Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system -
submitted
12-06-2024 07:18
Static task
static1
Behavioral task
behavioral1
Sample
9fdf1f2ad7cd5225a57c91e333de2f44_JaffaCakes118.dll
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
9fdf1f2ad7cd5225a57c91e333de2f44_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
9fdf1f2ad7cd5225a57c91e333de2f44_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
9fdf1f2ad7cd5225a57c91e333de2f44
-
SHA1
4651877bfa78921e926e19f655676c6025f4a747
-
SHA256
f6167721226b978b2225c31a8d9f94833de9555cf83186fff8970a7c41043fd4
-
SHA512
35c56b13c14ed3159e8bcd72cccb5bfd4c6240448c24338c4c6ac8d2562f551e4d0a15d3a449659463cfb507c28d75422c5d6cc22c263f1d8f1f8c9e960d8ba9
-
SSDEEP
98304:TDqPoBhz1aRxcSUDk36SAEdhvxWi593R8yAVp2H:TDqPe1Cxcxk3ZAEUizR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large number (3313) of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
pid   process
2140  mssecsvc.exe
2656  mssecsvc.exe
2784  tasksche.exe
-
Creates a large number of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
description                   ioc                                                                                                              process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description   ioc                       process
File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
-
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exe (all 24 entries)
description       ioc
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\WpadDecisionReason = "1"
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\WpadDecisionTime = c0c099bd98bcda01
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\WpadNetworkName = "Network 3"
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\76-01-0c-0e-65-4b
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-01-0c-0e-65-4b\WpadDecisionReason = "1"
Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-01-0c-0e-65-4b\WpadDecisionTime = c0c099bd98bcda01
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-01-0c-0e-65-4b\WpadDecision = "0"
Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\WpadDecision = "0"
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-01-0c-0e-65-4b
Every entry is a WinINet / WPAD proxy-autodetection setting, and all of them land under HKEY_USERS\.DEFAULT, the profile hive used by processes running as LocalSystem rather than as the submitting user. That is consistent with the report crediting these writes to the "-m security" instance of mssecsvc.exe (PID 2656) and with the counters.dat write under SysWOW64\config\systemprofile: the second instance runs in the service context, not under the interactive user.
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
source pid  source process  target pid  target process  write events
3020        rundll32.exe    3044        rundll32.exe    7
3044        rundll32.exe    2140        mssecsvc.exe    4
(11 IoCs in total; the sandbox records each WriteProcessMemory call as a separate line.)
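The two network signatures above rest on one measurement: a single process reaching an unusually large number of distinct remote hosts in a short time (3313 in this run). The script below is an added example and not the sandbox's own code. It applies that heuristic to flow records that are constructed inline to resemble this run, a /24 sweep from a process named after the dropped binary next to ordinary browser traffic. The destination port 445, the browser image path, the host/port/time thresholds and the flow-record shape are all assumptions; the report itself records only the host count.

```python
"""Network fan-out heuristic.  Added example, not sandbox code.

Flow logs (NetFlow, Zeek conn.log, Sysmon event 3) reduce to rows of
(time, pid, image, dst, port); the check below runs on that shape.
The flows are constructed to resemble the report, not captured traffic.
"""
import ipaddress
from collections import defaultdict


def make_sample_flows():
    """Constructed input: one process sweeping a /24 on TCP 445 (200 hosts,
    one port, about two seconds) and a browser talking to three hosts on
    80/443.  Port 445 and the browser path are assumptions."""
    flows, t = [], 0.0
    for host in range(1, 201):
        flows.append((t, 2140, r"C:\WINDOWS\mssecsvc.exe", f"10.0.0.{host}", 445))
        t += 0.01
    for host in ("198.51.100.7", "203.0.113.9", "192.0.2.44"):   # RFC 5737 test addresses
        for port in (443, 80):
            flows.append((t, 4100, r"C:\Program Files\Browser\browser.exe", host, port))
            t += 0.5
    return flows


def detect_scans(flows, min_hosts=100, max_ports=2, max_seconds=120.0):
    """Flag any process that reaches at least min_hosts distinct hosts on at
    most max_ports distinct ports within max_seconds.  The port bound separates
    a service sweep (many hosts, one port) from a busy client (few hosts, many
    ports).  Thresholds are assumptions and need tuning per environment."""
    per_proc = defaultdict(lambda: {"hosts": set(), "ports": set(), "first": None, "last": None})
    for ts, pid, image, dst, port in flows:
        p = per_proc[(pid, image)]
        p["hosts"].add(dst)
        p["ports"].add(port)
        p["first"] = ts if p["first"] is None else min(p["first"], ts)
        p["last"] = ts if p["last"] is None else max(p["last"], ts)

    findings = []
    for (pid, image), p in per_proc.items():
        span = p["last"] - p["first"]
        if len(p["hosts"]) >= min_hosts and len(p["ports"]) <= max_ports and span <= max_seconds:
            # Count the /24s touched: a sweep of one or two subnets reads differently
            # from scattered Internet destinations.  IPv4 only for the /24 arithmetic.
            subnets = {ipaddress.ip_network(f"{h}/24", strict=False)
                       for h in p["hosts"] if ipaddress.ip_address(h).version == 4}
            findings.append({
                "pid": pid, "image": image,
                "hosts": len(p["hosts"]), "ports": sorted(p["ports"]),
                "subnets": len(subnets), "seconds": round(span, 2),
            })
    return findings


if __name__ == "__main__":
    for f in detect_scans(make_sample_flows()):
        print(f"scan-like fan-out: pid={f['pid']} {f['image']} reached {f['hosts']} hosts "
              f"in {f['subnets']} subnet(s) on ports {f['ports']} within {f['seconds']}s")
```

On the constructed input only the sweeping process is reported; the browser stays under both the host and the port bound. In production the (pid, image) key should also carry a host name and a logon id, and the time window should be sliding rather than first-to-last, otherwise a long-lived process accumulates hosts over hours and either trips the rule late or never.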
Processes
-
C:\Windows\system32\rundll32.exe  (PID 3020)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fdf1f2ad7cd5225a57c91e333de2f44_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (PID 3044, child of 3020)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fdf1f2ad7cd5225a57c91e333de2f44_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
        C:\WINDOWS\mssecsvc.exe  (PID 2140, child of 3044)
          command line: C:\WINDOWS\mssecsvc.exe
          - Executes dropped EXE
          - Drops file in Windows directory
            C:\WINDOWS\tasksche.exe  (PID 2784, child of 2140)
              command line: C:\WINDOWS\tasksche.exe /i
              - Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exe  (PID 2656, top level, no parent in the rundll32 chain)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Reading the tree: the sample DLL is invoked through rundll32 by export ordinal (",#1"), not by name. The 64-bit rundll32 in system32 hands off to the 32-bit copy in SysWOW64, which is the hand-off rundll32 performs for a 32-bit DLL, and it is the WOW64 instance (3044) that writes C:\WINDOWS\mssecsvc.exe and starts it. The dropped binary (2140) in turn writes and runs C:\WINDOWS\tasksche.exe /i. The second mssecsvc.exe instance (2656, "-m security") appears at the top level with no parent in the chain and is the one credited with the HKEY_USERS and System32 writes, which is the behaviour to expect from a copy started as a service.
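The chain above is what a process-creation detection should key on rather than the file hashes: rundll32 loading a DLL from a user-writable path by ordinal, rundll32 spawning an executable from outside the trusted system directories, and executables that sit directly in the Windows root. The script below is an added example, not sandbox output or code. It rebuilds the tree from process-creation records constructed from the report (PIDs are the report's; the parent PIDs 1000 and 600 for the two top-level processes are assumed, since the report does not show them) and applies those three checks. The allowlist of legitimate Windows-root binaries is an assumed starting baseline.

```python
"""Process-chain checks for the tree above.  Added example, not sandbox code.

Input: process-creation records (pid, ppid, image, command line), the shape of
Sysmon event 1 or Security 4688 after parsing.  Records are constructed from
the report's tree; parents 1000 and 600 of the two roots are assumed.
"""
import ntpath
import re
from collections import defaultdict

DLL = r"C:\Users\Admin\AppData\Local\Temp\9fdf1f2ad7cd5225a57c91e333de2f44_JaffaCakes118.dll"

EVENTS = [
    (3020, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    (3044, 3020, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    (2140, 3044, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    (2784, 2140, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    (2656, 600,  r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
]

RUNDLL_CMD    = re.compile(r'^\S*rundll32(?:\.exe)?\s+"?([^",]+)"?,', re.I)  # rundll32.exe <dll>,<entry>
ORDINAL_ENTRY = re.compile(r",#\d+\s*$")                                      # entry given as export ordinal
USER_DIR      = re.compile(r"^[A-Za-z]:\\Users\\", re.I)                      # user-writable location
WINDOWS_ROOT  = re.compile(r"^[A-Za-z]:\\Windows\\[^\\]+\.exe$", re.I)        # directly under \Windows
TRUSTED_DIRS  = re.compile(r"^[A-Za-z]:\\(?:Windows\\(?:System32|SysWOW64)|Program Files(?: \(x86\))?)\\", re.I)
# Assumed baseline of binaries that legitimately live in the Windows root; extend from a clean host.
KNOWN_WINDOWS_ROOT = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe",
                      "write.exe", "splwow64.exe", "bfsvc.exe", "winhlp32.exe"}


def dll_from_rundll32(cmdline):
    """DLL path from a rundll32 command line, or None if it does not parse."""
    m = RUNDLL_CMD.match(cmdline)
    return m.group(1) if m else None


def chain(pid, by_pid):
    """'ancestor > ... > pid' image names, from the top of the known tree down."""
    names = []
    while pid in by_pid:
        names.append(ntpath.basename(by_pid[pid][2]))
        pid = by_pid[pid][1]
    return " > ".join(reversed(names))


def detect(events):
    """Return (rule, pid, chain) tuples for the three chain-level checks."""
    by_pid = {e[0]: e for e in events}
    children = defaultdict(list)
    for pid, ppid, _image, _cmd in events:
        children[ppid].append(pid)

    findings = []
    for pid, _ppid, image, cmd in events:
        base = ntpath.basename(image).lower()
        if base == "rundll32.exe":
            # 1. rundll32 loading a DLL from a user-writable path by export ordinal.
            dll = dll_from_rundll32(cmd)
            if dll and USER_DIR.match(dll) and ORDINAL_ENTRY.search(cmd):
                findings.append(("rundll32_ordinal_from_user_dir", pid, chain(pid, by_pid)))
            # 2. rundll32 spawning an .exe from outside System32 / SysWOW64 / Program Files.
            for child in children[pid]:
                cimage = by_pid[child][2]
                if cimage.lower().endswith(".exe") and not TRUSTED_DIRS.match(cimage):
                    findings.append(("untrusted_exe_spawned_by_rundll32", child, chain(child, by_pid)))
        # 3. An .exe directly in the Windows root that is not in the known baseline.
        if WINDOWS_ROOT.match(image) and base not in KNOWN_WINDOWS_ROOT:
            findings.append(("exe_in_windows_root", pid, chain(pid, by_pid)))
    return findings


if __name__ == "__main__":
    for rule, pid, path in detect(EVENTS):
        print(f"{rule:36} pid={pid:<5} {path}")
```

Rule 2 deliberately inspects the child, not rundll32 itself, so the 64-bit to SysWOW64 hand-off (3020 to 3044) is not reported while the drop-and-execute step (3044 to 2140) is. Rule 3 fires for all three dropped-binary instances, including the "-m security" one that has no rundll32 ancestor, which is why it is kept independent of the chain.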
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.6MB
MD5     39ba95f0b586a2ef517bb30c2c4a54db
SHA1    9ab4814d46a4423a560db516ecceaebe651ffa8b
SHA256  3ba8288b842ff843cc7e4070614a8fa505e1ef9a1665bc8927e54b4dd5fd012c
SHA512  9f335276ed609c0d406bc7d5ef1a59f8bb8ca352465d67747b4fa7ff7a188f5555323e5ce3d30833a3919e6fd86219d64a6ccbc955cd269fb953c02f7a77b29d
-
Filesize
3.4MB
MD5     9ec7a921022993aaabd0f0937f5194da
SHA1    53db809fedaa756916df059b8c73b48ae76d2ce6
SHA256  967658e37edaa8aea880275da688ede7dc01b65bd83ae06e313d673c0066bed7
SHA512  497da606fadf43aadbf581cff77342c57c1dc7139814e122da842fa579c3b5ac41768b4e345f9d676c706ea16faf42f3cbb86354f792b238e29837b15103b308