Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
submitted: 19-05-2024 18:24

Static task: static1
Behavioral task: behavioral1
  Sample: 5ac6c60b8d52c546cf33cc04eda2fb18_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 5ac6c60b8d52c546cf33cc04eda2fb18_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 5ac6c60b8d52c546cf33cc04eda2fb18_JaffaCakes118.dll
Size: 5.0MB
MD5: 5ac6c60b8d52c546cf33cc04eda2fb18
SHA1: 7b4968ef7409ccae84ac1bd22814dd5d41069f0b
SHA256: e0475dd17f50e05ef796dc93da5e2e8f65567998ed4b4783eb7865f2be82b023
SHA512: 5cf29473d2f0a14c3b51b22088d16ecf81c3ca050348a91187fcff357513da071a383882599d6f8f9ea2a7c0a6d1c53081f43a3f44d33c78a3a66f834a6cb645
SSDEEP: 12288:yebLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7:zbLgddQhfdmMSirYbcMNge
Malware Config

Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3083) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2420  mssecsvc.exe
    2644  mssecsvc.exe
    2628  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc, process):
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A24D26E-8C8B-4F97-89FE-EC494E79FBF6}  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A24D26E-8C8B-4F97-89FE-EC494E79FBF6}\WpadDecisionTime = 106562c419aada01  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"  mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-97-1a-02-a6-45\WpadDecisionReason = "1"  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"  mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A24D26E-8C8B-4F97-89FE-EC494E79FBF6}\WpadDecisionReason = "1"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A24D26E-8C8B-4F97-89FE-EC494E79FBF6}\WpadDecision = "0"  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A24D26E-8C8B-4F97-89FE-EC494E79FBF6}\fe-97-1a-02-a6-45  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-97-1a-02-a6-45\WpadDecision = "0"  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"  mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A24D26E-8C8B-4F97-89FE-EC494E79FBF6}\WpadNetworkName = "Network 3"  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-97-1a-02-a6-45  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-97-1a-02-a6-45\WpadDecisionTime = 106562c419aada01  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 2128 wrote to memory of 2408  2128  rundll32.exe  rundll32.exe
    PID 2128 wrote to memory of 2408  2128  rundll32.exe  rundll32.exe
    PID 2128 wrote to memory of 2408  2128  rundll32.exe  rundll32.exe
    PID 2128 wrote to memory of 2408  2128  rundll32.exe  rundll32.exe
    PID 2128 wrote to memory of 2408  2128  rundll32.exe  rundll32.exe
    PID 2128 wrote to memory of 2408  2128  rundll32.exe  rundll32.exe
    PID 2128 wrote to memory of 2408  2128  rundll32.exe  rundll32.exe
    PID 2408 wrote to memory of 2420  2408  rundll32.exe  mssecsvc.exe
    PID 2408 wrote to memory of 2420  2408  rundll32.exe  mssecsvc.exe
    PID 2408 wrote to memory of 2420  2408  rundll32.exe  mssecsvc.exe
    PID 2408 wrote to memory of 2420  2408  rundll32.exe  mssecsvc.exe
Processes (indentation shows the process tree depth)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ac6c60b8d52c546cf33cc04eda2fb18_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2128
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5ac6c60b8d52c546cf33cc04eda2fb18_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    PID: 2408
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      PID: 2420
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
        PID: 2628
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
  PID: 2644
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: ac15c0ef7b0cfd62f087ccb06db91f5d
  SHA1: 97c55ce90ecb1197d39c4b3c3f954bd8105c1c31
  SHA256: 40c89149489eb496635372b379a8f5437c01013d0119a480031a183c9fff4b37
  SHA512: 90de24ed02957057ab5dcb5e97fc03f1165ac97dff491709854eaec2c959c65e10b8a1ca17ee87d3a147d0c6b22d55b86ca99c8365e794271a0179dbf6cf3c94
- Filesize: 3.4MB
  MD5: 34f58fbfb5b65d11ddc3b677b9907737
  SHA1: c5e77e73425a71201303fdc5d9ad47d466c57a4f
  SHA256: d1843b9bbc6b2b0ada802108622174ec06a7602f072d72f9b94f1061ba174e03
  SHA512: 3320d98e7eb92cda02aff16e7cd47b2c2ca5c7e43b581bc78fa1321f82ccb85f0bf619071e3cb5304a4ac526cb9f4cc5c1e1533c8035ebc2f4000211ea12f1d5