Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 19-05-2024 21:29

Static task: static1

Behavioral task: behavioral1
- Sample: 5b8fb99dcfc1089a3abced87b213a7fd_JaffaCakes118.dll
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: 5b8fb99dcfc1089a3abced87b213a7fd_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 5b8fb99dcfc1089a3abced87b213a7fd_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 5b8fb99dcfc1089a3abced87b213a7fd
- SHA1: 220bd0fb997d2a212ebef550d4f3c05230ee3379
- SHA256: 2a529b40784ededb4ff870f10dfe9c1f004706f24196f1ec97ea7139255bc129
- SHA512: 2b21c0e61960e68d095687d9e81d32b1560fe44a6b2729cdc6ad9e5d88475f15f3388502589f136eabc8ff4b35ba4b8576ab3c923a2c2170eb998731efed1571
- SSDEEP: 98304:+DqPoBhz1aRxcSUk36SAEdhvxWa9P593R8yAVp2:+DqPe1Cxci3ZAEUadzR8yc4
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3229) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 2020  mssecsvc.exe
    PID 2648  mssecsvc.exe
    PID 2808  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes:
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
    File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
    File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 2040 wrote to memory of 1284  rundll32.exe -> rundll32.exe
    PID 2040 wrote to memory of 1284  rundll32.exe -> rundll32.exe
    PID 2040 wrote to memory of 1284  rundll32.exe -> rundll32.exe
    PID 2040 wrote to memory of 1284  rundll32.exe -> rundll32.exe
    PID 2040 wrote to memory of 1284  rundll32.exe -> rundll32.exe
    PID 2040 wrote to memory of 1284  rundll32.exe -> rundll32.exe
    PID 2040 wrote to memory of 1284  rundll32.exe -> rundll32.exe
    PID 1284 wrote to memory of 2020  rundll32.exe -> mssecsvc.exe
    PID 1284 wrote to memory of 2020  rundll32.exe -> mssecsvc.exe
    PID 1284 wrote to memory of 2020  rundll32.exe -> mssecsvc.exe
    PID 1284 wrote to memory of 2020  rundll32.exe -> mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID: 2040)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b8fb99dcfc1089a3abced87b213a7fd_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID: 1284)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5b8fb99dcfc1089a3abced87b213a7fd_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID: 2020)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID: 2808)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID: 2648)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 041b27b42ab74cb6ce9723a0b6475426
  SHA1: ab3441590d43921d7a6d0bd8875bbb089c7a88d7
  SHA256: 265a57fe143250be0f032dddbd3c7a219969d0a09172b1bdb91eaabc2ae39b19
  SHA512: 32786239de6f5cee56ee8a68faa4a7b9916e2db5bbb69d1f5d4236189789531879c7531c9409af77d3fac679f319c46a38af3796374ca71d5d8ef1922075ac4f
- Filesize: 3.4MB
  MD5: 233e77fbd64fce3df5d4e1dbf2d5222c
  SHA1: deeea9b45bcc575790236ac9db9730ec9dc14ea6
  SHA256: 2aa9788c06731fcc190c1f67ff7dbc4c87340b563acbd02df6e9e3f1ddd3f963
  SHA512: e5889bc5bfaa73d62d9d9d94c769690867059672a10d494a0131389a51e9c018fd97cc93d1b2be24b484924c77910a60d32b6cdeba8bca4eaeac6694ab8092b0