Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
18-05-2024 18:59
Static task
static1
Behavioral task
behavioral1
Sample
564ee3bd9772165b78ad5bb17cb1a1cc_JaffaCakes118.dll
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
564ee3bd9772165b78ad5bb17cb1a1cc_JaffaCakes118.dll
Resource
win10v2004-20240426-en
General
-
Target
564ee3bd9772165b78ad5bb17cb1a1cc_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
564ee3bd9772165b78ad5bb17cb1a1cc
-
SHA1
0b4d231ef30ae83c392c6aea19adbf6a914cbd05
-
SHA256
ecd02032a29ce1e0dc3221bfadc26378a0d70d31af9b979e27b9cc3c15ebd556
-
SHA512
e907dabc8d6f6db1a973d5ecc8cb910dafd50f6ad07dd54efab9cb4c6f5ea020208e020d11e4f2f9f4169a900d2cf3d30245bee243112ef4b37d477a957bb7b2
-
SSDEEP
98304:TDqPoBhz1aRxcSUDkKSV8tAT2q9c5fDaNwbQf1YTza3R8yAVp2H:TDqPe1Cxcxk5W82q9ctOi46ER8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3304) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 2968 mssecsvc.exe 2132 mssecsvc.exe 2676 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{285CEA55-DED8-4E9A-915A-2BD2A0D69538} mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{285CEA55-DED8-4E9A-915A-2BD2A0D69538}\WpadNetworkName = "Network 3" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-32-83-09-e1-3f\WpadDecision = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{285CEA55-DED8-4E9A-915A-2BD2A0D69538}\96-32-83-09-e1-3f mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00aa000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{285CEA55-DED8-4E9A-915A-2BD2A0D69538}\WpadDecisionTime = 40c4e88755a9da01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-32-83-09-e1-3f\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-32-83-09-e1-3f\WpadDecisionTime = 40c4e88755a9da01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{285CEA55-DED8-4E9A-915A-2BD2A0D69538}\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{285CEA55-DED8-4E9A-915A-2BD2A0D69538}\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-32-83-09-e1-3f mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2196 wrote to memory of 2952 2196 rundll32.exe rundll32.exe PID 2196 wrote to memory of 2952 2196 rundll32.exe rundll32.exe PID 2196 wrote to memory of 2952 2196 rundll32.exe rundll32.exe PID 2196 wrote to memory of 2952 2196 rundll32.exe rundll32.exe PID 2196 wrote to memory of 2952 2196 rundll32.exe rundll32.exe PID 2196 wrote to memory of 2952 2196 rundll32.exe rundll32.exe PID 2196 wrote to memory of 2952 2196 rundll32.exe rundll32.exe PID 2952 wrote to memory of 2968 2952 rundll32.exe mssecsvc.exe PID 2952 wrote to memory of 2968 2952 rundll32.exe mssecsvc.exe PID 2952 wrote to memory of 2968 2952 rundll32.exe mssecsvc.exe PID 2952 wrote to memory of 2968 2952 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\564ee3bd9772165b78ad5bb17cb1a1cc_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\564ee3bd9772165b78ad5bb17cb1a1cc_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2968 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2676
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2132
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5a078919b41cb5f2910f173cfeeeece01
SHA1c85e73c603b5f5a24ed56dc345d8e1e4c3f97ffc
SHA256be31b854aaf05322fc57155f33aa4dd25ad03f8ea4ae29cc43f6f7b9565d83d5
SHA512db13a39e5606f20b85ea04eccfa1afe45e668420916fb39cded3d3f849d2c337d6897f13d2e4564a5b51ba701591e083cb9b9d4e02b99b9004ef45c9277776ee
-
Filesize
3.4MB
MD57794ecf854788633840ba9a189643fed
SHA16c845989bc09c4dd7709f323f0f07224786c151c
SHA25603c8ad9400ffa45d423936bac98879b1973c1210641da3e7061f6c21932c9ba1
SHA512ec44f726b55d2cf4dbe87530d19cffa52687fadbbddf100933023b9405def738772464224c064820ca3c8b70c7576232123656dafffbd426a18e8f7ad9d5fa94