Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 00:44
Static task: static1
Behavioral task: behavioral1
- Sample: a33573e465729d000fef090310806c4b_JaffaCakes118.dll
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: a33573e465729d000fef090310806c4b_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: a33573e465729d000fef090310806c4b_JaffaCakes118.dll
- Size: 5.0MB
- MD5: a33573e465729d000fef090310806c4b
- SHA1: e4351639982969ccd0d22d1d4285a507ff860900
- SHA256: 2589efaaa4f3eee564c93ecd69241427dcbe44ff53ff4b32ecde8043e3902a7c
- SHA512: 670be76ec4f949a87620ffe2af3387ced914de7f42ad4adb19d9f36ead662ca49e6b187923ea1b45d931e4004d0f66b5e44ce2c42b4ea980cb0867c283265d96
- SSDEEP: 98304:+DqPoBhz1a0TBBBBBBBBBBBBBBcBBBBBBBBBBBBBBVfBBBBBBBBBBBBBB5BBBBB+:+DqP21JBBBBBBBBBBBBBBcBBBBBBBBBK
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2666) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
Processes:

| pid | process |
| --- | --- |
| 3020 | mssecsvc.exe |
| 2672 | mssecsvc.exe |
| 2568 | tasksche.exe |
- Drops file in System32 directory (1 IoCs)
Processes:

| description | ioc | process |
| --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe |
- Drops file in Windows directory (2 IoCs)
Processes:

| description | ioc | process |
| --- | --- | --- |
| File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe |
| File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe |
- Modifies data under HKEY_USERS (24 IoCs)
Processes:

| description | ioc | process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00cf000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{971DD4CF-DE6A-4F56-80BC-B1C9E13BEF6C}\WpadDecisionReason = "1" | mssecsvc.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{971DD4CF-DE6A-4F56-80BC-B1C9E13BEF6C}\WpadDecisionTime = 80aa39eb2abdda01 | mssecsvc.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-f8-b3-3d-12-dd | mssecsvc.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-f8-b3-3d-12-dd\WpadDecisionTime = 80aa39eb2abdda01 | mssecsvc.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-f8-b3-3d-12-dd\WpadDecision = "0" | mssecsvc.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{971DD4CF-DE6A-4F56-80BC-B1C9E13BEF6C}\22-f8-b3-3d-12-dd | mssecsvc.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-f8-b3-3d-12-dd\WpadDecisionReason = "1" | mssecsvc.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{971DD4CF-DE6A-4F56-80BC-B1C9E13BEF6C}\WpadNetworkName = "Network 3" | mssecsvc.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{971DD4CF-DE6A-4F56-80BC-B1C9E13BEF6C}\WpadDecision = "0" | mssecsvc.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{971DD4CF-DE6A-4F56-80BC-B1C9E13BEF6C} | mssecsvc.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe |
- Suspicious use of WriteProcessMemory (11 IoCs)
Processes:

| description | pid | process | target process |
| --- | --- | --- | --- |
| PID 2456 wrote to memory of 1968 | 2456 | rundll32.exe | rundll32.exe |
| PID 2456 wrote to memory of 1968 | 2456 | rundll32.exe | rundll32.exe |
| PID 2456 wrote to memory of 1968 | 2456 | rundll32.exe | rundll32.exe |
| PID 2456 wrote to memory of 1968 | 2456 | rundll32.exe | rundll32.exe |
| PID 2456 wrote to memory of 1968 | 2456 | rundll32.exe | rundll32.exe |
| PID 2456 wrote to memory of 1968 | 2456 | rundll32.exe | rundll32.exe |
| PID 2456 wrote to memory of 1968 | 2456 | rundll32.exe | rundll32.exe |
| PID 1968 wrote to memory of 3020 | 1968 | rundll32.exe | mssecsvc.exe |
| PID 1968 wrote to memory of 3020 | 1968 | rundll32.exe | mssecsvc.exe |
| PID 1968 wrote to memory of 3020 | 1968 | rundll32.exe | mssecsvc.exe |
| PID 1968 wrote to memory of 3020 | 1968 | rundll32.exe | mssecsvc.exe |
Processes
- C:\Windows\system32\rundll32.exe (tree depth 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a33573e465729d000fef090310806c4b_JaffaCakes118.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  PID: 2456
  - C:\Windows\SysWOW64\rundll32.exe (tree depth 2)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a33573e465729d000fef090310806c4b_JaffaCakes118.dll,#1
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    PID: 1968
    - C:\WINDOWS\mssecsvc.exe (tree depth 3)
      command line: C:\WINDOWS\mssecsvc.exe
      signatures: Executes dropped EXE; Drops file in Windows directory
      PID: 3020
      - C:\WINDOWS\tasksche.exe (tree depth 4)
        command line: C:\WINDOWS\tasksche.exe /i
        signatures: Executes dropped EXE
        PID: 2568
- C:\WINDOWS\mssecsvc.exe (tree depth 1)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
  PID: 2672
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 269054c6ce0fd11a5d2969ffcfae9ed3
  SHA1: e710e22c256ea84e3535022d3633a3706f44595b
  SHA256: ae13a46c691cc93ccab882e4e7f9efab83839696318a2de8754bc77d7b6f37be
  SHA512: 7b792d94090c4542e46f2baa7d1b1cc87c70ed4b0ecb19a340e7d41d06cdef4c96fb52a6a45f13dd7c517f579cb57f786975fba02d6c28ef9d7261f85a936e74
- Filesize: 3.4MB
  MD5: 7f57cb3ca2eddedbcaa94f9da16f88f5
  SHA1: 7a334deccaf79f0ad5d1121a5743478ceaa983d0
  SHA256: b95bd87e08f6f258aa1c8a80c332cc1bc8b91e3b4ef1aa508ce943a91b46fa93
  SHA512: 158a3a0f89796abd8a943dce4be3abd05198c98c103bb4293aa5cfb68e9b2d5b63a67f5eeeb4813f2d9c223dd83095f5c977dab3109119569f42923bd120eb06