Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 18-05-2024 16:54

Static task: static1

Behavioral task: behavioral1
  Sample: 55cbc01a52fd5200cd82213465f27996_JaffaCakes118.dll
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: 55cbc01a52fd5200cd82213465f27996_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 55cbc01a52fd5200cd82213465f27996_JaffaCakes118.dll
Size: 5.0MB
MD5: 55cbc01a52fd5200cd82213465f27996
SHA1: a217c58a62f13a8bfcc7462606078e1bf1f2f405
SHA256: 22bbde8f39fab4ba56329699e65d93f8cff435b3f39e7b226afc268546ea8cef
SHA512: 2435798f42d1400945e7bf5287bd54e717a157a69060390bc4ff9379b5f5256faa8ba478f9f7aec6eb30dd335de16bfb627a636d6fec01ee8d22b9042e764d85
SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqpbOSSqTPVXmiHkQg6eX6SASk+Kdq/:SnAQqMSPbcBVQej/JSqTdX1HkQo6SAA
Malware Config

Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3271) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    2232  mssecsvc.exe
    2816  mssecsvc.exe
    2744  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes:
    Description                   IoC                                                                                                               Process
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                      Process
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    Description       Source PID  Source process  Target PID  Target process
    wrote to memory   1384        rundll32.exe    2144        rundll32.exe
    wrote to memory   1384        rundll32.exe    2144        rundll32.exe
    wrote to memory   1384        rundll32.exe    2144        rundll32.exe
    wrote to memory   1384        rundll32.exe    2144        rundll32.exe
    wrote to memory   1384        rundll32.exe    2144        rundll32.exe
    wrote to memory   1384        rundll32.exe    2144        rundll32.exe
    wrote to memory   1384        rundll32.exe    2144        rundll32.exe
    wrote to memory   2144        rundll32.exe    2232        mssecsvc.exe
    wrote to memory   2144        rundll32.exe    2232        mssecsvc.exe
    wrote to memory   2144        rundll32.exe    2232        mssecsvc.exe
    wrote to memory   2144        rundll32.exe    2232        mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\55cbc01a52fd5200cd82213465f27996_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1384
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\55cbc01a52fd5200cd82213465f27996_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2144
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2232
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2744
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2816
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: ad9925c0d7fda9b48a58439dc7a287c1
  SHA1: 0e912a64bf51d481714b087b4ea10f76aea71fbb
  SHA256: 46c128c262aa0029c228ed4313efcfa2eef29728bbd166998365429500129c75
  SHA512: d718adda7f8fbaa3839c998d31afa3381157642c2d824b2bb6018b5ad3631346b78d974192a6cbc88792a2f577adeec25de19768687c3fc8cc752a7632ca276b
- Filesize: 3.4MB
  MD5: 048a675961ba94a670ab35dc30a8e39f
  SHA1: 7c7c1951edf3c1ec6a8f50e0c5d6688d7b6523a2
  SHA256: 2b089c0115de4cde488409e0783da3ea01042f0768036725e9dad8994d00f1f4
  SHA512: a1bec9f9f7f8a089312099377cae2e303699672dfff08dccecd8dc3a8a19ebd9107e5fcff45cd275fae8e848a561286c3ab217a31518e7f5eb5b765777965a17