Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 19-05-2024 22:28

Static task: static1

Behavioral task: behavioral1
- Sample: 5bcf369a4097b8056922510ad87e79e2_JaffaCakes118.dll
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 5bcf369a4097b8056922510ad87e79e2_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 5bcf369a4097b8056922510ad87e79e2_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 5bcf369a4097b8056922510ad87e79e2
- SHA1: 37c351addc6665ea4a00c7d82d7072042b814bf3
- SHA256: 655b2581303778df55a5f50edeb62e237ac93187f69168feb2102741a75d8c1b
- SHA512: 9a38561cacd885cdc85487d0fcf2e8b4d2ac39438d5ea6c870df9f2544567992624502b68326fc68018da7ca1b60de105578b6a78ec54bf133356118dcd4e8ce
- SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQ:TDqPoBhz1aRxcSUDk
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3328) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    1440  mssecsvc.exe
    1920  mssecsvc.exe
    2684  tasksche.exe

- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Drops file in System32 directory (1 IoCs)
  Processes:
    description                   ioc                                                                                                                        process
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe

- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes:
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                     pid   process       target process
    PID 2164 wrote to memory of 2396  2164  rundll32.exe  rundll32.exe
    PID 2164 wrote to memory of 2396  2164  rundll32.exe  rundll32.exe
    PID 2164 wrote to memory of 2396  2164  rundll32.exe  rundll32.exe
    PID 2164 wrote to memory of 2396  2164  rundll32.exe  rundll32.exe
    PID 2164 wrote to memory of 2396  2164  rundll32.exe  rundll32.exe
    PID 2164 wrote to memory of 2396  2164  rundll32.exe  rundll32.exe
    PID 2164 wrote to memory of 2396  2164  rundll32.exe  rundll32.exe
    PID 2396 wrote to memory of 1440  2396  rundll32.exe  mssecsvc.exe
    PID 2396 wrote to memory of 1440  2396  rundll32.exe  mssecsvc.exe
    PID 2396 wrote to memory of 1440  2396  rundll32.exe  mssecsvc.exe
    PID 2396 wrote to memory of 1440  2396  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5bcf369a4097b8056922510ad87e79e2_JaffaCakes118.dll,#1
  PID: 2164
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5bcf369a4097b8056922510ad87e79e2_JaffaCakes118.dll,#1
    PID: 2396
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1440
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2684
        - Executes dropped EXE

- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1920
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 3e00e530b237ba2a197c7537e3b72c38
  SHA1: 928f7390c71aa53a9bcda12acb0b22f681261c54
  SHA256: 8fb5c80c995c40e0a64dd13dedffb17061968b54c4be43d4d7feed1fdc79abda
  SHA512: 22c53c36be4c923820a80f608dd28c968e316962bf054528657b38202b250120cda6d51844b75a3bede4bbfaf81faf0508fbd99a70e9343938728de0d7d3a95c

- Filesize: 3.4MB
  MD5: 7ecb4baf9506742fbb1b7c6d2dd1504c
  SHA1: b2c64143fb2771bb6e56b9fdf9aabd32ea027a10
  SHA256: 7473c398611ef8dd88f13039a4da33368ed0ac5ff02ec7c96b1d17420288652d
  SHA512: f5cf7bfc3da1102508a7244721a2fffe4ced382cccc9ba921dc97a44533f824489ded9ca069984e49178244efefeaa28c3dda397dde21cff91357c65de6269d2