Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 05:03
Static task: static1
Behavioral task: behavioral1
  Sample: a3e847c9251a9a413bc8fd4d191e8ca0_JaffaCakes118.dll
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: a3e847c9251a9a413bc8fd4d191e8ca0_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
General
- Target: a3e847c9251a9a413bc8fd4d191e8ca0_JaffaCakes118.dll
- Size: 5.0MB
- MD5: a3e847c9251a9a413bc8fd4d191e8ca0
- SHA1: e7d1e729fb23b78438eeab87b428cb92e986f12c
- SHA256: 8a162b0f97a5694c24ad499f2d3dd9154ba0f6f1eeedf8e2f4ed44ed3fa63cb3
- SHA512: 478728b3786632c2e600fa78680ce47908f3d5a6e5b100cc481b3cb8ba3a241f2db45beee32c0af5b8f4e4b0d84fbdcfc238e13fc82c8b958f25a416a8d023f5
- SSDEEP: 98304:TDqPoBhz1aRxcSUZk36SAEdhoxWa9P593R8yAVp2H:TDqPe1Cxc7k3ZAE/adzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3314) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID   Process
  2788  mssecsvc.exe
  2792  mssecsvc.exe
  2264  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Description                  IoC                                                                                                              Process
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Description   IoC                        Process
  File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
  File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  All entries are by mssecsvc.exe:
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A7EF2DCC-FB30-4735-8ACD-E320F334485D}
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A7EF2DCC-FB30-4735-8ACD-E320F334485D}\WpadNetworkName = "Network 3"
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-68-dd-37-19-29\WpadDecisionReason = "1"
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-68-dd-37-19-29\WpadDecisionTime = 7069790a4fbdda01
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-68-dd-37-19-29\WpadDecision = "0"
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A7EF2DCC-FB30-4735-8ACD-E320F334485D}\WpadDecisionReason = "1"
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A7EF2DCC-FB30-4735-8ACD-E320F334485D}\WpadDecisionTime = 7069790a4fbdda01
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-68-dd-37-19-29
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A7EF2DCC-FB30-4735-8ACD-E320F334485D}\ae-68-dd-37-19-29
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A7EF2DCC-FB30-4735-8ACD-E320F334485D}\WpadDecision = "0"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Suspicious use of WriteProcessMemory (11 IoCs)
  Source PID  Source process  Target PID  Target process  Entries
  2244        rundll32.exe    2596        rundll32.exe    7
  2596        rundll32.exe    2788        mssecsvc.exe    4
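Two of the signatures above are simple heuristics over the event trace: "Executes dropped EXE" fires when a process is started from a path that an earlier file-create event in the same run wrote, and "Contacts a large amount of remote hosts" fires when one process reaches an unusually large number of distinct remote addresses. The Python below is an added example written for this page, not the sandbox's own signature engine. The event records are constructed from the PIDs and paths shown in this report; the event ordering, the remote addresses (10.0.0.0/8 lab values) and the 100-host threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One sandbox event. Fields that do not apply to a kind are left empty."""
    kind: str            # "process_create" | "file_create" | "net_flow"
    pid: int             # process_create: the new PID; otherwise the acting PID
    process: str         # image path of that process
    path: str = ""       # file_create: the file written
    remote: str = ""     # net_flow: remote host contacted
    parent_pid: int = 0  # process_create: parent PID (0 = tree root)


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; the report mixes C:\WINDOWS and C:\Windows.
    return path.replace("/", "\\").lower()


def dropped_exe_executions(events):
    """'Executes dropped EXE': a process is created from a path that an earlier
    file_create event in the trace wrote. Returns (executor_pid, image, dropper_pid)."""
    dropped = {}  # normalised path -> PID that first wrote it
    hits = []
    for ev in events:
        if ev.kind == "file_create":
            dropped.setdefault(_norm(ev.path), ev.pid)
        elif ev.kind == "process_create" and _norm(ev.process) in dropped:
            hits.append((ev.pid, ev.process, dropped[_norm(ev.process)]))
    return hits


def remote_host_scan(events, threshold=100):
    """'Contacts a large amount of remote hosts': distinct remote addresses per PID.
    Returns {pid: host_count} for PIDs at or above the threshold. The threshold is
    an assumption; the report does not state the sandbox's own cut-off."""
    hosts = defaultdict(set)
    for ev in events:
        if ev.kind == "net_flow":
            hosts[ev.pid].add(ev.remote)
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= threshold}


def process_chain(events, pid):
    """Ancestry of `pid` from the tree root, following process_create parent links."""
    parent = {ev.pid: ev.parent_pid for ev in events if ev.kind == "process_create"}
    chain = [pid]
    while parent.get(chain[-1]) and len(chain) < 64:  # 64: guard against bad parent data
        chain.append(parent[chain[-1]])
    return chain[::-1]


# Constructed trace modelled on this report's process tree and file drops.
SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\a3e847c9251a9a413bc8fd4d191e8ca0_JaffaCakes118.dll"
EVENTS = [
    Event("process_create", 2244, r"C:\Windows\system32\rundll32.exe"),
    Event("process_create", 2596, r"C:\Windows\SysWOW64\rundll32.exe", parent_pid=2244),
    Event("file_create", 2596, r"C:\Windows\SysWOW64\rundll32.exe", path=r"C:\WINDOWS\mssecsvc.exe"),
    Event("process_create", 2788, r"C:\WINDOWS\mssecsvc.exe", parent_pid=2596),
    Event("file_create", 2788, r"C:\WINDOWS\mssecsvc.exe", path=r"C:\WINDOWS\tasksche.exe"),
    Event("process_create", 2264, r"C:\WINDOWS\tasksche.exe", parent_pid=2788),
    Event("process_create", 2792, r"C:\WINDOWS\mssecsvc.exe"),  # separate root, as in the report
    # A dropped file that is never executed must not fire the dropped-EXE rule.
    Event("file_create", 2792, r"C:\WINDOWS\mssecsvc.exe",
          path=r"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat"),
    # One flow from PID 2788 stays well under the threshold.
    Event("net_flow", 2788, r"C:\WINDOWS\mssecsvc.exe", remote="10.0.0.1"),
]
# 3314 distinct remote hosts for PID 2792, matching the count in the report; the
# addresses themselves are constructed and do not come from the report.
EVENTS += [
    Event("net_flow", 2792, r"C:\WINDOWS\mssecsvc.exe", remote=f"10.0.{i // 256}.{i % 256}")
    for i in range(1, 3315)
]


if __name__ == "__main__":
    for executor, image, dropper in dropped_exe_executions(EVENTS):
        chain = " -> ".join(str(p) for p in process_chain(EVENTS, executor))
        print(f"Executes dropped EXE: PID {executor} ran {image} written by PID {dropper} (chain {chain})")
    for pid, n in remote_host_scan(EVENTS).items():
        print(f"Contacts a large amount of remote hosts: PID {pid} reached {n} distinct hosts")
```

Run as a script it reports the same three dropped-EXE executions the report lists (PIDs 2788, 2264 and 2792) and flags only PID 2792 for host count. Matching on the normalised image path rather than the file name is deliberate: a second, legitimately installed binary with the same name elsewhere on disk would otherwise produce a false positive.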
Processes
- C:\Windows\system32\rundll32.exe (PID 2244, depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a3e847c9251a9a413bc8fd4d191e8ca0_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2596, depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a3e847c9251a9a413bc8fd4d191e8ca0_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2788, depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2264, depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2792, depth 1; a separate tree root, not a child of the rundll32 chain)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: dd3779d8387c7d2ebcccb105b8257c22
  SHA1: b11da38885ab6a7e02f5163e5770476dc5b299b4
  SHA256: 5fd982c89f40cd5585219f84689b7f75e61ee4e4b2e78f69c3a49e32f505ac3a
  SHA512: c316b57ee0db5d52a73118ea22cf6532e684c0baac8a6292f50dd63e6914ee58e796942133a0c54bc1430fad23d0c7a362631f81e6845488e2f762fd712f7718
- Filesize: 3.4MB
  MD5: 4a264a7f5d53db28d2837e75ce739d27
  SHA1: fe8f14a2bd4c686030e16073fcf55a5244506235
  SHA256: 2ccc961e81830b1ffb8afad488383f1437a40ea4c30a2a16ec573f1f5b8b07de
  SHA512: 8d8c3ac86c535eaeacb1cc80ab75c03a1778099db0e4b77db861bba7cea398645beca968050491a6eb9ccf011189b364388375c8c1bb83129edbe3cf7fe0a36b