Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 20-05-2024 03:22
Static task: static1
Behavioral task: behavioral1
  Sample: 5cedf628866eef92df09341a720db13c_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 5cedf628866eef92df09341a720db13c_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
- Target: 5cedf628866eef92df09341a720db13c_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 5cedf628866eef92df09341a720db13c
- SHA1: 0f7579ba3e6e41fe8211d0e90ceb0d1cec645ec1
- SHA256: b641037e26c57e6f3839df9d388ec8d2c3167090e313f89e8b5012dbc3830b1b
- SHA512: e666c6e857105d32c34d8f8f4a489d915b472ef174c65fa3b50f9fca63db73f7d118fc22566d212b906973e6a420cf361f494320a2624b0e5390dc898542183f
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kI29PO6LLuYAMEcpcL7nEaDNZtA0p+9Z:SnAQqMSPbcBVQej/N9PAMEcaEaDlAH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3286) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 1184  mssecsvc.exe
    PID 3052  mssecsvc.exe
    PID 2780  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes: mssecsvc.exe
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
    File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe (every entry below)
  All 24 entries are WinINet proxy auto-detection (WPAD), connection and cache settings written under the .DEFAULT profile, which is where WinINet stores them when a process running as a service (here the mssecsvc.exe -m security instance, PID 3052) makes an HTTP request; together with the counters.dat write under the systemprofile Temporary Internet Files path above, read them as evidence of SYSTEM-context HTTP activity rather than as a persistence mechanism.
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0033000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2482B044-0850-481F-A3F7-4A6545A3C6AE}\WpadDecisionTime = c0423fe664aada01
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2482B044-0850-481F-A3F7-4A6545A3C6AE}\WpadDecision = "0"
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-74-31-ab-04-6f\WpadDecisionReason = "1"
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-74-31-ab-04-6f\WpadDecisionTime = c0423fe664aada01
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-74-31-ab-04-6f
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2482B044-0850-481F-A3F7-4A6545A3C6AE}\36-74-31-ab-04-6f
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-74-31-ab-04-6f\WpadDecision = "0"
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2482B044-0850-481F-A3F7-4A6545A3C6AE}
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2482B044-0850-481F-A3F7-4A6545A3C6AE}\WpadDecisionReason = "1"
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2482B044-0850-481F-A3F7-4A6545A3C6AE}\WpadNetworkName = "Network 3"
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    PID 1252 (rundll32.exe) wrote to memory of PID 1824 (rundll32.exe), 7 events
    PID 1824 (rundll32.exe) wrote to memory of PID 1184 (mssecsvc.exe), 4 events
Processes
- C:\Windows\system32\rundll32.exe (PID 1252)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cedf628866eef92df09341a720db13c_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1824)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5cedf628866eef92df09341a720db13c_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1184)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2780)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 3052)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
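As an added example (not part of the sandbox report), the following Python pass runs simple detection logic over constructed Sysmon-style process, file and network events that mirror the chain above and the two network signatures: rundll32 loading a DLL by ordinal (",#1") from a user Temp directory, an executable written directly into C:\WINDOWS and then executed, the mssecsvc.exe -m security launch and tasksche.exe /i, and one process contacting an unusually large number of distinct hosts. The event field names, the fan-out threshold and the attribution of the 3286 connections to PID 3052 are assumptions made for the example; the report itself does not state which process generated the flows.

```python
"""Flag the WannaCry-style execution chain and network fan-out from the report.

Input is a list of Sysmon-like event dicts. The sample below is constructed to
mirror the sandbox report; field names are assumptions, not a sandbox export.
"""
from collections import defaultdict
import ntpath

# Assumption for this example: distinct remote hosts per process before we call it a scan.
FANOUT_THRESHOLD = 1000


def _base(path):
    """Lower-cased file name of a Windows path ('' for missing)."""
    return ntpath.basename(path or "").lower()


def detect(events):
    """Return a list of (rule_name, detail) tuples for every matching event."""
    findings = []
    pid_image = {}              # pid -> image path, learned from ProcessCreate
    dropped = {}                # lower-cased path of an EXE written into %WINDIR% -> writer pid
    hosts = defaultdict(set)    # pid -> distinct remote IPs

    for ev in events:
        kind = ev["type"]
        if kind == "ProcessCreate":
            pid_image[ev["pid"]] = ev["image"]
            img = _base(ev["image"])
            parent = _base(pid_image.get(ev["ppid"], ev.get("parent_image", "")))
            cmd = ev.get("cmdline", "").lower()

            # Rule 1: rundll32 invoking an export by ordinal from a user Temp directory.
            if img == "rundll32.exe" and "\\appdata\\local\\temp\\" in cmd and ",#" in cmd:
                findings.append(("rundll32_ordinal_from_temp", f"pid {ev['pid']}: {ev['cmdline']}"))

            # Rule 2: executing a binary that an earlier event dropped into %WINDIR%.
            if ev["image"].lower() in dropped:
                findings.append(("executes_dropped_exe",
                                 f"pid {ev['pid']} runs {ev['image']} dropped by pid {dropped[ev['image'].lower()]}"))

            # Rule 3: the launcher/service pair seen in the report.
            if img == "mssecsvc.exe" and "-m security" in cmd:
                findings.append(("wannacry_service_launch", f"pid {ev['pid']}: {ev['cmdline']}"))
            if img == "tasksche.exe" and cmd.rstrip().endswith(" /i") and parent == "mssecsvc.exe":
                findings.append(("wannacry_tasksche_install", f"pid {ev['pid']}: {ev['cmdline']}"))

        elif kind == "FileCreate":
            target = ev["target"].lower()
            # An .exe written straight into C:\WINDOWS (exactly two backslashes: drive, dir, file).
            if target.startswith("c:\\windows\\") and target.endswith(".exe") and target.count("\\") == 2:
                dropped[target] = ev["pid"]
                findings.append(("exe_dropped_in_windows_dir",
                                 f"pid {ev['pid']} ({_base(pid_image.get(ev['pid'], ''))}) wrote {ev['target']}"))

        elif kind == "NetworkConnect":
            hosts[ev["pid"]].add(ev["dst_ip"])

    # Rule 4: one process talking to many distinct hosts, the "network scan" signature.
    for pid, ips in hosts.items():
        if len(ips) >= FANOUT_THRESHOLD:
            findings.append(("network_fanout",
                             f"pid {pid} ({_base(pid_image.get(pid, ''))}) contacted {len(ips)} distinct hosts"))
    return findings


DLL = r"C:\Users\Admin\AppData\Local\Temp\5cedf628866eef92df09341a720db13c_JaffaCakes118.dll"

# Constructed sample: the report's process tree plus a benign svchost.exe as a control,
# and 3286 distinct-host connections attributed (by assumption) to the service instance.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 1252, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "ProcessCreate", "pid": 1824, "ppid": 1252, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "FileCreate", "pid": 1824, "target": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "ProcessCreate", "pid": 1184, "ppid": 1824, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "FileCreate", "pid": 1184, "target": r"C:\WINDOWS\tasksche.exe"},
    {"type": "ProcessCreate", "pid": 2780, "ppid": 1184, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"type": "ProcessCreate", "pid": 3052, "ppid": 504, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"type": "ProcessCreate", "pid": 900, "ppid": 504, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"type": "NetworkConnect", "pid": 900, "dst_ip": "10.0.0.2"},
] + [{"type": "NetworkConnect", "pid": 3052, "dst_ip": f"10.0.{i // 256}.{i % 256}"} for i in range(3286)]


if __name__ == "__main__":
    for name, detail in detect(SAMPLE_EVENTS):
        print(f"[{name}] {detail}")
```

Rule 2 deliberately keys on the full path of the dropped file rather than on the name mssecsvc.exe, so the same logic fires for any executable written to and then run from the Windows directory; the name-based checks in rule 3 are the family-specific part and are the ones an attacker can trivially change.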
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: aff14b466d82984703b5628328cf9ddf
  SHA1: 0b4118a94826ce74040ae2daaf3c625e6dbf5096
  SHA256: 3eefb2cfe6d4e562165a9d404f3b25e84e5fc763dfb9efbbcdec57cdc81aba63
  SHA512: 75eda47898406f391ea484685f026823dcec25c24b76b1cd31b7c3dc5f38b12e72acff8d2b5221c43ff8b6bb11f956a5147c0389aa0088fe04522776d1ab2081
- Filesize: 3.4MB
  MD5: b6080a4008ec849e25657b077f122318
  SHA1: 10ef785d015da5e7d004ebe1185f257b753b719f
  SHA256: 300a17f61a1aeed819f4b0e139402eac2f5fa903600f197e63e1eb06fb0c3ffd
  SHA512: 004ccb55e9e5ae57eef471ad53d2ca6ecec9a6db56ae35c8dc8045d348b6b066a349794afa189b74b65507fd6728009390ef7b7e948bea45ffe758ee2b27f55a