Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 12-06-2024 20:09

Static task: static1
Behavioral task: behavioral1
  Sample: a224f55dd526688e4a378e8b7c5c147b_JaffaCakes118.dll
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: a224f55dd526688e4a378e8b7c5c147b_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
(The signatures and process tree on this page are from the windows7_x64 run, behavioral1.)
General
Target: a224f55dd526688e4a378e8b7c5c147b_JaffaCakes118.dll
Size: 5.0MB
MD5: a224f55dd526688e4a378e8b7c5c147b
SHA1: 0ecc4f4e6c3b32466fc52ccad4694c9fa243b612
SHA256: bb9d030583fc0fd55a9ce8bf09176eec01f950512f10951529f88ebbe7ac8d2b
SHA512: 06df1063c05b3ba1fb4c42b480a98879ef0de952a70776986652040f06a54fed8cb36c8cbe1f793c90521e6a71f4e8ad66c1bafbc2ae8e30045431eb9593e804
SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG8Y/L9RZ:SnAQqMSPbcBVQejf/L9RZ
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3123) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   process
    2024  mssecsvc.exe
    2080  mssecsvc.exe
    2604  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes:
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe (every entry below)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2E625DAF-86A2-4D66-8FA4-D56516B5073F}
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2E625DAF-86A2-4D66-8FA4-D56516B5073F}\WpadDecisionReason = "1"
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2E625DAF-86A2-4D66-8FA4-D56516B5073F}\72-c6-2e-26-bc-6a
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-c6-2e-26-bc-6a\WpadDecisionReason = "1"
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2E625DAF-86A2-4D66-8FA4-D56516B5073F}\WpadDecision = "0"
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-c6-2e-26-bc-6a
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-c6-2e-26-bc-6a\WpadDecisionTime = d0ed947d04bdda01
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-c6-2e-26-bc-6a\WpadDecision = "0"
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0065000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2E625DAF-86A2-4D66-8FA4-D56516B5073F}\WpadDecisionTime = d0ed947d04bdda01
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2E625DAF-86A2-4D66-8FA4-D56516B5073F}\WpadNetworkName = "Network 3"
  Note: the ZoneMap, Wpad and Connections values under the .DEFAULT hive, together with the counters.dat write under the systemprofile directory above, are the artifacts WinINet leaves when it initialises and runs proxy auto-detection for an account that has no user profile. They show that this mssecsvc.exe instance (PID 2080) used WinINet from a LocalSystem context; they are not evidence of a deliberate proxy or zone change by the malware.
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 236 (rundll32.exe) wrote to memory of PID 1648 (rundll32.exe), 7 times
    PID 1648 (rundll32.exe) wrote to memory of PID 2024 (mssecsvc.exe), 4 times
  Note: both pairs are parent-to-child writes that accompany process creation: the 64-bit C:\Windows\system32\rundll32.exe re-launching the 32-bit SysWOW64 rundll32.exe with the same command line (consistent with a 32-bit DLL), and that instance launching the dropped mssecsvc.exe. The signature does not by itself show injection into an unrelated process.
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a224f55dd526688e4a378e8b7c5c147b_JaffaCakes118.dll,#1
  PID: 236
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a224f55dd526688e4a378e8b7c5c147b_JaffaCakes118.dll,#1
    PID: 1648
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2024
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2604
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2080
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
The sample is entered through export ordinal #1 of the DLL (the ",#1" argument to rundll32.exe). The second mssecsvc.exe instance (PID 2080, "-m security") is a separate root of the tree rather than a child of the rundll32 chain, and it is the instance that writes the HKEY_USERS and systemprofile artifacts listed above; this is consistent with the dropped binary having been registered and started as a service.
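The signatures above ("Executes dropped EXE", "Contacts a large number of remote hosts") and the process tree are the kind of behaviour a host-based rule can catch before a ransomware payload runs. The following is an added example, not code from the sandbox or from the sample: a small detection pass in Python over a constructed, Sysmon-style event stream modelled on this report's tree. PIDs, image paths and command lines are taken from the report; the parent PIDs 1000 and 1001, the event schema, the 100-host threshold and every destination host are assumptions chosen for the example.

```python
"""Added example: detect dropped-EXE execution, rundll32 lineage into the
Windows directory, and host fan-out over constructed process/file/network
events modelled on the sandbox report above."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "proc_create" | "file_create" | "net_connect"
    pid: int
    ppid: int = 0        # proc_create only
    image: str = ""      # proc_create: started image; file_create: created path
    cmdline: str = ""
    dst: str = ""        # net_connect: destination host


def norm(path: str) -> str:
    """Windows paths are case-insensitive; compare them in one case."""
    return path.replace("/", "\\").lower()


def ancestors(pid: int, parent_of: dict, image_of: dict) -> list:
    """Walk ppid links upward and return ancestor image paths, nearest first.
    Stops at an unknown parent or on a cycle."""
    chain, seen = [], set()
    while pid in parent_of and pid not in seen:
        seen.add(pid)
        pid = parent_of[pid]
        if pid in image_of:
            chain.append(image_of[pid])
    return chain


def analyse(events, host_threshold=100):
    """Return a list of alert tuples for the three checks."""
    created = {}                      # normalised path -> pid that created it
    parent_of, image_of = {}, {}
    hosts = defaultdict(set)          # pid -> distinct destinations
    alerts = []
    for ev in events:
        if ev.kind == "file_create":
            created[norm(ev.image)] = ev.pid
        elif ev.kind == "proc_create":
            parent_of[ev.pid] = ev.ppid
            image_of[ev.pid] = ev.image
            img = norm(ev.image)
            # 1. "Executes dropped EXE": image was written earlier in this run
            if img in created:
                alerts.append(("dropped_exe_executed", ev.pid, created[img], ev.image))
            # 2. rundll32 lineage: binary directly in C:\Windows, ancestor is rundll32
            chain = ancestors(ev.pid, parent_of, image_of)
            in_windows_root = img.startswith("c:\\windows\\") and img.count("\\") == 2
            if in_windows_root and any(norm(a).endswith("\\rundll32.exe") for a in chain):
                alerts.append(("rundll32_dropped_binary_lineage", ev.pid, ev.image))
        elif ev.kind == "net_connect":
            hosts[ev.pid].add(ev.dst)
    # 3. "Contacts a large number of remote hosts": fan-out per process
    for pid, dsts in hosts.items():
        if len(dsts) >= host_threshold:
            alerts.append(("possible_network_scan", pid, len(dsts)))
    return alerts


def sample_events():
    """Constructed event stream modelled on the report's process tree.
    Parent PIDs 1000/1001 and all destination hosts are synthetic."""
    dll = r"C:\Users\Admin\AppData\Local\Temp\a224f55dd526688e4a378e8b7c5c147b_JaffaCakes118.dll"
    ev = [
        Event("proc_create", 236, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {dll},#1"),
        Event("proc_create", 1648, 236, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {dll},#1"),
        Event("file_create", 1648, image=r"C:\WINDOWS\mssecsvc.exe"),
        Event("proc_create", 2024, 1648, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
        Event("file_create", 2024, image=r"C:\WINDOWS\tasksche.exe"),
        Event("proc_create", 2604, 2024, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
        # second mssecsvc.exe is a separate root in the report (no rundll32 parent)
        Event("proc_create", 2080, 1001, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    ]
    # synthetic fan-out: PID 2080 reaches 300 distinct hosts, PID 236 only two
    ev += [Event("net_connect", 2080, dst=f"10.0.{i // 256}.{i % 256}") for i in range(300)]
    ev += [Event("net_connect", 236, dst=h) for h in ("10.0.9.1", "10.0.9.2")]
    return ev


if __name__ == "__main__":
    for alert in analyse(sample_events()):
        print(alert)
```

The dropped-EXE check fires for PID 2080 as well as PID 2024, because it keys on the file path created earlier in the run rather than on the parent chain; the lineage check fires only for the two processes under rundll32.exe. Both need the file-creation event to precede the process start, which is why the pass is order-sensitive and should be fed a time-ordered stream.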
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 85f159ef2b23af3464c15120bc50f3b5
  SHA1: 0c0e3371da82e6f1e58fe3c106e83bb2a8ed3066
  SHA256: fb12bdcdee97e89b121d4c10f368f0283e88a071ffbafea11c612405f237bb71
  SHA512: ae75a0962eb4d73d425075b1a68b1b8952ea35aa44b0c5372e35d1cb3bccdf3e7b211ef2983a11d884c6bf57e6523e548ff80e24270703fb47b306767b55c05f
- Filesize: 3.4MB
  MD5: da515bbd80011c8497b37e9e676432fd
  SHA1: 237c4896417a5778109b5a88cc63877012029a68
  SHA256: e3fae9abafdefdb33a2bc9cf27cb6a3d60f3ccf922448b1726a79f5e99cdd1aa
  SHA512: 195a87b8096753993567431db670ba5cde8851334da1ee08cfdd128001f11700acd63a126a3a6b6118d9b87dadfa773945370d21417d5580e5c4644f8a3b458a