Analysis

- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 20-05-2024 10:01

Static task: static1

Behavioral task: behavioral1
- Sample: 5e79b8fd795d0477a8cb667aaf5be84e_JaffaCakes118.dll
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 5e79b8fd795d0477a8cb667aaf5be84e_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General

- Target: 5e79b8fd795d0477a8cb667aaf5be84e_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 5e79b8fd795d0477a8cb667aaf5be84e
- SHA1: 37936a4683f3bff45a755cba139da3b00f87bab3
- SHA256: e440a0d0eb8ad565506d1eedd833b4f696ada45c8eb2238da44ed41b717404f4
- SHA512: 0736cf17551eed327535c321b83696ee1465ee8c9fd5d719e5cb192027d865bddb7ee9f609350797a95c10af8ae0baaddd790948e817d5b6fd985eb3cee52bf5
- SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SA:TDqPoBhz1aRxcSUDk36SA
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3240) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services. For a sample identified as WannaCry this is the expected worm behaviour: the family's dropped mssecsvc.exe component sweeps the local subnet and random Internet addresses for hosts exposing SMB (TCP/445) in order to propagate. The count alone is the useful detection feature; it does not depend on the payload.

- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 1016  mssecsvc.exe
  - PID 2884  mssecsvc.exe
  - PID 2680  tasksche.exe

- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
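The two network signatures above both reduce to one measurable property: a single process reaching far more distinct destination hosts, on one port, than any normal client does. The following is an added example of that fan-out check, not code from the Triage sandbox or from the sample. The flow records are constructed to resemble a sandbox or NetFlow export (timestamp, process, destination IP, destination port), and the 60 s window and 100-host threshold are assumptions chosen for the example, not values the sandbox uses.

```python
"""Fan-out detection: flag a process that reaches an unusually large number of
distinct remote hosts, the behaviour behind the "Contacts a large number of
remote hosts" / "Creates a large amount of network flows" signatures.

Added example, not code from the Triage report or from the sample. The flow
records are constructed to resemble a sandbox or NetFlow export; the window
size and host threshold are assumptions, not values the sandbox uses.
"""
import random
from collections import defaultdict

WINDOW_SECONDS = 60        # assumption: look for fan-out inside any 60 s span
SCAN_HOST_THRESHOLD = 100  # assumption: distinct hosts per process that counts as a sweep


def build_sample_flows(seed=1):
    """Constructed records (t_seconds, process, dst_ip, dst_port); not captured data.

    mssecsvc.exe sweeps the local /24 on TCP/445 and then 3000 distinct random
    addresses on the same port; chrome.exe talks to a dozen hosts on TCP/443.
    """
    rng = random.Random(seed)
    flows, t = [], 0.0
    for host in range(1, 255):
        t += 0.02
        flows.append((t, "mssecsvc.exe", f"10.0.0.{host}", 445))
    seen = set()
    while len(seen) < 3000:
        # first octet 11..223 so the address can never fall inside 10.0.0.0/24
        ip = f"{rng.randrange(11, 224)}.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}"
        if ip in seen:
            continue
        seen.add(ip)
        t += 0.01
        flows.append((t, "mssecsvc.exe", ip, 445))
    for host in range(12):
        flows.append((rng.uniform(0.0, t), "chrome.exe", f"203.0.113.{host + 1}", 443))
    flows.sort()
    return flows


def fan_out_by_process(flows, window=WINDOW_SECONDS):
    """Per process: the most distinct destination hosts seen inside any `window`
    seconds (sliding window over time-sorted records), the dominant destination
    port and the share of flows that used it. A sweep shows many hosts on one port."""
    by_proc = defaultdict(list)
    for t, proc, ip, port in flows:
        by_proc[proc].append((t, ip, port))
    stats = {}
    for proc, recs in by_proc.items():
        recs.sort()
        in_window = defaultdict(int)   # dst_ip -> flows currently inside the window
        left, best = 0, 0
        for t, ip, _ in recs:
            in_window[ip] += 1
            while t - recs[left][0] > window:   # slide the left edge forward
                old_ip = recs[left][1]
                in_window[old_ip] -= 1
                if in_window[old_ip] == 0:
                    del in_window[old_ip]
                left += 1
            best = max(best, len(in_window))
        port_counts = defaultdict(int)
        for _, _, port in recs:
            port_counts[port] += 1
        top_port, top_n = max(port_counts.items(), key=lambda kv: kv[1])
        stats[proc] = {
            "flows": len(recs),
            "max_hosts_in_window": best,
            "dominant_port": top_port,
            "dominant_port_share": top_n / len(recs),
        }
    return stats


def flag_scanners(flows, threshold=SCAN_HOST_THRESHOLD):
    """Processes whose fan-out inside one window meets the threshold."""
    return {p: s for p, s in fan_out_by_process(flows).items()
            if s["max_hosts_in_window"] >= threshold}


if __name__ == "__main__":
    for proc, s in flag_scanners(build_sample_flows()).items():
        print(f"{proc}: {s['max_hosts_in_window']} hosts in {WINDOW_SECONDS}s, "
              f"{s['dominant_port_share']:.0%} of {s['flows']} flows to port {s['dominant_port']}")
```

The sliding window matters more than the raw total: a backup agent or a vulnerability scanner may also touch thousands of hosts over a day, but a worm does it in seconds, and on a single port. Tune the threshold against your own baseline of per-process distinct-host counts before alerting on it.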
- Drops file in System32 directory (1 IoC)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
  The path is the WOW64-redirected view of System32\config\systemprofile, i.e. the per-user data of the LocalSystem account as seen by a 32-bit process. counters.dat is WinINet cache bookkeeping that is touched when WinINet is first used under that account; it is a side effect of network activity, not a deliberate drop.

- Drops file in Windows directory (2 IoCs)
  - File created: C:\WINDOWS\mssecsvc.exe (by rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (by mssecsvc.exe)

- Modifies data under HKEY_USERS (24 IoCs)
  All 24 writes are by mssecsvc.exe and all sit under \REGISTRY\USER\.DEFAULT, the hive LocalSystem uses for per-user settings, which is consistent with the `-m security` instance (PID 2884) running as a service. The values are WinINet Internet Settings and WPAD proxy auto-detection state that Windows initialises on first network use from that account (the 12-d2-84-98-05-51 subkey is the per-adapter WPAD entry named after the sandbox NIC's MAC). They are noise produced by the network activity, not a persistence mechanism, and make poor hunting indicators. Paths below are relative to \REGISTRY\USER\.DEFAULT\; the page records both the Software and SOFTWARE spellings as seen.
  - Set value (data): SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f009a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int): SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{299F6BB7-9855-4518-9AA0-9B4CF3296C4A}\WpadDecision = "0"
  - Set value (data): SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-d2-84-98-05-51\WpadDecisionTime = 908302a39caada01
  - Set value (data): SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int): SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Set value (int): SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Set value (str): SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (int): SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{299F6BB7-9855-4518-9AA0-9B4CF3296C4A}\WpadDecisionReason = "1"
  - Key created: Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (data): SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Key created: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{299F6BB7-9855-4518-9AA0-9B4CF3296C4A}
  - Key created: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{299F6BB7-9855-4518-9AA0-9B4CF3296C4A}\12-d2-84-98-05-51
  - Set value (int): SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-d2-84-98-05-51\WpadDecisionReason = "1"
  - Key created: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (str): SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (str): SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (str): SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{299F6BB7-9855-4518-9AA0-9B4CF3296C4A}\WpadNetworkName = "Network 3"
  - Key created: SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-d2-84-98-05-51
  - Set value (int): SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-d2-84-98-05-51\WpadDecision = "0"
  - Key created: Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Key created: Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (int): SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Set value (data): SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{299F6BB7-9855-4518-9AA0-9B4CF3296C4A}\WpadDecisionTime = 908302a39caada01

- Suspicious use of WriteProcessMemory (11 IoCs)
  - PID 2124 (rundll32.exe) wrote to memory of PID 2184 (rundll32.exe): 7 times
  - PID 2184 (rundll32.exe) wrote to memory of PID 1016 (mssecsvc.exe): 4 times
  Every recorded write goes from a parent into the child it has just spawned (see the process tree below). The signature is generic and, on its own, does not establish code injection; the file drop and the dropped-EXE execution are the stronger evidence here.
Processes

The tree has two roots. The first is the sandbox launching the sample through rundll32.exe with the `,#1` syntax, i.e. calling the DLL's export ordinal 1; the 64-bit rundll32.exe relaunches its SysWOW64 copy because the DLL is 32-bit, and that child drops and runs mssecsvc.exe. The second root is a separate mssecsvc.exe instance started with `-m security` and no captured parent, consistent with the first instance having registered itself as a service and the Service Control Manager starting it.

1. C:\Windows\system32\rundll32.exe (PID 2124)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e79b8fd795d0477a8cb667aaf5be84e_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 2184)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e79b8fd795d0477a8cb667aaf5be84e_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\WINDOWS\mssecsvc.exe (PID 1016)
         Command line: C:\WINDOWS\mssecsvc.exe
         - Executes dropped EXE
         - Drops file in Windows directory
         4. C:\WINDOWS\tasksche.exe (PID 2680)
            Command line: C:\WINDOWS\tasksche.exe /i
            - Executes dropped EXE

1. C:\WINDOWS\mssecsvc.exe (PID 2884)
   Command line: C:\WINDOWS\mssecsvc.exe -m security
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies data under HKEY_USERS
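The process tree above, together with the "Executes dropped EXE" signature, gives a host-side detection that does not depend on file hashes: rundll32.exe loading a DLL from a user Temp directory by ordinal, a dropped executable in C:\WINDOWS started by rundll32.exe or by another dropped executable, `tasksche.exe /i`, and `mssecsvc.exe -m security`. The following is an added example of that hunt over process-creation events; it is not code from the Triage sandbox or from the sample. The records are constructed to mimic Sysmon Event ID 1 fields (ProcessId, ParentProcessId, Image, CommandLine) and reuse the PIDs, images and command lines from the tree above; the parent PIDs of the two roots (1400, 480) and the benign events are assumptions.

```python
r"""Hunt for the execution chain shown in the process tree above: rundll32.exe
loading a DLL from a user Temp directory by ordinal, spawning a dropped
mssecsvc.exe in C:\WINDOWS, which starts tasksche.exe /i, plus a second
mssecsvc.exe -m security instance that appears as its own tree root.

Added example, not code from the Triage report or the sample. The records
below are constructed to mimic Sysmon Event ID 1 fields; the PIDs, images and
command lines of the malicious processes are taken from the report, while the
parent PIDs of the tree roots and the benign events are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


DLL = r"C:\Users\Admin\AppData\Local\Temp\5e79b8fd795d0477a8cb667aaf5be84e_JaffaCakes118.dll"

SAMPLE_EVENTS = [
    # Chain from the report (PIDs as reported; parent PIDs 1400/480 are assumed)
    ProcEvent(2124, 1400, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(2184, 2124, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1016, 2184, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(2680, 1016, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcEvent(2884, 480, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    # Constructed benign noise: a legitimate rundll32 use and a browser
    ProcEvent(3100, 1400, r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
    ProcEvent(3200, 1400, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
]

DROPPED_NAMES = {"mssecsvc.exe", "tasksche.exe"}   # dropped executables named in the report

# rundll32 told to load a DLL under <user>\AppData\Local\Temp with the entry point given by ordinal (#N)
TEMP_DLL_BY_ORDINAL = re.compile(
    r"rundll32\.exe\s+(?P<dll>[a-z]:\\users\\[^,\s]+\\appdata\\local\\temp\\[^,\s]+\.dll),#\d+", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from the outermost recorded ancestor down to `pid`."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)            # guard against PID reuse producing a cycle
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def detect(events):
    """Return (rule, pid, detail) findings for the four observable stages of the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        m = TEMP_DLL_BY_ORDINAL.search(e.cmdline)
        if name == "rundll32.exe" and m:
            findings.append(("rundll32_temp_dll_ordinal", e.pid, m.group("dll")))
        # dropped binary in C:\WINDOWS launched by rundll32 or by another dropped binary
        if (name in DROPPED_NAMES and e.image.lower().startswith("c:\\windows\\")
                and parent is not None
                and basename(parent.image) in DROPPED_NAMES | {"rundll32.exe"}):
            findings.append(("dropped_exe_chain", e.pid, f"{basename(parent.image)} -> {name}"))
        if name == "mssecsvc.exe" and "-m security" in e.cmdline.lower():
            findings.append(("mssecsvc_service_mode", e.pid, e.cmdline))
        if name == "tasksche.exe" and e.cmdline.lower().split()[-1:] == ["/i"]:
            findings.append(("tasksche_install_switch", e.pid, e.cmdline))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid:<5d} chain={' > '.join(ancestry(SAMPLE_EVENTS, pid))}  {detail}")
```

The first rule is the one worth keeping in a production ruleset: rundll32.exe invoking a DLL from a user-writable Temp path by ordinal is rare in legitimate use and fires before anything is dropped. The name-based rules are specific to this family and trivially evaded by renaming, which is why the `ancestry` output is printed alongside each hit: the rundll32 > rundll32 > dropped-exe chain survives a rename.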
Network
MITRE ATT&CK Enterprise v15
Downloads

- File 1
  - Filesize: 3.6MB
  - MD5: 7ecbd2aaae989b4d8e4828634afd05f3
  - SHA1: 2dac984f34ce9b8a33fcbcd5582ca2b5998851e3
  - SHA256: f61a328b3c0f7c302f1ae2aa5035805477f72ca43d3426fcc263f5598763e84b
  - SHA512: a922dfc44ac2d4450cd5602fb55cb44a9878c0f0ebeedd0ee664985b833eac2c8a44ce01f43593ebce2f86e1cc1aa38dedd33f64b3f374475f60f331b0df27c5

- File 2
  - Filesize: 3.4MB
  - MD5: 5df060c882b909cfe7f14cb151e38e65
  - SHA1: 14c6a5afed8963b4e98399f8b890a86e527f0e98
  - SHA256: c22aca25405025854efd5eeb9ff4c8e42dde87110de9b34f94502c5bc31020b9
  - SHA512: 1e8e600119f3a615a7a9c90851e9a42fab787fbde5e61b3d7d01fea09eeb920de32840fd82e568da5343e94283f66e8440d7d82eb628d905841a5c6ab8ca330a