Analysis
- max time kernel: 93s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 06-06-2024 01:11
Static task: static1
Behavioral task: behavioral1
- Sample: 99ad8aeda4eef76eb75a1a4b7323473d_JaffaCakes118.dll
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: 99ad8aeda4eef76eb75a1a4b7323473d_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 99ad8aeda4eef76eb75a1a4b7323473d_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 99ad8aeda4eef76eb75a1a4b7323473d
- SHA1: 920bb8782bfa9fd1613f3dd588c27ce367d9700c
- SHA256: 892aa85369aec7332bbf24998001a8b8ea8e5bb0ad97cc02d041991e25c0ebfa
- SHA512: 007aa0e7604ecf90a1f6b10566dd85353bb1a2ff586392a2eb1e66aba74e863442497f1098053e8a84be45a0240394ddc2c290824641af4af62eb00eb71be73f
- SSDEEP: 12288:yebLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHh5vR5CAvg:zbLgddQhfdmMSirYbcMNgef0QB4
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3196) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2188  mssecsvc.exe
    2764  mssecsvc.exe
    2696  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc; every entry by mssecsvc.exe):
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{745CDF4B-8EB7-4F01-AA1B-7FBAB3AD3F82}\WpadDecisionReason = "1"
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{745CDF4B-8EB7-4F01-AA1B-7FBAB3AD3F82}\WpadNetworkName = "Network 2"
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{745CDF4B-8EB7-4F01-AA1B-7FBAB3AD3F82}\d6-5b-55-e9-9b-6a
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-5b-55-e9-9b-6a\WpadDecision = "0"
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (no value recorded)
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{745CDF4B-8EB7-4F01-AA1B-7FBAB3AD3F82}
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{745CDF4B-8EB7-4F01-AA1B-7FBAB3AD3F82}\WpadDecisionTime = e0c551baafb7da01
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-5b-55-e9-9b-6a\WpadDecisionTime = e0c551baafb7da01
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{745CDF4B-8EB7-4F01-AA1B-7FBAB3AD3F82}\WpadDecision = "0"
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-5b-55-e9-9b-6a
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-5b-55-e9-9b-6a\WpadDecisionReason = "1"
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, source process, target process):
    PID 2012 wrote to memory of 2364  rundll32.exe -> rundll32.exe  (7 entries)
    PID 2364 wrote to memory of 2188  rundll32.exe -> mssecsvc.exe  (4 entries)
Processes
- C:\Windows\system32\rundll32.exe (PID 2012)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\99ad8aeda4eef76eb75a1a4b7323473d_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2364)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\99ad8aeda4eef76eb75a1a4b7323473d_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2188)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2696)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2764)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 96ade48aeaec022c4b097b23d9a7f721
  SHA1: 42b7aef0687901448b07d9cebf735c1aceb49cd2
  SHA256: 3f9e73320e9c017abfedf726c9259f307110e24e945184bc9fb23cce029d696c
  SHA512: 521712e6a962e33efbabd678c02316109a6b166908c5ba0ab96084f29204c0ec964ae4219ee8c60be7261c12d0cd298e8074c8a43955c712d3ead8397f8c2ef7
- Filesize: 3.4MB
  MD5: 56389647faf37d8c938d344af61e2baf
  SHA1: fc1b2eb144adba2b4eedb75d2cf80b1b0982a4fc
  SHA256: fce09976e7befb6472fe8f658d6234a948c00e860c757384dc69198cf713c5db
  SHA512: 60597bcd70900557b4483a96254038682c4913aafe825ece9589066a395da2bdcc668ef840cccb689b8cf4e302817d0ee1da3f28242e75224de22474b1962b7e