Analysis
- max time kernel: 113s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 05-06-2024 02:40

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 9706a91b71d6469eee7460c4fe269cd7_JaffaCakes118.dll
  Resource: win7-20240508-en
- Behavioral task: behavioral2
  Sample: 9706a91b71d6469eee7460c4fe269cd7_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
- Target: 9706a91b71d6469eee7460c4fe269cd7_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 9706a91b71d6469eee7460c4fe269cd7
- SHA1: ac9d010f4350f12ddb11ad027086939d13ebd6df
- SHA256: 6b554dcb67e00574995e5ba2edd00f3326c269cc37fae2ac9487de0fc64fd2f2
- SHA512: 1b011ebe840269139465db20b15d4a7d6cc2340dcd8b78d2b03def9e8af8a3bc31e55cf6f0bbb6a7e9ce3d3a700831864407bdc0348b5ad24017cce6f54b060f
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0EE7A4kqAH1pNZtA0p+9XEk:SnAQqMSPbcBVZ8yAH1plAH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3220) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 2316: mssecsvc.exe
  - PID 2656: mssecsvc.exe
  - PID 2508: tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes:
  - mssecsvc.exe: file opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
- Drops file in Windows directory (2 IoCs)
  Processes:
  - rundll32.exe: file created: C:\WINDOWS\mssecsvc.exe
  - mssecsvc.exe: file created: C:\WINDOWS\tasksche.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 1368 rundll32.exe wrote to memory of PID 2356 rundll32.exe (7 events)
  - PID 2356 rundll32.exe wrote to memory of PID 2316 mssecsvc.exe (4 events)
Processes
- C:\Windows\system32\rundll32.exe (PID 1368)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9706a91b71d6469eee7460c4fe269cd7_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2356)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9706a91b71d6469eee7460c4fe269cd7_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2316)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2508)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2656)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 2e395ce3d9579e3af489ce3ed72b7f1f
  SHA1: e8ae8534e1b938e9615678693cc2526f740c6767
  SHA256: 6c1af9ec13b3cb0661bce252046f4fc528f3144329aabe82c069c3ff801f7d67
  SHA512: 550b242dfa26b9eb30bea2c458176dad5efad99ec5e791b6a3d0d1ce4e72a361a2025fd644b7cb069829ab90fce356fb3029c2228ae3f52f13dc887f58d0840c
- Filesize: 3.4MB
  MD5: 79ddcfa88da7f0d77dacd228f7dfc55c
  SHA1: cd411e2460f2028c80625977fae853eb2bd883ed
  SHA256: 6d1d6a1ec293a0194b1e5bffd8cc742e0af7a958cafbc581995c7cf016bdabbe
  SHA512: 78c747efa63dc48a5d61bc11d6988c6768c16ddf4f79dd44c827eb6cfea8a5c3ede3ce9302d3e2c6ba036552b2aa224545e80e6899067140a5910fd7036fb5ef