Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
19-05-2024 23:31
Static task
static1
Behavioral task
behavioral1
Sample
5c0cd89d9e1ff7747387ab9bee7d43c5_JaffaCakes118.dll
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
5c0cd89d9e1ff7747387ab9bee7d43c5_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
5c0cd89d9e1ff7747387ab9bee7d43c5_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
5c0cd89d9e1ff7747387ab9bee7d43c5
-
SHA1
4f865521d897a753e087bb44f25fc2602b4e5b20
-
SHA256
91fb89ed984138ddff0efe9056a013f9d463ff1902f07e39e23bed48854c3aaf
-
SHA512
625502fadb3f31d20a987a39de159e66105b7b15d25e616132fc5320860b320c0ef4f07f0993c0a24ae21f32d2c621f0a4e633522b360872705a4ff2cf6dec8e
-
SSDEEP
98304:TDqPoBhzFaRxcSUDk36SAEdhvxWa9P593:TDqPeFCxcxk3ZAEUadz
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3235) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1664 mssecsvc.exe 2184 mssecsvc.exe 2712 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59B4FFF4-4CCA-4547-9197-942EEE1F7D85} mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59B4FFF4-4CCA-4547-9197-942EEE1F7D85}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59B4FFF4-4CCA-4547-9197-942EEE1F7D85}\1e-54-26-97-c6-69 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-54-26-97-c6-69\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-54-26-97-c6-69\WpadDecisionTime = d0c40fae44aada01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-54-26-97-c6-69\WpadDecision = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59B4FFF4-4CCA-4547-9197-942EEE1F7D85}\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59B4FFF4-4CCA-4547-9197-942EEE1F7D85}\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-54-26-97-c6-69 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59B4FFF4-4CCA-4547-9197-942EEE1F7D85}\WpadDecisionTime = d0c40fae44aada01 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0037000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1880 wrote to memory of 2096 1880 rundll32.exe rundll32.exe PID 1880 wrote to memory of 2096 1880 rundll32.exe rundll32.exe PID 1880 wrote to memory of 2096 1880 rundll32.exe rundll32.exe PID 1880 wrote to memory of 2096 1880 rundll32.exe rundll32.exe PID 1880 wrote to memory of 2096 1880 rundll32.exe rundll32.exe PID 1880 wrote to memory of 2096 1880 rundll32.exe rundll32.exe PID 1880 wrote to memory of 2096 1880 rundll32.exe rundll32.exe PID 2096 wrote to memory of 1664 2096 rundll32.exe mssecsvc.exe PID 2096 wrote to memory of 1664 2096 rundll32.exe mssecsvc.exe PID 2096 wrote to memory of 1664 2096 rundll32.exe mssecsvc.exe PID 2096 wrote to memory of 1664 2096 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5c0cd89d9e1ff7747387ab9bee7d43c5_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5c0cd89d9e1ff7747387ab9bee7d43c5_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1664 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2712
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2184
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD56b6feafa11e3352d7637c80ed10aadad
SHA1f94d3f9219df5be4a7ea8241d4938553c0a40dba
SHA2565623dfc6e8a88f6f0db827ddc3088700c431d7dac5bbad6c4daf6b9845026a97
SHA512f534552f016428a08fb231bca77e641cd0b1e56ecbb4597a5e7aedc52df87c6cf9fa11df1e4ee3f011d17520d1969beefece1c289d4a5b24a46b9d522fdfc794
-
Filesize
3.4MB
MD5c23b733cb4b2e6cc839470cbbed68602
SHA13936b151af1ac7bf399ef3081f595d8c51cd9c4c
SHA25673d252a066bc6754f3f77152c099ba9889e3561523b050013f24bb16eee19d23
SHA51269e8a592ad583742ffa38752c6fce505f2c4f0491e6e77310fca55509581217bdd6a3b1ad37f63531a0b335d15d85b86af81b0bbc769b5618613937f7495601c