Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system -
submitted
20-05-2024 13:51
Static task
static1
Behavioral task
behavioral1
Sample
5f6a324dca637003e4e3176a6f3e005a_JaffaCakes118.dll
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
5f6a324dca637003e4e3176a6f3e005a_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
5f6a324dca637003e4e3176a6f3e005a_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
5f6a324dca637003e4e3176a6f3e005a
-
SHA1
f0bccfb37e2a5afe27e79d9dcca65e239cc18f31
-
SHA256
6c92686a13c94ac170d887061a2d82bfb922b22d4aaeefb6665a811087ea85e9
-
SHA512
667e1fd45bce9fb31d763f4b2753a3af97bfd562bd58f05a32b718e7b2f3502b417d9f04a5afd03b7e225ea8a613a32ab9b2a66c5b1980d4e27f1db13387df90
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAu3R8yAH1plA:+DqPoBhz1aRxcSUDk36SAt3R8yAVp2
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3335) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (3 IoCs)
Processes:
pid | process
2864 | mssecsvc.exe
2564 | mssecsvc.exe
2404 | tasksche.exe
-
Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
-
Drops file in Windows directory (2 IoCs)
Processes:
description | ioc | process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
-
Modifies data under HKEY_USERS (24 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0142000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2395C772-A725-4CDB-8556-271BD9B61B9D}\2a-2f-02-f8-be-dd | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2395C772-A725-4CDB-8556-271BD9B61B9D}\WpadNetworkName = "Network 3" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-2f-02-f8-be-dd\WpadDecisionTime = d0156bc5bcaada01 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2395C772-A725-4CDB-8556-271BD9B61B9D} | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2395C772-A725-4CDB-8556-271BD9B61B9D}\WpadDecisionTime = d0156bc5bcaada01 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2395C772-A725-4CDB-8556-271BD9B61B9D}\WpadDecisionReason = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2395C772-A725-4CDB-8556-271BD9B61B9D}\WpadDecision = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-2f-02-f8-be-dd | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-2f-02-f8-be-dd\WpadDecisionReason = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2a-2f-02-f8-be-dd\WpadDecision = "0" | mssecsvc.exe
-
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
description | pid | process | target process
PID 2868 wrote to memory of 2552 | 2868 | rundll32.exe | rundll32.exe
PID 2868 wrote to memory of 2552 | 2868 | rundll32.exe | rundll32.exe
PID 2868 wrote to memory of 2552 | 2868 | rundll32.exe | rundll32.exe
PID 2868 wrote to memory of 2552 | 2868 | rundll32.exe | rundll32.exe
PID 2868 wrote to memory of 2552 | 2868 | rundll32.exe | rundll32.exe
PID 2868 wrote to memory of 2552 | 2868 | rundll32.exe | rundll32.exe
PID 2868 wrote to memory of 2552 | 2868 | rundll32.exe | rundll32.exe
PID 2552 wrote to memory of 2864 | 2552 | rundll32.exe | mssecsvc.exe
PID 2552 wrote to memory of 2864 | 2552 | rundll32.exe | mssecsvc.exe
PID 2552 wrote to memory of 2864 | 2552 | rundll32.exe | mssecsvc.exe
PID 2552 wrote to memory of 2864 | 2552 | rundll32.exe | mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f6a324dca637003e4e3176a6f3e005a_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2868
  -
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f6a324dca637003e4e3176a6f3e005a_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2552
    -
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2864
      -
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2404
-
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2564
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.6MB
MD5 777caf590b80ec7f8d043d69d13eb3e8
SHA1 17ae4be358cb7923f7f161160d2210312a8b8146
SHA256 257eea1f0b058dc5c3e8773d0491c87699d9612b89c1bacd4916c78e03661e5a
SHA512 a8ca6bce5f5d52b0137dae595ee56ce95ee7d7eef143b160cfdf0ef4c037cc4804fe06d39c459b10584823e9cf01c2920e69fdc69ee3aebae831dddfdb7904e6
-
Filesize
3.4MB
MD5 9464efdb9950199ac4985f0db3305361
SHA1 0e7120281640859940fdec098c66b33efde1125b
SHA256 5555abbc0d88b011af5b2c904f05c8db40bc52787e67be19ff7aad2c20beb45d
SHA512 342915529130283aa5a1e7df193da0bff5258f8f799147051bfa9fb03701b7381707e7dcd7b3126c1f97c4d2e144b9dcc30c8e785ffabc3c40e35060126a1ee2