Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
20-05-2024 06:58
Static task
static1
Behavioral task
behavioral1
Sample
5dc0a27073d77e7fcb31e6b5a5d18fde_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5dc0a27073d77e7fcb31e6b5a5d18fde_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
5dc0a27073d77e7fcb31e6b5a5d18fde_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
5dc0a27073d77e7fcb31e6b5a5d18fde
-
SHA1
780c0940d070b2ebc067d8873f05c20895e3cea1
-
SHA256
1865fd125de56bba74cf36e50f32b9b427c5743c9d57a7f583cc2c45245c5123
-
SHA512
e7ebccc55b9a4a31d6f563d0752c648fd588012a89a67758308691ba36e781649a01374052878bb725c6c6ca5b83dde2478ea250a6352fe32accabf300956f19
-
SSDEEP
24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626:SnAQqMSPbcBVQej/1INR
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3032) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1656 mssecsvc.exe 2576 mssecsvc.exe 2632 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24F065EC-5017-4555-ACB1-4D99226B26DF}\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-4f-3c-78-ce-a7 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24F065EC-5017-4555-ACB1-4D99226B26DF}\76-4f-3c-78-ce-a7 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-4f-3c-78-ce-a7\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-4f-3c-78-ce-a7\WpadDecision = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24F065EC-5017-4555-ACB1-4D99226B26DF}\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24F065EC-5017-4555-ACB1-4D99226B26DF}\WpadDecisionTime = 40eb273483aada01 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24F065EC-5017-4555-ACB1-4D99226B26DF}\WpadNetworkName = "Network 3" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-4f-3c-78-ce-a7\WpadDecisionTime = 40eb273483aada01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24F065EC-5017-4555-ACB1-4D99226B26DF} mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1796 wrote to memory of 2288 1796 rundll32.exe rundll32.exe PID 1796 wrote to memory of 2288 1796 rundll32.exe rundll32.exe PID 1796 wrote to memory of 2288 1796 rundll32.exe rundll32.exe PID 1796 wrote to memory of 2288 1796 rundll32.exe rundll32.exe PID 1796 wrote to memory of 2288 1796 rundll32.exe rundll32.exe PID 1796 wrote to memory of 2288 1796 rundll32.exe rundll32.exe PID 1796 wrote to memory of 2288 1796 rundll32.exe rundll32.exe PID 2288 wrote to memory of 1656 2288 rundll32.exe mssecsvc.exe PID 2288 wrote to memory of 1656 2288 rundll32.exe mssecsvc.exe PID 2288 wrote to memory of 1656 2288 rundll32.exe mssecsvc.exe PID 2288 wrote to memory of 1656 2288 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5dc0a27073d77e7fcb31e6b5a5d18fde_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5dc0a27073d77e7fcb31e6b5a5d18fde_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1656 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2632
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2576
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD58aa585b814a69a3fb24eec3154a5ced9
SHA171b5c24a794a3b7657c6188068dcbc17909ccd40
SHA2565a625c6c21379f75154204fa21e708ce9f9bbf316b68c9e97fd3a38929288a6c
SHA512c38a10f263b9069b461570ede72c892437e9efa1204de3930bb691473de30f0a264d288cf79714ffd504f728a782221e0439bacd13b81ecda27be36f14fa87e3
-
Filesize
3.4MB
MD5fe54c59b29dfa5dc511e66bcb7b10ae9
SHA18b0989fd5ae7f5dfe76cbcba5d5a7edbaf4e48e8
SHA256372052abe79214f4102a5bc9dacc87376bff591a838fc51af76f1389ee07621a
SHA51214cb0b620eed82f1363254903df7cff72799d28554eab893d918edada9dcb9c1f731307f9c46562d8c88e4fe14a1a585cc89d7c07318f477685fcfe7b2e85a78