Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 20-05-2024 13:22
Static task: static1
Behavioral task: behavioral1
  Sample: 5f4c3473fd212376548903295eb8a4e2_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5f4c3473fd212376548903295eb8a4e2_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
Target: 5f4c3473fd212376548903295eb8a4e2_JaffaCakes118.dll
Size: 5.0MB
MD5: 5f4c3473fd212376548903295eb8a4e2
SHA1: cb41c7d8e759feed8d8752d01c447d20f486369e
SHA256: 5dc870dcb3aa373a6d019fc664ac9301a47d38747494e1926ab7830c57136b1a
SHA512: 127d9582d805fe3cd82a03fdeb2f032fb2a2a5e53d8d7c9744908e64db0db890d7914a34526036818b76d64a86979feb5dbb857f6687b61acb824ac8fa5d7f97
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yA:+DqPe1Cxcxk3ZAEUadzR8y
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3326) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    2208  mssecsvc.exe
    2684  mssecsvc.exe
    2732  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    description | ioc | process
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-ce-c5-89-bf-1d\WpadDecision = "0" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A022E48-48EE-4A71-A9C9-AE8CC255899E}\WpadDecisionReason = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A022E48-48EE-4A71-A9C9-AE8CC255899E}\WpadDecision = "0" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A022E48-48EE-4A71-A9C9-AE8CC255899E}\WpadNetworkName = "Network 3" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A022E48-48EE-4A71-A9C9-AE8CC255899E} | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-ce-c5-89-bf-1d | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-ce-c5-89-bf-1d\WpadDecisionTime = c0b723d9b8aada01 | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A022E48-48EE-4A71-A9C9-AE8CC255899E}\WpadDecisionTime = c0b723d9b8aada01 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8A022E48-48EE-4A71-A9C9-AE8CC255899E}\26-ce-c5-89-bf-1d | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-ce-c5-89-bf-1d\WpadDecisionReason = "1" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description | pid | process | target process
    PID 2220 wrote to memory of 1672 | 2220 | rundll32.exe | rundll32.exe
    PID 2220 wrote to memory of 1672 | 2220 | rundll32.exe | rundll32.exe
    PID 2220 wrote to memory of 1672 | 2220 | rundll32.exe | rundll32.exe
    PID 2220 wrote to memory of 1672 | 2220 | rundll32.exe | rundll32.exe
    PID 2220 wrote to memory of 1672 | 2220 | rundll32.exe | rundll32.exe
    PID 2220 wrote to memory of 1672 | 2220 | rundll32.exe | rundll32.exe
    PID 2220 wrote to memory of 1672 | 2220 | rundll32.exe | rundll32.exe
    PID 1672 wrote to memory of 2208 | 1672 | rundll32.exe | mssecsvc.exe
    PID 1672 wrote to memory of 2208 | 1672 | rundll32.exe | mssecsvc.exe
    PID 1672 wrote to memory of 2208 | 1672 | rundll32.exe | mssecsvc.exe
    PID 1672 wrote to memory of 2208 | 1672 | rundll32.exe | mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f4c3473fd212376548903295eb8a4e2_JaffaCakes118.dll,#1
  PID: 2220
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5f4c3473fd212376548903295eb8a4e2_JaffaCakes118.dll,#1
    PID: 1672
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2208
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2732
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2684
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
File 1
  Filesize: 3.6MB
  MD5: 1e49ec3322261d919e0070973b634f0f
  SHA1: 4cc76abc0a88952478c079dd0d2e0b33a32b82ea
  SHA256: 97eda67ce9c099ec7782170d6aed3103e87d23778adab79bf8cfdd52c3d0d965
  SHA512: b3e01e2e2a38e93eebfdfc24240751e3ba650ee0715ee1fe586acee77d6e31dd9a3821875c4e61647d016650145b189ced3e753e0828856d12a8bd991084a9ed
File 2
  Filesize: 3.4MB
  MD5: e1caa5bc7400f440ab84f95df6569fdf
  SHA1: 5e0a8b91fb4d62b596cc7b94e69c61514af3457a
  SHA256: 9179b360e2a699779a60f4c4a76868a17c3556b510016f94190e3145615edd33
  SHA512: 128163b5ac10fa5cda1cc24b1a48b4eb7a8141f574fc1227ce569e4b89a90b3e2104a7194a31acf280db36945d01e8d2444a1b52c54753a5fd3a5432ce760320