Analysis
- Max time kernel: 150s
- Max time network: 154s
- Platform: windows7_x64
- Resource: win7-20240508-en
- Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- Submitted: 04-06-2024 00:23
Static task: static1
Behavioral task: behavioral1
- Sample: 931dea998d0bb26885d709472d28feba_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 931dea998d0bb26885d709472d28feba_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 931dea998d0bb26885d709472d28feba_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 931dea998d0bb26885d709472d28feba
- SHA1: 84860e0c82e5969fa3db0d0f43a5656f2a8d39d2
- SHA256: aa34f9d34716e12409d0f58a55343ffec04df461a6fb77290c660f1d91bf6b9b
- SHA512: 6fd1b3c843f620ad0b4d14cf470b85cd59add85aef1cfde8c16da65fa98e0daaca4eca03cfbb8bccb9c99531353799382918ff34f0088beb0623d7782c2c819d
- SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2:TDqPe1Cxcxk3ZAEUadzR8yc4
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3230) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  PID / process:
  - 2068 mssecsvc.exe
  - 2968 mssecsvc.exe
  - 2708 tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes: mssecsvc.exe
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe (all entries below)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A26EEF17-590C-4F14-875A-1306F1E52191}\ba-04-6c-a5-d2-6c
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-04-6c-a5-d2-6c\WpadDecisionReason = "1"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-04-6c-a5-d2-6c\WpadDecisionTime = 30d5c38415b6da01
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0039000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A26EEF17-590C-4F14-875A-1306F1E52191}
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A26EEF17-590C-4F14-875A-1306F1E52191}\WpadDecisionReason = "1"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-04-6c-a5-d2-6c
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A26EEF17-590C-4F14-875A-1306F1E52191}\WpadDecisionTime = 30d5c38415b6da01
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A26EEF17-590C-4F14-875A-1306F1E52191}\WpadDecision = "0"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A26EEF17-590C-4F14-875A-1306F1E52191}\WpadNetworkName = "Network 3"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-04-6c-a5-d2-6c\WpadDecision = "0"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  PID / process -> target process:
  - PID 2180 wrote to memory of 2120 (rundll32.exe -> rundll32.exe), 7 entries
  - PID 2120 wrote to memory of 2068 (rundll32.exe -> mssecsvc.exe), 4 entries
Processes
- C:\Windows\system32\rundll32.exe (PID 2180)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\931dea998d0bb26885d709472d28feba_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2120)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\931dea998d0bb26885d709472d28feba_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2068)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2708)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2968)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 8c2a671109362f1293a96cd2e478a8df
  SHA1: fffb2803373f8adfd4b74e5f8e9423f0f932d3b6
  SHA256: 427a68b20a9278d0f2eda838aaf0204963ffdf718964700596444c493d1b7af2
  SHA512: 01dde99f237dfa5cf1a80a250d206b57b7fd182ff2fce018bb3a08ec22497472dc29a5f1a794b3112b5883eeb02e029dfc5dbe56d39e50e08612e9fdcc0cb42d
- Filesize: 3.4MB
  MD5: ff3fa197e5f401adcb08dc932cda8fa4
  SHA1: 20ab7aa3466e83cda553ba6b26bbc19311583329
  SHA256: e86ca351671dd3e28f0c71aea24d0df575c4dd89b56087189b6b1cdbd1895f1c
  SHA512: c607864043f235170c5aff3de3ade03518f8ac569288daf7ac9bbdc4e669eb71d98e775298ab8c8afee768a0049bf86de0c96bfc44d976344068cbab853d5789