Analysis
Max time kernel: 150s
Max time network: 150s
Platform: windows7_x64
Resource: win7-20231129-en
Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
Submitted: 04-06-2024 17:33

Static task: static1

Behavioral task: behavioral1
Sample: 95b2c12e9afeaed5fbe056e49fc1eaaa_JaffaCakes118.dll
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 95b2c12e9afeaed5fbe056e49fc1eaaa_JaffaCakes118.dll
Resource: win10v2004-20240426-en
General
Target: 95b2c12e9afeaed5fbe056e49fc1eaaa_JaffaCakes118.dll
Size: 5.0MB
MD5: 95b2c12e9afeaed5fbe056e49fc1eaaa
SHA1: 223e0d98f84870b2a7d925b62eba5dcc64da6c82
SHA256: 285a80c30114cd0759ce092586eb9d3ac5ebdeb01e2bdc062a74b7c0a9a6c45a
SHA512: 6404dca3869606d3f39a0997040320755094f4a6bc11c5d470cf444e3f3089037a8f89985788a68d39a52fa4aa7c6058b82618fc253604c1b585ffebfc8d00f5
SSDEEP: 98304:+DqPoBhzBRxcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPefxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3088) number of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 2460: mssecsvc.exe
    PID 2704: mssecsvc.exe
    PID 2772: tasksche.exe
- Creates a large number of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes:
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
    File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
    File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes:
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (PID, process, target PID, target process):
    PID 2268 rundll32.exe wrote to memory of PID 804 rundll32.exe
    PID 2268 rundll32.exe wrote to memory of PID 804 rundll32.exe
    PID 2268 rundll32.exe wrote to memory of PID 804 rundll32.exe
    PID 2268 rundll32.exe wrote to memory of PID 804 rundll32.exe
    PID 2268 rundll32.exe wrote to memory of PID 804 rundll32.exe
    PID 2268 rundll32.exe wrote to memory of PID 804 rundll32.exe
    PID 2268 rundll32.exe wrote to memory of PID 804 rundll32.exe
    PID 804 rundll32.exe wrote to memory of PID 2460 mssecsvc.exe
    PID 804 rundll32.exe wrote to memory of PID 2460 mssecsvc.exe
    PID 804 rundll32.exe wrote to memory of PID 2460 mssecsvc.exe
    PID 804 rundll32.exe wrote to memory of PID 2460 mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 2268)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\95b2c12e9afeaed5fbe056e49fc1eaaa_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 804)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\95b2c12e9afeaed5fbe056e49fc1eaaa_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2460)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2772)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2704)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: a2a3e10eb73eff854be52d6647698f70
  SHA1: f1162eb2213ef084bbc0e75a68e4654f2a0efed5
  SHA256: 82d4d7a9a740f3c56c3c71d6d65af9ffe80a7f0839bba5af4d27135a8d3b6609
  SHA512: 63bfaea06170adc82919cc1be74254035b9dc317b3b8890a63a3622b533cbc8835bb3e0147748397da07cec657157f22b0a84ee676b80bad0d18232fbfe157bd
- Filesize: 3.4MB
  MD5: a21d2a470b89d4c1916edd49e615e941
  SHA1: b31f148803f88330c870659a7b9a173aa422baae
  SHA256: 438603dde75732b4f81fc31bac2de414a8060601c34c517c5b99f3f180c989cc
  SHA512: 2a928d33eb8e6d4849234a3c6ba0b7a2f12cdedef39fdc26c98ac532772eaf4f2448571afd345d0780cc5a666b7e77cbb5872defe8b89a00c2fc9650158e719d