Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04-06-2024 06:22
Static task: static1
Behavioral task: behavioral1
- Sample: 93da20793dcecca1f9cbccd3b3de8ba1_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 93da20793dcecca1f9cbccd3b3de8ba1_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 93da20793dcecca1f9cbccd3b3de8ba1_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 93da20793dcecca1f9cbccd3b3de8ba1
- SHA1: 606b2f5cfd4296762de9b767342df97412fb7cf4
- SHA256: 6f73d23dc235b9255b394a96f5d01e4d0040b72b1b727d459885a1d92e6b5235
- SHA512: 87a729c025efdf011464256068ad253b6cfecf8d75e94512cf29d4bfb95b8f6068cf64fe48aced6ac01bf08a734f9765789470d5e57207354dcd85a6a5e8bd55
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:+DqPoBhz1aRxcSUDk36SAEdhv
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3310) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    1508  mssecsvc.exe
    2888  mssecsvc.exe
    3040  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc; all performed by mssecsvc.exe):
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\WpadDecisionReason = "1"
    Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\WpadNetworkName = "Network 2"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0072000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\5a-38-e2-66-6c-a1
    Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDecisionTime = 1027949b47b6da01
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\WpadDecisionTime = 1027949b47b6da01
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDecisionReason = "1"
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-38-e2-66-6c-a1\WpadDecision = "0"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D8829A0F-3A71-4B6E-8834-94893B633852}\WpadDecision = "0"
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 2236 wrote to memory of 2076  rundll32.exe -> rundll32.exe
    PID 2236 wrote to memory of 2076  rundll32.exe -> rundll32.exe
    PID 2236 wrote to memory of 2076  rundll32.exe -> rundll32.exe
    PID 2236 wrote to memory of 2076  rundll32.exe -> rundll32.exe
    PID 2236 wrote to memory of 2076  rundll32.exe -> rundll32.exe
    PID 2236 wrote to memory of 2076  rundll32.exe -> rundll32.exe
    PID 2236 wrote to memory of 2076  rundll32.exe -> rundll32.exe
    PID 2076 wrote to memory of 1508  rundll32.exe -> mssecsvc.exe
    PID 2076 wrote to memory of 1508  rundll32.exe -> mssecsvc.exe
    PID 2076 wrote to memory of 1508  rundll32.exe -> mssecsvc.exe
    PID 2076 wrote to memory of 1508  rundll32.exe -> mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 2236)
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\93da20793dcecca1f9cbccd3b3de8ba1_JaffaCakes118.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2076)
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\93da20793dcecca1f9cbccd3b3de8ba1_JaffaCakes118.dll,#1
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1508)
      command: C:\WINDOWS\mssecsvc.exe
      signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 3040)
        command: C:\WINDOWS\tasksche.exe /i
        signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2888)
  command: C:\WINDOWS\mssecsvc.exe -m security
  signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 146997f5831cf6362171888ce06e795f
  SHA1: 013161b55f6825a53424b56baba5503da124ec9c
  SHA256: 4ba2c444ec2dc1e7c67be46d6bf1d7eb83a826e4524709d22f6551ea83f4b951
  SHA512: 45064461a8ff356a4d8cf4591e56d263e1cae0198a1268dd71418ebf653814b36572f9440c62a3a64b124a64b12794b71a0d414f9174f5a530c2cd457b5ea648
- Filesize: 3.4MB
  MD5: 3c3f38487305188cc58893126b7492ba
  SHA1: fc9ac88842e4dde20e1134279773ee8885f0c185
  SHA256: 95e451949bfe0fec72d454467e3c136cb4cf44de759cb7537ade03736447b219
  SHA512: 274b654c15faf63bcfd368ad4f26c7812c8f7a0b42de492f6ee23c4f996292367dec6496c87d408d5f753d96d18f9e6f3af3f2cc0163c9636a7ca259aa2d8e3b