Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 18-05-2024 19:30
Static task: static1
Behavioral task: behavioral1
- Sample: 56676839d1325a3d51d478f79d292b32_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 56676839d1325a3d51d478f79d292b32_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 56676839d1325a3d51d478f79d292b32_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 56676839d1325a3d51d478f79d292b32
- SHA1: c8b24b041661f8a1f4b16691d8973961ab4a7fd4
- SHA256: f73ef92a463852a6ab8e141805a52a85dba0ce251d8e1a2b3dc27412c25e4806
- SHA512: 880b4e1498285f6da929dc8001665e5e72ba3e6c16fc57d819429ac595fb4253789d38f5c457a7b5d3c374f3dedbd3aaaf4621f5a8e3e25279d46c571007e5eb
- SSDEEP: 12288:n6bLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+Dx:6bLgddQhfdmMSirYbcMNgef0
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm. The behaviour recorded below is its dropper stage: rundll32.exe loads the submitted DLL by ordinal (#1), writes C:\WINDOWS\mssecsvc.exe and runs it; mssecsvc.exe then writes C:\WINDOWS\tasksche.exe and a second instance of mssecsvc.exe is started under services.exe with the argument -m security.
- Contacts a large (3159) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services. For WannaCry this is consistent with its worm component probing other hosts, but this extract records neither the destination addresses nor the ports (the Network section below is empty), so confirm the target port and the source process from the packet capture before using the count as an indicator.
- Executes dropped EXE (2 IoCs)
  Processes:
  PID   Process
  2600  mssecsvc.exe
  2628  mssecsvc.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes:
  Description                     IoC                                                                                                              Process
  File opened for modification    C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat    mssecsvc.exe
  counters.dat under the SYSTEM profile is WinINet cache bookkeeping; it is a side effect of a SYSTEM-context process using WinINet for network access, not a file the malware chooses to drop, so it is a weak indicator on its own.
- Drops file in Windows directory (2 IoCs)
  Processes:
  Description     IoC                         Process
  File created    C:\WINDOWS\mssecsvc.exe     rundll32.exe
  File created    C:\WINDOWS\tasksche.exe     mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: all entries below are by mssecsvc.exe.
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-4c-bf-fa-c7-32\WpadDecision = "0"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{064763DF-A25E-4BED-A124-A3EF5B565EB6}
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{064763DF-A25E-4BED-A124-A3EF5B565EB6}\WpadNetworkName = "Network 3"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{064763DF-A25E-4BED-A124-A3EF5B565EB6}\WpadDecisionReason = "1"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-4c-bf-fa-c7-32
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-4c-bf-fa-c7-32\WpadDecisionReason = "1"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{064763DF-A25E-4BED-A124-A3EF5B565EB6}\WpadDecisionTime = f0d642df59a9da01
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{064763DF-A25E-4BED-A124-A3EF5B565EB6}\WpadDecision = "0"
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{064763DF-A25E-4BED-A124-A3EF5B565EB6}\2a-4c-bf-fa-c7-32
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-4c-bf-fa-c7-32\WpadDecisionTime = f0d642df59a9da01
  Every key here sits under HKEY_USERS\.DEFAULT, the hive the SYSTEM account uses, and all of them are WinINet state (WPAD proxy auto-detection, zone map, connection settings and cache prefixes). They are the footprint of a SYSTEM-context process initialising WinINet for network access, not a persistence mechanism, and should not be used as WannaCry-specific indicators.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  PID   Process
  2600  mssecsvc.exe
  2628  mssecsvc.exe
- Suspicious behavior: MapViewOfSection (44 IoCs)
  Processes:
  PID   Process
  2600  mssecsvc.exe (repeated events)
  2628  mssecsvc.exe (repeated events)
  44 MapViewOfSection events in total, all from these two mssecsvc.exe instances.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  Description                 PID   Process
  Token: SeDebugPrivilege     2600  mssecsvc.exe
  Token: SeDebugPrivilege     2628  mssecsvc.exe
  SeDebugPrivilege is what lets a process open handles to protected system processes; it is the precondition for the writes into wininit.exe, csrss.exe, lsass.exe and the other system processes listed under WriteProcessMemory below.
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (one row per source/target pair; the sandbox logged one entry per call):
  Source PID  Source process  Target PID  Target process  Calls
  3008        rundll32.exe    2752        rundll32.exe    7
  2752        rundll32.exe    2600        mssecsvc.exe    4
  2600        mssecsvc.exe    376         wininit.exe     7
  2600        mssecsvc.exe    384         csrss.exe       7
  2600        mssecsvc.exe    424         winlogon.exe    7
  2600        mssecsvc.exe    468         services.exe    7
  2600        mssecsvc.exe    484         lsass.exe       7
  2600        mssecsvc.exe    492         lsm.exe         7
  2600        mssecsvc.exe    608         svchost.exe     7
  2600        mssecsvc.exe    688         svchost.exe     4
  The first two rows are parent-to-child writes during process creation (rundll32.exe 3008 into 2752, then 2752 into the mssecsvc.exe it launched). The list stops at exactly 64 entries, mid-way through the svchost.exe 688 writes, so it appears to be capped by the report rather than complete.
Processes
- C:\Windows\system32\wininit.exe (wininit.exe)  PID 376
  - C:\Windows\system32\services.exe  PID 468
    - C:\Windows\system32\svchost.exe -k DcomLaunch  PID 608
      - C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID 2324
      - C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}  PID 2764
    - C:\Windows\system32\svchost.exe -k RPCSS  PID 688
    - C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted  PID 764
    - C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted  PID 820
      - "C:\Windows\system32\Dwm.exe"  PID 1312
    - C:\Windows\system32\svchost.exe -k netsvcs  PID 848
    - C:\Windows\system32\svchost.exe -k LocalService  PID 1008
    - C:\Windows\system32\svchost.exe -k NetworkService  PID 304
    - C:\Windows\System32\spoolsv.exe  PID 288
    - C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork  PID 1028
    - C:\Windows\system32\taskhost.exe ("taskhost.exe")  PID 1220
    - C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation  PID 2272
    - C:\Windows\system32\sppsvc.exe  PID 2768
    - C:\WINDOWS\mssecsvc.exe -m security  PID 2628
      Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\lsass.exe  PID 484
  - C:\Windows\system32\lsm.exe  PID 492
- C:\Windows\system32\csrss.exe  %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16  PID 384
- C:\Windows\system32\winlogon.exe (winlogon.exe)  PID 424
- C:\Windows\Explorer.EXE  PID 1368
  - C:\Windows\system32\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\56676839d1325a3d51d478f79d292b32_JaffaCakes118.dll,#1  PID 3008
    Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe  rundll32.exe C:\Users\Admin\AppData\Local\Temp\56676839d1325a3d51d478f79d292b32_JaffaCakes118.dll,#1  PID 2752
      Drops file in Windows directory; Suspicious use of WriteProcessMemory
      - C:\WINDOWS\mssecsvc.exe  PID 2600
        Executes dropped EXE; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
Two things in this tree matter for triage. First, the 64-bit C:\Windows\system32\rundll32.exe (PID 3008) hands the 32-bit DLL to C:\Windows\SysWOW64\rundll32.exe (PID 2752), and it is the SysWOW64 instance that actually writes C:\WINDOWS\mssecsvc.exe, so a detection keyed only on the system32 rundll32.exe path misses the drop. Second, the mssecsvc.exe instance with -m security (PID 2628) is a child of services.exe, not of the dropper: the dropped binary has been registered and started as a service, which is the persistence and propagation stage, while PID 2600 is the short-lived dropper that wrote tasksche.exe.
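The behavioural signatures above (Executes dropped EXE, Contacts a large number of remote hosts) and the dropper chain in the process tree can be expressed as detection logic over process, file and network events. The following is an added example, not part of the sandbox report: the event tuple shapes, the trace (built from the PIDs, paths and command lines in this report, with synthetic destination addresses standing in for the 3159 hosts the report counts but does not list) and the scan threshold are all assumptions.

```python
"""Replay three of this report's behavioural signatures over a small,
constructed sandbox-style trace (added example; the event shapes and the
scan threshold are assumptions, not part of the report)."""
from collections import defaultdict
from ipaddress import ip_address

# Event shapes (hypothetical):
#   ("proc", pid, ppid, image, cmdline)   process created
#   ("file", pid, path)                   file created / opened for modification
#   ("net",  pid, dst_ip)                 one network flow
DLL = r"C:\Users\Admin\AppData\Local\Temp\56676839d1325a3d51d478f79d292b32_JaffaCakes118.dll"

# Constructed trace: the dropper chain from the report's process tree, plus
# synthetic flows from the service instance standing in for the 3159 remote
# hosts the sandbox observed (the report does not list the destinations).
TRACE = [
    ("proc", 1368, 424, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ("proc", 3008, 1368, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ("proc", 2752, 3008, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ("file", 2752, r"C:\WINDOWS\mssecsvc.exe"),
    ("proc", 2600, 2752, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ("file", 2600, r"C:\WINDOWS\tasksche.exe"),
    ("proc", 2628, 468, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
] + [("net", 2628, str(ip_address("10.0.0.1") + i)) for i in range(3159)]


def executed_dropped_exes(trace):
    """'Executes dropped EXE': a process whose image path was written earlier
    in the trace by a different process. Returns {pid: (image, writer_pid)}."""
    written_by, hits = {}, {}
    for ev in trace:
        if ev[0] == "file":
            written_by.setdefault(ev[2].lower(), ev[1])
        elif ev[0] == "proc":
            _, pid, _ppid, image, _cmd = ev
            writer = written_by.get(image.lower())
            if writer is not None and writer != pid:
                hits[pid] = (image, writer)
    return hits


def scanning_processes(trace, threshold=100):
    """'Contacts a large amount of remote hosts': count distinct destinations
    per PID and report those at or above the (assumed) threshold."""
    dests = defaultdict(set)
    for ev in trace:
        if ev[0] == "net":
            dests[ev[1]].add(ev[2])
    return {pid: len(d) for pid, d in dests.items() if len(d) >= threshold}


def wannacry_dropper_chain(trace):
    """Match the chain this report shows: rundll32 loading the DLL by ordinal
    (#1) writes mssecsvc.exe and runs it; that process writes tasksche.exe;
    a second mssecsvc.exe instance runs with '-m security' (the service
    relaunch). Returns the PIDs of each link, or None if a link is missing."""
    procs = {ev[1]: ev for ev in trace if ev[0] == "proc"}
    files = {(ev[1], ev[2].lower()) for ev in trace if ev[0] == "file"}
    for pid, (_, _, ppid, image, _cmd) in procs.items():
        if not image.lower().endswith("\\mssecsvc.exe"):
            continue
        parent = procs.get(ppid)
        if parent is None or "rundll32" not in parent[3].lower() or ",#1" not in parent[4]:
            continue
        if (ppid, image.lower()) not in files:   # the parent must have dropped it
            continue
        if not any(p == pid and path.endswith("\\tasksche.exe") for p, path in files):
            continue
        service = [q for q, e in procs.items()
                   if e[3].lower() == image.lower() and "-m security" in e[4].lower()]
        if service:
            return {"rundll32": ppid, "dropper": pid, "service": service[0]}
    return None


if __name__ == "__main__":
    print("dropped EXEs executed:", executed_dropped_exes(TRACE))
    print("scanning PIDs:", scanning_processes(TRACE))
    print("WannaCry chain:", wannacry_dropper_chain(TRACE))
```

On this trace the first function flags both mssecsvc.exe instances (2600 and 2628, both written by rundll32.exe 2752), the second flags PID 2628 with 3159 distinct destinations, and the chain matcher returns the rundll32, dropper and service PIDs. The chain matcher is deliberately strict (every link must be present) so it stays quiet on ordinary rundll32 usage; the generic "dropped EXE" and "many destinations" checks are the ones to run broadly.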
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
- MD5: 33f61e96560dac487704a979691d0643
- SHA1: 62cc63f85ba81f4e93218951766626b316e64270
- SHA256: 085f4b0e113d68fe8559119f38d67d0e3b1975b55df28f645fcb1cd260939982
- SHA512: 09c3dbb906d552ae0aa39d38f0c62bebe288c04187d71aebe688a6e9f37ab515650b7a199dd1bd6600c4d9737f25259ea3ecf786e8e451a42f7198d38d0c36ad