608CCB2021}\3e-aa-44-9b-cd-bc | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-aa-44-9b-cd-bc\WpadDecision = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB99B839-4A51-4716-BAD6-EB608CCB2021}\WpadDecision = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB99B839-4A51-4716-BAD6-EB608CCB2021} | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB99B839-4A51-4716-BAD6-EB608CCB2021}\WpadDecisionReason = "1" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-aa-44-9b-cd-bc | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-aa-44-9b-cd-bc\WpadDecisionReason = "1" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0065000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB99B839-4A51-4716-BAD6-EB608CCB2021}\WpadDecisionTime = c096c362f8a8da01 | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-aa-44-9b-cd-bc\WpadDecisionTime = c096c362f8a8da01 | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
description | pid | process | target process
PID 1568 wrote to memory of 2872 | 1568 | rundll32.exe | rundll32.exe
PID 1568 wrote to memory of 2872 | 1568 | rundll32.exe | rundll32.exe
PID 1568 wrote to memory of 2872 | 1568 | rundll32.exe | rundll32.exe
PID 1568 wrote to memory of 2872 | 1568 | rundll32.exe | rundll32.exe
PID 1568 wrote to memory of 2872 | 1568 | rundll32.exe | rundll32.exe
PID 1568 wrote to memory of 2872 | 1568 | rundll32.exe | rundll32.exe
PID 1568 wrote to memory of 2872 | 1568 | rundll32.exe | rundll32.exe
PID 2872 wrote to memory of 2908 | 2872 | rundll32.exe | mssecsvc.exe
PID 2872 wrote to memory of 2908 | 2872 | rundll32.exe | mssecsvc.exe
PID 2872 wrote to memory of 2908 | 2872 | rundll32.exe | mssecsvc.exe
PID 2872 wrote to memory of 2908 | 2872 | rundll32.exe | mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\53b1c379f045426c1e90ae72a411a7b0_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:1568
  -
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\53b1c379f045426c1e90ae72a411a7b0_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2872
    -
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:2908
      -
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:2444
-
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2668
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.6MB
MD5 c617575d4b84aa326618ff57b15c8f68
SHA1 15940ac6ea18245b50a803c1e93072141460e51d
SHA256 c2cef4b60170d11927ab5adc19c87251c604a4c070aef560883a20c037e7426d
SHA512 46706d77398f0dc982ffb5a23d4e973d1591dd7d3c6e94c2be7ef5b76e4b12f7786d331c941a0d752592ee5959589f7513854477aa1f24a23239be71f8b98f41
-
Filesize
3.4MB
MD5 ffb7d6d6c887ea3959edaa4c5af25c56
SHA1 e487620f1c68f8f1dda6709a69528665cd2e9631
SHA256 0961903f48291047625bec39b5623ce9a4c82ffba812687fa5368d6c5d3db764
SHA512 e7e6ac22c230e1850773319542d9bc7a3da30a643faf7fd6be3e2fafb98d950a9fcc96a34a201a74f0f157fcfa5c6d197dc0ea75b54ba43085e0575dd2368a60