Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system -
submitted
05-06-2024 06:48
Static task
static1
Behavioral task
behavioral1
Sample
97655b6c1416fed6149fbb57992635a3_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
97655b6c1416fed6149fbb57992635a3_JaffaCakes118.dll
Resource
win10v2004-20240426-en
General
-
Target
97655b6c1416fed6149fbb57992635a3_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
97655b6c1416fed6149fbb57992635a3
-
SHA1
0a643d40db33634e38f05c4f8138665baa2bb513
-
SHA256
3cf245c76d050ff09af32a5b290a3c9d9565dda8265d21df0685397a53074e38
-
SHA512
0a3b9363a97ba46ba7e1c3c358c88e886c299c821ea7279014e51367bc0f6a78913d0eb8f2b49739610475e96cad6dcdeecc92f91308b404785f11f66717b21c
-
SSDEEP
24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626/v1rqMt/8uME7A4C:SnAQqMSPbcBVQej/1INRovB3R8
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3190) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
2368 | mssecsvc.exe
3040 | mssecsvc.exe
2640 | tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
-
Modifies data under HKEY_USERS 24 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6A9205D-C78B-482E-99A7-46CD2733068C} | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6A9205D-C78B-482E-99A7-46CD2733068C}\WpadNetworkName = "Network 3" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-24-79-be-18-c1\WpadDecisionTime = 206b5b5314b7da01 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-24-79-be-18-c1\WpadDecision = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6A9205D-C78B-482E-99A7-46CD2733068C}\WpadDecisionTime = 206b5b5314b7da01 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-24-79-be-18-c1 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6A9205D-C78B-482E-99A7-46CD2733068C}\6e-24-79-be-18-c1 | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ec000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6A9205D-C78B-482E-99A7-46CD2733068C}\WpadDecisionReason = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B6A9205D-C78B-482E-99A7-46CD2733068C}\WpadDecision = "0" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-24-79-be-18-c1\WpadDecisionReason = "1" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
description | pid | process | target process
PID 2876 wrote to memory of 2904 | 2876 | rundll32.exe | rundll32.exe
PID 2876 wrote to memory of 2904 | 2876 | rundll32.exe | rundll32.exe
PID 2876 wrote to memory of 2904 | 2876 | rundll32.exe | rundll32.exe
PID 2876 wrote to memory of 2904 | 2876 | rundll32.exe | rundll32.exe
PID 2876 wrote to memory of 2904 | 2876 | rundll32.exe | rundll32.exe
PID 2876 wrote to memory of 2904 | 2876 | rundll32.exe | rundll32.exe
PID 2876 wrote to memory of 2904 | 2876 | rundll32.exe | rundll32.exe
PID 2904 wrote to memory of 2368 | 2904 | rundll32.exe | mssecsvc.exe
PID 2904 wrote to memory of 2368 | 2904 | rundll32.exe | mssecsvc.exe
PID 2904 wrote to memory of 2368 | 2904 | rundll32.exe | mssecsvc.exe
PID 2904 wrote to memory of 2368 | 2904 | rundll32.exe | mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\97655b6c1416fed6149fbb57992635a3_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:2876
  -
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\97655b6c1416fed6149fbb57992635a3_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2904
    -
    C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:2368
      -
      C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:2640
-
C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3040
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.6MB
MD5 94dd7786e9186a0448cb7d2a90cb987e
SHA1 a1a31c02c43676a2d16edd68c7ad681a4d20271c
SHA256 179ed5a281e356dc2d0fab485b5427942e8c6ce1d7435c49bcf704b4b855dcad
SHA512 51cd7024c61c72c44072d51c040ccfc02a02c019ef91287e5939047166d46693cb52d37757cbe7d493429398c3cc7546cc09b9c2afe30d7b7430dba679f7b9d6
-
Filesize
3.4MB
MD5 54e9ae14fec1f46cc3cd61b0df41291c
SHA1 9e6d6bcdce3ff409185aa0c4a77358a6b472e90d
SHA256 ef232df62ebca1d9f5b04a8af1f7637053f82dc8d340ea9193bd9b28f1b2ef82
SHA512 a0cc2e34be634efeca7b827242f5179ce698011fb2b99b049d670625b6f4ae753ce10c6d2cd59cb3a84bd81ca890e86273a9a78b130af86ebcd6e03fe4764344