Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 10-06-2024 22:58
Static task: static1
Behavioral task: behavioral1
- Sample: 9c38a8a1a32a471f7f969cc3eeb43a02_JaffaCakes118.dll
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 9c38a8a1a32a471f7f969cc3eeb43a02_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 9c38a8a1a32a471f7f969cc3eeb43a02_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 9c38a8a1a32a471f7f969cc3eeb43a02
- SHA1: 75e831729706ed7f50d68337bf71efc4d7e347ae
- SHA256: d77d6cdef6e906971ec74c6fe200bb954581fba04c08247381557c3ebae22cc8
- SHA512: 5da32a15c98562b413b0c62e887c21a49943680f984c2aaa9c5d4003ef867c5fa179cb490a00196d756ad3afa5bbf7ced76a2272026fa3e45d43ee7a76adddb9
- SSDEEP: 98304:+DqPoB5z1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPO1Cxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3174) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid | process:
    2148 | mssecsvc.exe
    2140 | mssecsvc.exe
    2656 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process:
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description | ioc | process:
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process:
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f004d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-3d-59-ec-13-ac | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B50791CF-554A-42C6-8980-B9EE60161D0C}\0a-3d-59-ec-13-ac | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B50791CF-554A-42C6-8980-B9EE60161D0C} | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B50791CF-554A-42C6-8980-B9EE60161D0C}\WpadDecisionTime = 302ffab689bbda01 | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B50791CF-554A-42C6-8980-B9EE60161D0C}\WpadNetworkName = "Network 3" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-3d-59-ec-13-ac\WpadDecision = "0" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-3d-59-ec-13-ac\WpadDecisionTime = 302ffab689bbda01 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B50791CF-554A-42C6-8980-B9EE60161D0C}\WpadDecision = "0" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-3d-59-ec-13-ac\WpadDecisionReason = "1" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B50791CF-554A-42C6-8980-B9EE60161D0C}\WpadDecisionReason = "1" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process:
    PID 2344 wrote to memory of 2176 | 2344 | rundll32.exe | rundll32.exe
    PID 2344 wrote to memory of 2176 | 2344 | rundll32.exe | rundll32.exe
    PID 2344 wrote to memory of 2176 | 2344 | rundll32.exe | rundll32.exe
    PID 2344 wrote to memory of 2176 | 2344 | rundll32.exe | rundll32.exe
    PID 2344 wrote to memory of 2176 | 2344 | rundll32.exe | rundll32.exe
    PID 2344 wrote to memory of 2176 | 2344 | rundll32.exe | rundll32.exe
    PID 2344 wrote to memory of 2176 | 2344 | rundll32.exe | rundll32.exe
    PID 2176 wrote to memory of 2148 | 2176 | rundll32.exe | mssecsvc.exe
    PID 2176 wrote to memory of 2148 | 2176 | rundll32.exe | mssecsvc.exe
    PID 2176 wrote to memory of 2148 | 2176 | rundll32.exe | mssecsvc.exe
    PID 2176 wrote to memory of 2148 | 2176 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c38a8a1a32a471f7f969cc3eeb43a02_JaffaCakes118.dll,#1
  PID: 2344
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9c38a8a1a32a471f7f969cc3eeb43a02_JaffaCakes118.dll,#1
    PID: 2176
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2148
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2656
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2140
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 7389bafd564190dd7549d1c30616d516
  SHA1: 28f35901cfa0f42a9adf77b186ce750a18d85736
  SHA256: d77ea687e621048e148e573d68d8f0f90b81c72d1da49e344b27edde64ba53d3
  SHA512: e9cef730d4963bc8fbb9bafc6f66bfd2f1dbf6425caae224f9d7ddb06bd778cb75f126b9c4d564189fd062f804c3813a45c6c56fc16f6379f6138fd42bb9ac79
- Filesize: 3.4MB
  MD5: f11f68e66d13ad8212897cc32adb0dce
  SHA1: 84d26b5f83eb688b66d8a6dbad17f76750aa0822
  SHA256: a7e92b68e90b891c9d41a00e827c2a965b4807717025be913d026e5dd3007699
  SHA512: 996680d032f0cf9032d9a73aabd93f5cfc5c76eb25a4d9e9b507975813fd75ecd5e427ec0e4a10633895ea4c190c871392d07de948de6322e0b46bc63650cba3