Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
11-06-2024 16:11
Static task
static1
Behavioral task
behavioral1
Sample
9ec3170c7181621e1f861af2a4ecda6b_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
9ec3170c7181621e1f861af2a4ecda6b_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
9ec3170c7181621e1f861af2a4ecda6b_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
9ec3170c7181621e1f861af2a4ecda6b
-
SHA1
17b2d2e917700590c8d6d935a911e4a1cb20e500
-
SHA256
6ae6c7e5c248bf15f16f50200591b49fee5a967ee6923a7a070c487edef7ce36
-
SHA512
e9811e4245a93b6f33b7c2a51554febcfd9c048c5def7cdef428ab5f283464544f327622a835410206d6b7bd2a479a6865081684f44c9de946afd0020fd4eadf
-
SSDEEP
98304:+DqPoBhz1/RxcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPe1pxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3233) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1696 mssecsvc.exe 2600 mssecsvc.exe 2528 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A923B1D-C92F-45D4-9F9F-E7435FE5ECBE}\WpadDecisionTime = 102532181abcda01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-5a-bd-a4-4e-e1 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0086000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A923B1D-C92F-45D4-9F9F-E7435FE5ECBE} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-5a-bd-a4-4e-e1\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A923B1D-C92F-45D4-9F9F-E7435FE5ECBE}\fe-5a-bd-a4-4e-e1 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A923B1D-C92F-45D4-9F9F-E7435FE5ECBE}\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A923B1D-C92F-45D4-9F9F-E7435FE5ECBE}\WpadDecision = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0A923B1D-C92F-45D4-9F9F-E7435FE5ECBE}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-5a-bd-a4-4e-e1\WpadDecisionTime = 102532181abcda01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-5a-bd-a4-4e-e1\WpadDecision = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2244 wrote to memory of 2052 2244 rundll32.exe rundll32.exe PID 2244 wrote to memory of 2052 2244 rundll32.exe rundll32.exe PID 2244 wrote to memory of 2052 2244 rundll32.exe rundll32.exe PID 2244 wrote to memory of 2052 2244 rundll32.exe rundll32.exe PID 2244 wrote to memory of 2052 2244 rundll32.exe rundll32.exe PID 2244 wrote to memory of 2052 2244 rundll32.exe rundll32.exe PID 2244 wrote to memory of 2052 2244 rundll32.exe rundll32.exe PID 2052 wrote to memory of 1696 2052 rundll32.exe mssecsvc.exe PID 2052 wrote to memory of 1696 2052 rundll32.exe mssecsvc.exe PID 2052 wrote to memory of 1696 2052 rundll32.exe mssecsvc.exe PID 2052 wrote to memory of 1696 2052 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9ec3170c7181621e1f861af2a4ecda6b_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9ec3170c7181621e1f861af2a4ecda6b_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1696 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2528
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2600
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD535ecbdb339259c32061e266b21044e46
SHA176cf2b8db383c21a4d75831fcbeb4f8117c5b117
SHA256eee04d5e53f7e656af273c1e67ec59fd17bf8f6a4826f53683f803e6347d13bb
SHA51223540df035bb101d50a0cf1de4ac2875e9cbaaf9ab18ce2a4af6f7c94e13d9a94af6503620c87bfe6283da9e86c0b19e0fb378ccb8fd4785e707938721fe209f
-
Filesize
3.4MB
MD5824625f642157acd1ec61065a88dcbb8
SHA198c8c4af6e320ad58b59a062819eed61e87eb1f1
SHA256bbccf5138be62684e4fba25f68beb39767a95ef7def084ee67e8baeae5c3423a
SHA512e5c646ba68d6e5efd8d03b1aca2f5bdd6cd6ac33b48765a222c584b596a9320bba56b5ebbec827fcde4f97e8bcab12202f1cd472111e0bbc5173b5dd926bf6ba