Analysis
  max time kernel: 150s
  max time network: 150s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 19-05-2024 17:50
Static task: static1
Behavioral task: behavioral1
  Sample: 5aaa734ecd61d2a8faf15c843cd86709_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5aaa734ecd61d2a8faf15c843cd86709_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
  Target: 5aaa734ecd61d2a8faf15c843cd86709_JaffaCakes118.dll
  Size: 5.0MB
  MD5: 5aaa734ecd61d2a8faf15c843cd86709
  SHA1: 5f796929bc7301c15c7e80b6ad232c8076c99de1
  SHA256: d7a72ff750c8efe9e3e5fb8fddd60c250b3cab76118ac835ea306e1e9f830412
  SHA512: ca720bc29b066b4c29bb48047af0b97fe7275a94ad4f41a97b102383c254211481da8c8bb23c249214732896580f7c1886da0101fe7597b598c427faaf136ea9
  SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdd1HkQ:+DqPoBhz1aRxcSUZk
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3280) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid  | process
    2368 | mssecsvc.exe
    2984 | mssecsvc.exe
    2812 | tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    description | ioc | process
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6A9205D-C78B-482E-99A7-46CD2733068C} | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6A9205D-C78B-482E-99A7-46CD2733068C}\WpadDecisionReason = "1" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6A9205D-C78B-482E-99A7-46CD2733068C}\WpadDecisionTime = 90dd57fe14aada01 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-24-79-be-18-c1\WpadDecisionReason = "1" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-24-79-be-18-c1\WpadDecisionTime = 90dd57fe14aada01 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ec000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6A9205D-C78B-482E-99A7-46CD2733068C}\WpadNetworkName = "Network 3" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-24-79-be-18-c1\WpadDecision = "0" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-24-79-be-18-c1 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6A9205D-C78B-482E-99A7-46CD2733068C}\WpadDecision = "0" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6A9205D-C78B-482E-99A7-46CD2733068C}\6e-24-79-be-18-c1 | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description | pid | process | target pid | target process
    PID 2876 wrote to memory of 2904 | 2876 | rundll32.exe | 2904 | rundll32.exe
    PID 2876 wrote to memory of 2904 | 2876 | rundll32.exe | 2904 | rundll32.exe
    PID 2876 wrote to memory of 2904 | 2876 | rundll32.exe | 2904 | rundll32.exe
    PID 2876 wrote to memory of 2904 | 2876 | rundll32.exe | 2904 | rundll32.exe
    PID 2876 wrote to memory of 2904 | 2876 | rundll32.exe | 2904 | rundll32.exe
    PID 2876 wrote to memory of 2904 | 2876 | rundll32.exe | 2904 | rundll32.exe
    PID 2876 wrote to memory of 2904 | 2876 | rundll32.exe | 2904 | rundll32.exe
    PID 2904 wrote to memory of 2368 | 2904 | rundll32.exe | 2368 | mssecsvc.exe
    PID 2904 wrote to memory of 2368 | 2904 | rundll32.exe | 2368 | mssecsvc.exe
    PID 2904 wrote to memory of 2368 | 2904 | rundll32.exe | 2368 | mssecsvc.exe
    PID 2904 wrote to memory of 2368 | 2904 | rundll32.exe | 2368 | mssecsvc.exe
Processes
  C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5aaa734ecd61d2a8faf15c843cd86709_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 2876
    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5aaa734ecd61d2a8faf15c843cd86709_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 2904
      C:\WINDOWS\mssecsvc.exe
        Command line: C:\WINDOWS\mssecsvc.exe
        - Executes dropped EXE
        - Drops file in Windows directory
        PID: 2368
        C:\WINDOWS\tasksche.exe
          Command line: C:\WINDOWS\tasksche.exe /i
          - Executes dropped EXE
          PID: 2812
  C:\WINDOWS\mssecsvc.exe
    Command line: C:\WINDOWS\mssecsvc.exe -m security
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID: 2984
Network
MITRE ATT&CK Enterprise v15
Downloads
  - Filesize: 3.6MB
    MD5: cabd09bbf6e65a38851007c1fa84b3c0
    SHA1: 6a0f1aff1e9ca5c8cceb6e385b96f2fcafd2a1f7
    SHA256: 6e5334295a211e1ba5639c7688747397ea3dc63789dbd41c800b6daa5fc021d5
    SHA512: aa85a0886debbccc28251b9c900e14ead86cf94ed9e83405a5d3c207e4ec001cf66e511baf652c86e3c8570364988e925f70f35c938dda5702bc94ac8c05572c
  - Filesize: 3.4MB
    MD5: e7777114d041dc7bb21c7dbe47d25b08
    SHA1: 0f849ab7d459137d33f6bdd001333bd7f2e255a1
    SHA256: 9f891d4df21a14f582ef00570c3f358daafd44c1b72c30e24c3ec87ad89c9472
    SHA512: 320b4442bda23bd96bd844d5de71a36cd21ab77cfcee9006a3f2905dffa3ca29f968a239f777b1df057bd8ac563db75e5aefd55ca8ff0c080b2780c2d34bad5f