Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04-06-2024 10:18
Static task
- static1
Behavioral task
- behavioral1
  Sample: 9476d1e5e154653db14527d81b3a174c_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 9476d1e5e154653db14527d81b3a174c_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 9476d1e5e154653db14527d81b3a174c_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 9476d1e5e154653db14527d81b3a174c
- SHA1: 1e985a82ebb778859b778024a717bf986ac183ff
- SHA256: 63e143b51ac8e3c8fbea70721277c23591efa2f4a235da9fbcc6ef6ae4842831
- SHA512: 42b6d87dd3488095248532aa0ac94ca80b4f70f57b5305a9052da99cce6b0d76c1bb573b2134e0550fe93c9fd2a8f31472d06651654e9a145e812ab7521d0544
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRuEau3R8yAH1plAH:+DqPoBhz1aRL3R8yAVp2H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3122) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  PID 908:  mssecsvc.exe
  PID 2156: mssecsvc.exe
  PID 2632: tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Process: mssecsvc.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Process: mssecsvc.exe (all entries below)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB11FAEB-9F3A-46BA-9E6F-59FBED2ED9EE}\WpadDecision = "0"
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB11FAEB-9F3A-46BA-9E6F-59FBED2ED9EE}\02-e5-93-0e-bb-31
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB11FAEB-9F3A-46BA-9E6F-59FBED2ED9EE}\WpadNetworkName = "Network 3"
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-e5-93-0e-bb-31\WpadDecision = "0"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB11FAEB-9F3A-46BA-9E6F-59FBED2ED9EE}\WpadDecisionTime = 40990b9d68b6da01
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-e5-93-0e-bb-31
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-e5-93-0e-bb-31\WpadDecisionTime = 40990b9d68b6da01
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB11FAEB-9F3A-46BA-9E6F-59FBED2ED9EE}
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB11FAEB-9F3A-46BA-9E6F-59FBED2ED9EE}\WpadDecisionReason = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-e5-93-0e-bb-31\WpadDecisionReason = "1"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0122000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  PID 2844 (rundll32.exe) wrote to memory of PID 1244 (rundll32.exe)
  PID 2844 (rundll32.exe) wrote to memory of PID 1244 (rundll32.exe)
  PID 2844 (rundll32.exe) wrote to memory of PID 1244 (rundll32.exe)
  PID 2844 (rundll32.exe) wrote to memory of PID 1244 (rundll32.exe)
  PID 2844 (rundll32.exe) wrote to memory of PID 1244 (rundll32.exe)
  PID 2844 (rundll32.exe) wrote to memory of PID 1244 (rundll32.exe)
  PID 2844 (rundll32.exe) wrote to memory of PID 1244 (rundll32.exe)
  PID 1244 (rundll32.exe) wrote to memory of PID 908 (mssecsvc.exe)
  PID 1244 (rundll32.exe) wrote to memory of PID 908 (mssecsvc.exe)
  PID 1244 (rundll32.exe) wrote to memory of PID 908 (mssecsvc.exe)
  PID 1244 (rundll32.exe) wrote to memory of PID 908 (mssecsvc.exe)
Processes
- C:\Windows\system32\rundll32.exe (PID 2844)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9476d1e5e154653db14527d81b3a174c_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1244)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9476d1e5e154653db14527d81b3a174c_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 908)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2632)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2156)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: b2e0aa14a73ab71dcf04a77f35689c38
  SHA1: 88146bc3aa85cf243ce3d423a3885fbc3cd0a08e
  SHA256: d9a1bd16dc684d82a44c9e9527fcb5e284618fca91b260a70059bc9a3ec382fb
  SHA512: 72980f45714174d070383e930848ebc1c6f1c5ab9b17e98cb207573b96002d78047e2a041ef2ae702d3feff59b5cedc0f8624b41fbf22158d6659c7142c17708
- Filesize: 3.4MB
  MD5: df94a40a6a8b12834abbd2de6e67387c
  SHA1: c97eb8d95fdd8aa93969f06c3c62b0ddcd248e83
  SHA256: fe027f20645c585d8224213af9d4e74da76448ce821552ae337f213e6878ea93
  SHA512: 522f2df1ea07417c193d0f05f086b01489985e46c58d9cf4449a4dbdb3aa0516dcd7773e613fcbe5382d41f7dd54d7b03cbc7ad40ff893c0d594b7a621dc5291