Analysis
  max time kernel: 150s
  max time network: 155s
  platform: windows7_x64
  resource: win7-20240611-en
  resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  submitted: 13-06-2024 21:48
Static task: static1
Behavioral task: behavioral1
  Sample: a6bb8f21546c00b09a06e3401f3ee8e7_JaffaCakes118.dll
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: a6bb8f21546c00b09a06e3401f3ee8e7_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
General
  Target: a6bb8f21546c00b09a06e3401f3ee8e7_JaffaCakes118.dll
  Size: 5.0MB
  MD5: a6bb8f21546c00b09a06e3401f3ee8e7
  SHA1: f12cb293494c713cd4224e2bf1db3b968288a20e
  SHA256: 671f4737d788a6a7b5fb7b2c04fd9e69473d8de8b9e1a2f2b2eeb75322cdfb57
  SHA512: 07bd5f4aa30c3d9ff45320626024a126742561ba630b2d2c69732acf1b5dbfc075f9baa643fc0bec15ccee28df0f5cc8e54f319dfcb741665b7fdcee94cf9b2e
  SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8:+DqPe1Cxcxk3ZAEUadzR8
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3166) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    1700  mssecsvc.exe
    2620  mssecsvc.exe
    2728  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes:
    description                   ioc                                                                                                                     process
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes:
    description       ioc                                                                                                                                               process
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"                     mssecsvc.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5EDDF476-43FB-43FA-9D71-9C1361D02203}                  mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5EDDF476-43FB-43FA-9D71-9C1361D02203}\WpadDecisionReason = "1"  mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"                                            mssecsvc.exe
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix                                mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-66-71-aa-0a-5d\WpadDecisionTime = 3031f984dbbdda01   mssecsvc.exe
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                                                     mssecsvc.exe
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad                                                         mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"                    mssecsvc.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-66-71-aa-0a-5d                                       mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-66-71-aa-0a-5d\WpadDecisionReason = "1"               mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-66-71-aa-0a-5d\WpadDecision = "0"                     mssecsvc.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings                                                              mssecsvc.exe
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings                                                              mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"                                  mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"                                     mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5EDDF476-43FB-43FA-9D71-9C1361D02203}\WpadDecisionTime = 3031f984dbbdda01  mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5EDDF476-43FB-43FA-9D71-9C1361D02203}\WpadDecision = "0"  mssecsvc.exe
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5EDDF476-43FB-43FA-9D71-9C1361D02203}\WpadNetworkName = "Network 3"  mssecsvc.exe
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections                                                  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5EDDF476-43FB-43FA-9D71-9C1361D02203}\6e-66-71-aa-0a-5d  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                   pid   process       target process
    PID 2176 wrote to memory of 2204  2176  rundll32.exe  rundll32.exe
    PID 2176 wrote to memory of 2204  2176  rundll32.exe  rundll32.exe
    PID 2176 wrote to memory of 2204  2176  rundll32.exe  rundll32.exe
    PID 2176 wrote to memory of 2204  2176  rundll32.exe  rundll32.exe
    PID 2176 wrote to memory of 2204  2176  rundll32.exe  rundll32.exe
    PID 2176 wrote to memory of 2204  2176  rundll32.exe  rundll32.exe
    PID 2176 wrote to memory of 2204  2176  rundll32.exe  rundll32.exe
    PID 2204 wrote to memory of 1700  2204  rundll32.exe  mssecsvc.exe
    PID 2204 wrote to memory of 1700  2204  rundll32.exe  mssecsvc.exe
    PID 2204 wrote to memory of 1700  2204  rundll32.exe  mssecsvc.exe
    PID 2204 wrote to memory of 1700  2204  rundll32.exe  mssecsvc.exe
Processes
  C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6bb8f21546c00b09a06e3401f3ee8e7_JaffaCakes118.dll,#1
    - Suspicious use of WriteProcessMemory
    PID: 2176
    C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6bb8f21546c00b09a06e3401f3ee8e7_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 2204
      C:\WINDOWS\mssecsvc.exe
        command line: C:\WINDOWS\mssecsvc.exe
        - Executes dropped EXE
        - Drops file in Windows directory
        PID: 1700
        C:\WINDOWS\tasksche.exe
          command line: C:\WINDOWS\tasksche.exe /i
          - Executes dropped EXE
          PID: 2728
  C:\WINDOWS\mssecsvc.exe
    command line: C:\WINDOWS\mssecsvc.exe -m security
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID: 2620
Network
MITRE ATT&CK Enterprise v15
Downloads
  - Filesize: 3.6MB
    MD5: 64db244c8798dca9f01eb9bf2af3d270
    SHA1: ce2b6de66cf42ee926812dd5efbc9dd6ffdf39fa
    SHA256: e516678b8a98552bdb62532737a087b7e92674358d9a0aa1d9d2e853ddc8879a
    SHA512: 138d9f46e844e162d4419ba75e7ebb5958c3e2e6175c2ffd33f8b094ce8816d223f8979f82952fb26b2981e10031d77a81567a9687a335500a90d400e3972a26
  - Filesize: 3.4MB
    MD5: 70e3273a2cf7fa7da9831d3f9966b6d5
    SHA1: 46f15d6844d44571ddc32d14a1cd0b60e1c28a5c
    SHA256: efc32ad7e0d5f9d866ff78689bdea877ca1746a756deb470c6d3258b64237a2b
    SHA512: 0de9f16e33d397b6a1809eed33c7dce3fb9098864bdff765c6278bd1456bc9f3eb6bd47684626f93357567c145f67c2981f8e99f73e0a8cb1caea4a4ca8d5979