Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 12-06-2024 19:44

Static task: static1

Behavioral task: behavioral1
  Sample: a20b24cffc7f39f8b9770622bce4fac6_JaffaCakes118.dll
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: a20b24cffc7f39f8b9770622bce4fac6_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: a20b24cffc7f39f8b9770622bce4fac6_JaffaCakes118.dll
- Size: 5.0MB
- MD5: a20b24cffc7f39f8b9770622bce4fac6
- SHA1: 5f94efb55dc739d410965dc8d04f6488fe644c10
- SHA256: 8eb1994a3284c0bf23db46611b9d425c73e7d3da7150773106e94783b804934a
- SHA512: 8199bc3e8a89dabf45c02f29693103c74a5c721fc6acf99c72a192d52e9d79ab4529445370363b72a2b8735defff08c14c4047dea4dff6d9ccda60de4bbaf083
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yA:+DqPe1Cxcxk3ZAEUadzR8y
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (2665) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes:
    pid  | process
    2092 | mssecsvc.exe
    2584 | mssecsvc.exe
    1908 | tasksche.exe

- Drops file in System32 directory (1 IoC)
  Processes:
    description                  | ioc                                                                                                                        | process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe

- Drops file in Windows directory (2 IoCs)
  Processes:
    description  | ioc                      | process
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe

- Modifies data under HKEY_USERS (24 IoCs)
  Processes:
    description      | ioc | process
    Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f009d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1FB8A42F-EB9A-4AA7-8DEC-BDC0879369E9} | mssecsvc.exe
    Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-f7-ef-12-bd-5b\WpadDecisionReason = "1" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
    Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
    Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
    Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1FB8A42F-EB9A-4AA7-8DEC-BDC0879369E9}\WpadDecision = "0" | mssecsvc.exe
    Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-f7-ef-12-bd-5b | mssecsvc.exe
    Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1FB8A42F-EB9A-4AA7-8DEC-BDC0879369E9}\46-f7-ef-12-bd-5b | mssecsvc.exe
    Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
    Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-f7-ef-12-bd-5b\WpadDecisionTime = f0eaab0601bdda01 | mssecsvc.exe
    Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
    Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
    Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1FB8A42F-EB9A-4AA7-8DEC-BDC0879369E9}\WpadNetworkName = "Network 3" | mssecsvc.exe
    Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1FB8A42F-EB9A-4AA7-8DEC-BDC0879369E9}\WpadDecisionReason = "1" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1FB8A42F-EB9A-4AA7-8DEC-BDC0879369E9}\WpadDecisionTime = f0eaab0601bdda01 | mssecsvc.exe
    Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-f7-ef-12-bd-5b\WpadDecision = "0" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                       | pid  | process      | target process
    PID 2072 wrote to memory of 2952 | 2072 | rundll32.exe | rundll32.exe
    PID 2072 wrote to memory of 2952 | 2072 | rundll32.exe | rundll32.exe
    PID 2072 wrote to memory of 2952 | 2072 | rundll32.exe | rundll32.exe
    PID 2072 wrote to memory of 2952 | 2072 | rundll32.exe | rundll32.exe
    PID 2072 wrote to memory of 2952 | 2072 | rundll32.exe | rundll32.exe
    PID 2072 wrote to memory of 2952 | 2072 | rundll32.exe | rundll32.exe
    PID 2072 wrote to memory of 2952 | 2072 | rundll32.exe | rundll32.exe
    PID 2952 wrote to memory of 2092 | 2952 | rundll32.exe | mssecsvc.exe
    PID 2952 wrote to memory of 2092 | 2952 | rundll32.exe | mssecsvc.exe
    PID 2952 wrote to memory of 2092 | 2952 | rundll32.exe | mssecsvc.exe
    PID 2952 wrote to memory of 2092 | 2952 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a20b24cffc7f39f8b9770622bce4fac6_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2072
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a20b24cffc7f39f8b9770622bce4fac6_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    PID: 2952
    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      PID: 2092
      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
        PID: 1908

- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
  PID: 2584
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 09955f5c8a9b171f8ab35d0638ada772
  SHA1: de5aa3c7c370bb0da07dc3c1005017c37d2f4bff
  SHA256: 57bd7332eb81af59a39e72b0fcb63bc7066597ba31a4a52d8c1faf0240d3f11e
  SHA512: b88cbf801b00f1aa912496dffaef1a14eed455d5a32361c347086890f2b08fa75338aea607a09bed063c88ddaf4014ccd74787b049816e23acf3e475c8d0c9ef

- Filesize: 3.4MB
  MD5: c30669a39629363265e7f9e755ae99a2
  SHA1: 19ff8f6d093ca297e8194041888463f4f8c01b45
  SHA256: 66627ffeba57f450c876618acde5ec7b39db514a52872c05bc716abd909620d2
  SHA512: 182c5f2cd451861ec1d598ddd29bae51edc5067d2ae680b67ac67dca2125a845777faae7d390518e4de0cc6858d86a2c37cbea6df236be294e38ea722057e161