Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 03-06-2024 17:43
Static task
- static1
Behavioral task
- behavioral1: Sample 92a5bf01f9a7c4558ac9b24cfa85f29c_JaffaCakes118.dll, Resource win7-20240508-en
Behavioral task
- behavioral2: Sample 92a5bf01f9a7c4558ac9b24cfa85f29c_JaffaCakes118.dll, Resource win10v2004-20240508-en
General
- Target: 92a5bf01f9a7c4558ac9b24cfa85f29c_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 92a5bf01f9a7c4558ac9b24cfa85f29c
- SHA1: d516f680006e70f80b5674f93d63ae1b80e6e6f5
- SHA256: a2a8729f73ab7fef657cd15316818606548f802903589df70dafd405f15d7b5e
- SHA512: c05b2e68debf06f531f3889904a982a6dc29c39a2223cb83a45597597220a1f7a07d4d464e9f0e0995d87c3c7e4c3760e515f84cb4af425e6b928c504af18921
- SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo4R8:TDqPoBhz1aRxcSUDk34R8
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3158) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 2032 mssecsvc.exe
  - 2628 mssecsvc.exe
  - 2624 tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc), all performed by mssecsvc.exe:
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F2FB857-DF5B-42AC-9ECD-434BB9D75853}
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F2FB857-DF5B-42AC-9ECD-434BB9D75853}\WpadDecision = "0"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-65-03-b4-91-1c\WpadDecisionTime = f06c649cddb5da01
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F2FB857-DF5B-42AC-9ECD-434BB9D75853}\WpadDecisionTime = f06c649cddb5da01
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-65-03-b4-91-1c
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (empty value)
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f009b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F2FB857-DF5B-42AC-9ECD-434BB9D75853}\WpadDecisionReason = "1"
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-65-03-b4-91-1c\WpadDecisionReason = "1"
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-65-03-b4-91-1c\WpadDecision = "0"
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F2FB857-DF5B-42AC-9ECD-434BB9D75853}\WpadNetworkName = "Network 3"
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F2FB857-DF5B-42AC-9ECD-434BB9D75853}\8e-65-03-b4-91-1c
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  - PID 2116 (rundll32.exe) wrote to memory of PID 2192 (rundll32.exe), 7 entries
  - PID 2192 (rundll32.exe) wrote to memory of PID 2032 (mssecsvc.exe), 4 entries
Processes
- C:\Windows\system32\rundll32.exe (PID 2116)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\92a5bf01f9a7c4558ac9b24cfa85f29c_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\rundll32.exe (PID 2192)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\92a5bf01f9a7c4558ac9b24cfa85f29c_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - Child: C:\WINDOWS\mssecsvc.exe (PID 2032)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - Child: C:\WINDOWS\tasksche.exe (PID 2624)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2628)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Dropped file 1
  - Filesize: 3.6MB
  - MD5: 39defd2d02a0e1d9e961738e65c02696
  - SHA1: b1e9e93ce978ed77952a13248ecaf10e147f4f77
  - SHA256: 2fb740f05a5efa0e1d4449456a96e81d4818f812ae06d6ce58e6fb83b1aaa26f
  - SHA512: fe955354b4bf51731306299f6f00e7d6f385acd8189e5e2103d8bd1e2ba4e8ac6a03845bcf8c33793cc5e752afe5d539037ca19746376a2d1b8002a4a414d254
- Dropped file 2
  - Filesize: 3.4MB
  - MD5: 09df6f00ae6b3e8d064f249aa0927967
  - SHA1: c90a841db653b784e2165e05816ecdde78b7ecf2
  - SHA256: 5fe3d02dcde78bd9aa552217ebfdb6c386ef1342d004b920dded41773878269c
  - SHA512: 1a224329ac8682e6e1a5aa432742e8095a9ead4e89f1e6b54001807ac2543656920bfae8fa592f0bd2fdbf1c8290f4d07458c42234e755d94703f69121dd9476