Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system -
submitted
13-06-2024 02:33
Static task
static1
Behavioral task
behavioral1
Sample
a38af9da4d563a71dd17ab22640cc3c8_JaffaCakes118.dll
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
a38af9da4d563a71dd17ab22640cc3c8_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
a38af9da4d563a71dd17ab22640cc3c8_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
a38af9da4d563a71dd17ab22640cc3c8
-
SHA1
0c902c748adee5a0631fad49de85474764dbc6a1
-
SHA256
4e5f036c0c8fb09f0c37a539f5d89e5afa783fce106db242de952f014ae9655f
-
SHA512
4a03e0b4bf63038ede4a2998b241168fa14bc31da0991674ac687b4acb5ca44f69a1444afccf92d91023bbddc06907307aa274921daff9f403815d3e64106a12
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:+DqPoBhz1aRxcSUDk36SA
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (2666) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
  pid   process
  616   mssecsvc.exe
  2564  mssecsvc.exe
  2420  tasksche.exe
-
Drops file in System32 directory 1 IoCs
Processes:
  description                  ioc                                                                                                          process
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes:
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
-
Modifies data under HKEY_USERS 24 IoCs
Processes:
  process: mssecsvc.exe (all 24 entries)
  description        ioc
  Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f012a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-bf-68-f2-b9-43\WpadDecisionReason = "1"
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2A07AB3-A56D-46AB-BD17-0377E5DC2D06}\36-bf-68-f2-b9-43
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-bf-68-f2-b9-43\WpadDecision = "0"
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2A07AB3-A56D-46AB-BD17-0377E5DC2D06}
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-bf-68-f2-b9-43
  Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2A07AB3-A56D-46AB-BD17-0377E5DC2D06}\WpadNetworkName = "Network 3"
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-bf-68-f2-b9-43\WpadDecisionTime = 609f72143abdda01
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2A07AB3-A56D-46AB-BD17-0377E5DC2D06}\WpadDecisionReason = "1"
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2A07AB3-A56D-46AB-BD17-0377E5DC2D06}\WpadDecisionTime = 609f72143abdda01
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C2A07AB3-A56D-46AB-BD17-0377E5DC2D06}\WpadDecision = "0"
  Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
  description                       pid   process       target process
  PID 2496 wrote to memory of 1656  2496  rundll32.exe  rundll32.exe
  PID 2496 wrote to memory of 1656  2496  rundll32.exe  rundll32.exe
  PID 2496 wrote to memory of 1656  2496  rundll32.exe  rundll32.exe
  PID 2496 wrote to memory of 1656  2496  rundll32.exe  rundll32.exe
  PID 2496 wrote to memory of 1656  2496  rundll32.exe  rundll32.exe
  PID 2496 wrote to memory of 1656  2496  rundll32.exe  rundll32.exe
  PID 2496 wrote to memory of 1656  2496  rundll32.exe  rundll32.exe
  PID 1656 wrote to memory of 616   1656  rundll32.exe  mssecsvc.exe
  PID 1656 wrote to memory of 616   1656  rundll32.exe  mssecsvc.exe
  PID 1656 wrote to memory of 616   1656  rundll32.exe  mssecsvc.exe
  PID 1656 wrote to memory of 616   1656  rundll32.exe  mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a38af9da4d563a71dd17ab22640cc3c8_JaffaCakes118.dll,#1
  PID: 2496
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a38af9da4d563a71dd17ab22640cc3c8_JaffaCakes118.dll,#1
    PID: 1656
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    └ C:\WINDOWS\mssecsvc.exe
      Command: C:\WINDOWS\mssecsvc.exe
      PID: 616
      - Executes dropped EXE
      - Drops file in Windows directory
      └ C:\WINDOWS\tasksche.exe
        Command: C:\WINDOWS\tasksche.exe /i
        PID: 2420
        - Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exe
  Command: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2564
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.6MB
MD5 ebb700898acb1aa4dd5a95a21b78b11b
SHA1 e9a932e4dccec394ea8801825de5c82463409301
SHA256 2c50716c5db4345ee69635dccf88e4bba9d7abdae6c60451f880f74733d7d3db
SHA512 5d06f8a6a6b8d4cde27413f22ce129daf66f48bab79372737eb14688bfd415bde8a14be160f22458e96f740a300dabde95e7be309a01005dde3cbbcb614ee1a9
-
Filesize
3.4MB
MD5 ae6c19298d764f3d7c2ace7e65fed822
SHA1 cb8b32d36461bbb61b8fc08d1038cb4532bf4275
SHA256 7d0e5690e5186b3abd97c66388b8da952f371c1ddeb8f6128cae696e4bf8ef90
SHA512 dadff44b27da4744bcc0ff11e4a9c0588b59837eb0221b034fc6a2095970e0df5759ef75e54ddf62c12b064335abdbbc0093867d238dc8e982fecdb49f5b1da1