Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 10-06-2024 16:36
- Static task: static1
- Behavioral task: behavioral1
  Sample: 9b5414fe2be2c2a4db4a27214c5ce934_JaffaCakes118.dll
  Resource: win7-20240221-en
- Behavioral task: behavioral2
  Sample: 9b5414fe2be2c2a4db4a27214c5ce934_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
- Target: 9b5414fe2be2c2a4db4a27214c5ce934_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 9b5414fe2be2c2a4db4a27214c5ce934
- SHA1: fb3ef9a47e234c83796099bef5d2fa0d86b0ec38
- SHA256: 391fe9571f240be81bcc5df90d867871bb248d24cd0c4633c240e61c8ad8dd1f
- SHA512: f0f4514f66b3c48443aef62b7221bca406e5b3c2078f04a2f2002d2f1a2ea51d543b7a078dd407ff1a3db0c0a6bb52caa5c7049ff2f694537ab52010f71700d0
- SSDEEP: 98304:+DqPoBhz1aRxcSUNk36SAEdhvxWa9P593R8yAVp2H:+DqPe1Cxcnk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- Contacts a large (3286) amount of remote hosts (1 TTPs): This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2560 mssecsvc.exe
    2684 mssecsvc.exe
    2604 tasksche.exe
- Creates a large amount of network flows (1 TTPs): This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Process: mssecsvc.exe
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    File created: C:\WINDOWS\mssecsvc.exe (by rundll32.exe)
    File created: C:\WINDOWS\tasksche.exe (by mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Process: mssecsvc.exe
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-31-e6-b0-02-01\WpadDecision = "0"
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C57B559-8C32-4399-91FF-80093C13E1AC}
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C57B559-8C32-4399-91FF-80093C13E1AC}\WpadDecision = "0"
    Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C57B559-8C32-4399-91FF-80093C13E1AC}\WpadNetworkName = "Network 3"
    Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-31-e6-b0-02-01\WpadDecisionTime = 30b6d66054bbda01
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C57B559-8C32-4399-91FF-80093C13E1AC}\WpadDecisionReason = "1"
    Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C57B559-8C32-4399-91FF-80093C13E1AC}\WpadDecisionTime = 30b6d66054bbda01
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-31-e6-b0-02-01
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-31-e6-b0-02-01\WpadDecisionReason = "1"
    Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C57B559-8C32-4399-91FF-80093C13E1AC}\3a-31-e6-b0-02-01
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  All 24 entries sit under the .DEFAULT hive (the SYSTEM profile) and are the proxy/WPAD, zone-map and cache-prefix values that WinINet initialises the first time a process in that profile uses it; the counters.dat write under the system profile's Temporary Internet Files folder comes from the same component. They indicate mssecsvc.exe (PID 2684) running as SYSTEM and using WinINet, not tampering with a logged-on user's proxy settings.
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    PID 2456 rundll32.exe wrote to memory of PID 1624 rundll32.exe (7 events)
    PID 1624 rundll32.exe wrote to memory of PID 2560 mssecsvc.exe (4 events)
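The two network signatures above both key on how many distinct remote hosts a single process touches (3286 in this run). The block below is an added example, not part of the sandbox report and not the sandbox's own signature code: it implements that heuristic over constructed flow records of the form (pid, image, destination IP, destination port) and adds a single-port-sweep check on top, since a worm sweeping one service port across many hosts looks different from a busy client fanning out to many hosts on many ports. The flow records, the 300-host sweep on port 445 and the thresholds are assumptions made for illustration; the report itself states only the host count.

```python
"""Added example: the "contacts a large amount of remote hosts" heuristic
over per-process network flows. Not sandbox code; all flows are constructed."""
from collections import Counter, defaultdict
from ipaddress import ip_address


def make_sample_flows():
    """Constructed flows as (pid, image, dst_ip, dst_port). Not report data."""
    flows = []
    # A client-like process: several flows, but only two distinct hosts.
    flows += [(1000, "browser.exe", "93.184.216.34", 443)] * 5
    flows += [(1000, "browser.exe", "151.101.1.69", 443)] * 3
    # A worm-like process: one flow each to 300 different hosts, same port.
    # Port 445 is an assumption for the example; the report lists no ports.
    for i in range(1, 301):
        flows.append((2560, "mssecsvc.exe", f"10.0.{i // 256}.{i % 256}", 445))
    return flows


def distinct_hosts_per_process(flows):
    """Group flows by (pid, image); return distinct hosts and port counts."""
    hosts = defaultdict(set)
    ports = defaultdict(Counter)
    for pid, image, dst_ip, dst_port in flows:
        ip_address(dst_ip)  # raises ValueError on a malformed address
        hosts[(pid, image)].add(dst_ip)
        ports[(pid, image)][dst_port] += 1
    return hosts, ports


def flag_scanners(flows, min_hosts=100, port_share=0.9):
    """Flag processes that reach at least min_hosts distinct hosts.

    The raw host count is what the sandbox signature keys on. The share of
    flows that go to the single most common port is an extra signal:
    a value near 1.0 means one service port swept across many hosts.
    """
    hosts, ports = distinct_hosts_per_process(flows)
    findings = []
    for key, hostset in hosts.items():
        n = len(hostset)
        if n < min_hosts:
            continue
        top_port, top_count = ports[key].most_common(1)[0]
        total = sum(ports[key].values())
        findings.append({
            "pid": key[0],
            "image": key[1],
            "distinct_hosts": n,
            "top_port": top_port,
            "top_port_share": top_count / total,
            "single_port_sweep": top_count / total >= port_share,
        })
    return findings


if __name__ == "__main__":
    for finding in flag_scanners(make_sample_flows()):
        print(finding)
```

The thresholds are deliberately conservative for a 150-second sandbox window; on a real host you would tune min_hosts to the baseline of the role (a domain controller or a vulnerability scanner legitimately talks to hundreds of hosts) and rely more on the port-share signal.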
Processes
- C:\Windows\system32\rundll32.exe (PID 2456)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b5414fe2be2c2a4db4a27214c5ce934_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1624)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9b5414fe2be2c2a4db4a27214c5ce934_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2560)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2604)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2684)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS

The 64-bit rundll32.exe under system32 re-executes the 32-bit copy under SysWOW64 because the sample is a 32-bit DLL on an x64 guest; the dropped mssecsvc.exe and tasksche.exe are then started from the 32-bit rundll32.exe. The second mssecsvc.exe (PID 2684, "-m security") appears at the top level with no parent in the rundll32 chain, and it is the instance that writes the WinINet settings and counters.dat under the system profile.
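The tree above shows one chain (rundll32.exe loading the DLL from the user's Temp folder, dropping and starting C:\WINDOWS\mssecsvc.exe, which drops and starts tasksche.exe /i) plus a separate mssecsvc.exe -m security. The block below is an added example, not the sandbox's code: it transcribes the tree into plain records and checks for those three behaviours by walking parent links. Parent PIDs follow the nesting shown on the page; the two top-level processes have no parent shown, so their ppid is None (an assumption of this example, not a value from the report).

```python
"""Added example: process-chain checks over the report's process tree.
Records are transcribed from the tree on the page; ppid follows the
nesting shown there, and is None where the page shows no parent."""
from dataclasses import dataclass
from typing import Optional
import ntpath


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


DLL = r"C:\Users\Admin\AppData\Local\Temp\9b5414fe2be2c2a4db4a27214c5ce934_JaffaCakes118.dll"

TREE = [
    Proc(2456, None, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Proc(1624, 2456, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Proc(2560, 1624, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    Proc(2604, 2560, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    Proc(2684, None, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
]


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def directly_in_windows_dir(image: str) -> bool:
    """True for an image directly under the Windows directory,
    false for one under System32 or SysWOW64."""
    return ntpath.dirname(image).lower() == r"c:\windows"


def loads_dll_from_user_temp(cmdline: str) -> bool:
    c = cmdline.lower()
    return "\\appdata\\local\\temp\\" in c and ".dll" in c


def ancestors(procs, pid):
    """Walk ppid links upward; stop at an unknown parent or a cycle."""
    by_pid = {p.pid: p for p in procs}
    out, seen = [], {pid}
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid is not None and cur.ppid not in seen:
        cur = by_pid.get(cur.ppid)
        if cur is None:
            break
        seen.add(cur.pid)
        out.append(cur)
    return out


def check_chain(procs):
    """Return (pid, reason) findings for the three behaviours in the tree."""
    findings = []
    for p in procs:
        args = p.cmdline.split()[1:]
        # 1. A binary sitting directly in C:\WINDOWS, started under a
        #    rundll32.exe that was handed a DLL from a user Temp folder.
        if directly_in_windows_dir(p.image) and any(
            basename(a.image) == "rundll32.exe" and loads_dll_from_user_temp(a.cmdline)
            for a in ancestors(procs, p.pid)
        ):
            findings.append((p.pid, "exe in C:\\WINDOWS spawned under rundll32 loading a Temp DLL"))
        # 2. tasksche.exe started with the /i switch.
        if basename(p.image) == "tasksche.exe" and "/i" in args:
            findings.append((p.pid, "tasksche.exe /i"))
        # 3. mssecsvc.exe started with "-m security".
        if basename(p.image) == "mssecsvc.exe" and args[:2] == ["-m", "security"]:
            findings.append((p.pid, "mssecsvc.exe -m security"))
    return findings


if __name__ == "__main__":
    for pid, reason in check_chain(TREE):
        print(pid, reason)
```

Rule 1 is the one worth keeping generic: a process whose image lives directly in the Windows directory and whose ancestry includes rundll32.exe loading a DLL from a user-writable Temp path is suspicious regardless of the file names, whereas rules 2 and 3 match this family's specific command lines and are only useful as confirmation.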
Downloads
- Filesize: 3.6MB
  MD5: e96dd428adce6fca4f43709adf2da4ed
  SHA1: 02836566321980602ace73eadf641b9ad20f760c
  SHA256: 635880bbafbb117393ee80732defcc83b7183a7b37bd194e8dd008cacb51d86d
  SHA512: b591b1c460835fd9c2f557483da84ca022e698ce73fb256f80b168d987a396d28036bc0717a160f03d764972e6a9d3e9130d07395706001261778275e75b0e19
- Filesize: 3.4MB
  MD5: f2afae168a37518afb269e08fb261117
  SHA1: 7146e665185a3c340e0ca2bcddeaa0f76783fdab
  SHA256: e0311d7b25a0c2fe5b7977d6170f9a21f9b473f32e508c9541d1367661b52cec
  SHA512: dee0c03f42005a0c2972b271359fcc770e59832b08d9686881e7f93d00af1d01b419245c5d466579fe3bd33323f879425a025dc0492f23efe5a577ed0e2d2780