Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 18-05-2024 16:03
Static task
- static1
Behavioral task
- behavioral1
  - Sample: 5597a3124d8b5532be08bf3dfe8ff4fb_JaffaCakes118.dll
  - Resource: win7-20240220-en
Behavioral task
- behavioral2
  - Sample: 5597a3124d8b5532be08bf3dfe8ff4fb_JaffaCakes118.dll
  - Resource: win10v2004-20240508-en
General
- Target: 5597a3124d8b5532be08bf3dfe8ff4fb_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 5597a3124d8b5532be08bf3dfe8ff4fb
- SHA1: 6bceaba53120614c6aff23f935966f038bf2b244
- SHA256: 753499a1d63d0875bf074feb0c9d81a6936fa7d1e5e0cc9acdf47cc1caeaa0a5
- SHA512: 061f1e0ae7f79cf6319c66fb8ef92b637dae0d1581d502b49807f44373e7650374b4241b35949eaf0ca159874ac25f214300e005556725b94e0a0506de2d05c5
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:+DqPoBhz1aRxcSUDk36SA
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3302) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  2800  mssecsvc.exe
  2624  mssecsvc.exe
  2808  tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: mssecsvc.exe)
-
Drops file in Windows directory 2 IoCs
Processes:
  - File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
-
Modifies data under HKEY_USERS 24 IoCs
Processes:
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (process: mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (process: mssecsvc.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (process: mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68E32004-5BEC-4518-8DDA-ED862D5244D0} (process: mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-f5-5c-3c-58-cb (process: mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68E32004-5BEC-4518-8DDA-ED862D5244D0}\86-f5-5c-3c-58-cb (process: mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-f5-5c-3c-58-cb\WpadDecisionReason = "1" (process: mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (process: mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (process: mssecsvc.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (process: mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (process: mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68E32004-5BEC-4518-8DDA-ED862D5244D0}\WpadDecision = "0" (process: mssecsvc.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68E32004-5BEC-4518-8DDA-ED862D5244D0}\WpadNetworkName = "Network 3" (process: mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-f5-5c-3c-58-cb\WpadDecision = "0" (process: mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (process: mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (process: mssecsvc.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (process: mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68E32004-5BEC-4518-8DDA-ED862D5244D0}\WpadDecisionReason = "1" (process: mssecsvc.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68E32004-5BEC-4518-8DDA-ED862D5244D0}\WpadDecisionTime = 40ee01ef3ca9da01 (process: mssecsvc.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (process: mssecsvc.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (process: mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (process: mssecsvc.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0129000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (process: mssecsvc.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-f5-5c-3c-58-cb\WpadDecisionTime = 40ee01ef3ca9da01 (process: mssecsvc.exe)
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
  description                         pid   process       target process
  PID 2916 wrote to memory of 2132    2916  rundll32.exe  rundll32.exe
  PID 2916 wrote to memory of 2132    2916  rundll32.exe  rundll32.exe
  PID 2916 wrote to memory of 2132    2916  rundll32.exe  rundll32.exe
  PID 2916 wrote to memory of 2132    2916  rundll32.exe  rundll32.exe
  PID 2916 wrote to memory of 2132    2916  rundll32.exe  rundll32.exe
  PID 2916 wrote to memory of 2132    2916  rundll32.exe  rundll32.exe
  PID 2916 wrote to memory of 2132    2916  rundll32.exe  rundll32.exe
  PID 2132 wrote to memory of 2800    2132  rundll32.exe  mssecsvc.exe
  PID 2132 wrote to memory of 2800    2132  rundll32.exe  mssecsvc.exe
  PID 2132 wrote to memory of 2800    2132  rundll32.exe  mssecsvc.exe
  PID 2132 wrote to memory of 2800    2132  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5597a3124d8b5532be08bf3dfe8ff4fb_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2916
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5597a3124d8b5532be08bf3dfe8ff4fb_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2132
    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2800
      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2808
- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2624
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: dc3edd25bc4faa07cee27a0fb4e521e1
  SHA1: 17cf1414972fc5d9c232277a663d2dd6e0cad2ed
  SHA256: ea02e5f0feb89b67c570b907f8039f2e99939f17538c60828a643f696c5b940e
  SHA512: 108811bc55e7380a58efdd069619d7215245c6f001f70b589aedcffc7fb079bf7eeb9ff3869351a4c86da48784d38c1aca47737120d9419b3d0d17f9f629ba8f
- Filesize: 3.4MB
  MD5: e4588814eacbb29b64b47eeb01db1bab
  SHA1: 7bf22134720bd2592e881270f75e93df2d9333fb
  SHA256: c739b3324500ba1030da69fccf59cf43da26729045293cac56718c85e2ee0317
  SHA512: f978c43a23589cee2e065818e1e6a701bcbc7856c68e2323c5a6e5c399c3f6d78a99be7dbb9283a98d919f35e02c6d2fedb40f2db442b13911c94ffd0bb48698