Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 21:52
Static task: static1
Behavioral task: behavioral1
  Sample: a6be621dee55c1f80332d68ad4853cd3_JaffaCakes118.dll
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: a6be621dee55c1f80332d68ad4853cd3_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: a6be621dee55c1f80332d68ad4853cd3_JaffaCakes118.dll
- Size: 5.0MB
- MD5: a6be621dee55c1f80332d68ad4853cd3
- SHA1: 3681f967a87ab6c3b07dcd9aacf9da30adeb8272
- SHA256: 53a43ff0c9043a537995558a6ad94dd9a41668c1f5cd4d195db7fbf2b066aa09
- SHA512: 1cf81fcd97c7ada68cd596d22a66a28975ba3c7a852e731c22cc0640c5d884a773143acb74ebbddadb1d856f9580665c605f7c68ca6d9faaa794268356acb444
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6Zdw:+DqPoBhz1aRxcSUDk36Zd
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3107) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2216  mssecsvc.exe
    2768  mssecsvc.exe
    2636  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc; all by mssecsvc.exe):
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0063000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-c8-c6-15-98-02\WpadDecisionReason = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-c8-c6-15-98-02\WpadDecision = "0"
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{78B4C484-519F-49DE-868B-A495AC5EA28C}\WpadDecisionTime = 50228ff6dbbdda01
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{78B4C484-519F-49DE-868B-A495AC5EA28C}\WpadDecision = "0"
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-c8-c6-15-98-02
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{78B4C484-519F-49DE-868B-A495AC5EA28C}\fe-c8-c6-15-98-02
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{78B4C484-519F-49DE-868B-A495AC5EA28C}
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-c8-c6-15-98-02\WpadDecisionTime = 50228ff6dbbdda01
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{78B4C484-519F-49DE-868B-A495AC5EA28C}\WpadDecisionReason = "1"
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{78B4C484-519F-49DE-868B-A495AC5EA28C}\WpadNetworkName = "Network 3"
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 1752 (rundll32.exe) wrote to memory of PID 2076 (rundll32.exe), 7 events
    PID 2076 (rundll32.exe) wrote to memory of PID 2216 (mssecsvc.exe), 4 events
Processes
(indentation shows the parent/child process tree)

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6be621dee55c1f80332d68ad4853cd3_JaffaCakes118.dll,#1
  PID: 1752
  Signatures:
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6be621dee55c1f80332d68ad4853cd3_JaffaCakes118.dll,#1
      PID: 2076
      Signatures:
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory

        C:\WINDOWS\mssecsvc.exe
          Command line: C:\WINDOWS\mssecsvc.exe
          PID: 2216
          Signatures:
          - Executes dropped EXE
          - Drops file in Windows directory

            C:\WINDOWS\tasksche.exe
              Command line: C:\WINDOWS\tasksche.exe /i
              PID: 2636
              Signatures:
              - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2768
  Signatures:
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: ebf75c92f4213abfde5ec3683d1895cd
  SHA1: 69bc8bcfbddcccc9f93439774a37ab39cdad68cd
  SHA256: de1739f2ce3460e346b2a83534fda7b2e8df38cf29a72c9af656f4a61fb096a2
  SHA512: 70abd0523a2c83795feeb0199f3f4a437a5a79466e621f254f8a729afe7c919f650727d48185c709c37901f2648f1a04086a87c9e344d684ffacbd75d4204fed
- Filesize: 3.4MB
  MD5: bfd12eec647e9b9dc582825cc81fe572
  SHA1: 27a230982c4ef22505a0cfa643f1befd9b88b8a7
  SHA256: 123bc427265409ec28a20d5b78a51ca72b955f0c7950f0f0e77ca86466f5ba34
  SHA512: a1697efce3bd39a4ec02c9719c2db3c2dfb9eacac2fd0c1752c63d2baa6013cd80801ec7f7ea90d778fa20bbdf78bbaefb8d8d4490ee57e351b06d23e4fdf652