Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 07:39
Static task: static1
Behavioral task: behavioral1
- Sample: a4774be090b51066ee398dfd507dbc1f_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: a4774be090b51066ee398dfd507dbc1f_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: a4774be090b51066ee398dfd507dbc1f_JaffaCakes118.dll
- Size: 5.0MB
- MD5: a4774be090b51066ee398dfd507dbc1f
- SHA1: 23dba8a66a215783450827e8c99d18a2ba21f824
- SHA256: 1f94ac5fddf0ae1ec9e51478e1936f344edbc4b339d32eadee24303d0649ad6d
- SHA512: bc12be26046395116fd305d66b73c3d4ea5cea4521103a515881c9fef464043c742c9028fa2909033a9aa19816ffe910bb038a69ad05ca2b9f8a6729222a3fc3
- SSDEEP: 98304:TDqPoBhz1aRxcSUDkUEdhvxWa9P593R8yAVp2H:TDqPe1CxcxkUEUadzR8yc4H
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3219) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services. Note that 3219 distinct hosts were reached within the 150s network window, from the service-mode instance of mssecsvc.exe (PID 2576, see the process tree below).
-
Executes dropped EXE (3 IoCs)
Processes:
- PID 1992: mssecsvc.exe
- PID 2576: mssecsvc.exe
- PID 2556: tasksche.exe
Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory (1 IoC)
Processes:
- mssecsvc.exe: file opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
Drops file in Windows directory (2 IoCs)
Processes:
- rundll32.exe: file created: C:\WINDOWS\mssecsvc.exe
- mssecsvc.exe: file created: C:\WINDOWS\tasksche.exe
Modifies data under HKEY_USERS (24 IoCs)
Processes (all by mssecsvc.exe):
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B8C57856-3E1E-4F8F-BCB5-470C026DA9F3}\WpadDecision = "0"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-20-6e-1f-74-54
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B8C57856-3E1E-4F8F-BCB5-470C026DA9F3}\26-20-6e-1f-74-54
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B8C57856-3E1E-4F8F-BCB5-470C026DA9F3}\WpadDecisionReason = "1"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B8C57856-3E1E-4F8F-BCB5-470C026DA9F3}\WpadNetworkName = "Network 3"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-20-6e-1f-74-54\WpadDecisionReason = "1"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B8C57856-3E1E-4F8F-BCB5-470C026DA9F3}
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-20-6e-1f-74-54\WpadDecision = "0"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-20-6e-1f-74-54\WpadDecisionTime = b03526e664bdda01
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (value not recorded)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B8C57856-3E1E-4F8F-BCB5-470C026DA9F3}\WpadDecisionTime = b03526e664bdda01
These are the Internet Settings, proxy and WPAD auto-detect values that WinINet writes when a process initialises it; none of them is a persistence mechanism on its own. That they land under HKEY_USERS\.DEFAULT rather than a user hive is consistent with the writing process running in the LocalSystem context, which fits the service-mode instance (mssecsvc.exe -m security, PID 2576) in the process tree below. The GUID and MAC-style subkey names are generated by the sandbox host's network adapter and are not sample IoCs.
Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
- PID 2028 (rundll32.exe) wrote to memory of PID 2380 (rundll32.exe): 7 events
- PID 2380 (rundll32.exe) wrote to memory of PID 1992 (mssecsvc.exe): 4 events
Processes
- [1] C:\Windows\system32\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4774be090b51066ee398dfd507dbc1f_JaffaCakes118.dll,#1
      PID: 2028
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a4774be090b51066ee398dfd507dbc1f_JaffaCakes118.dll,#1
        PID: 2380
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
    - [3] C:\WINDOWS\mssecsvc.exe
          Command line: C:\WINDOWS\mssecsvc.exe
          PID: 1992
          - Executes dropped EXE
          - Drops file in Windows directory
      - [4] C:\WINDOWS\tasksche.exe
            Command line: C:\WINDOWS\tasksche.exe /i
            PID: 2556
            - Executes dropped EXE
- [1] C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe -m security
      PID: 2576
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
Reading the tree: the 64-bit rundll32.exe in system32 (PID 2028) hands off to the 32-bit copy in SysWOW64 (PID 2380) because the DLL is a 32-bit image, so export ordinal #1 actually executes in PID 2380, which is also the process that writes C:\WINDOWS\mssecsvc.exe and starts it. The second root (PID 2576) has no parent in the trace and is launched with -m security; it is the instance responsible for the network fan-out and the HKEY_USERS\.DEFAULT registry activity, so a process-lineage rule rooted at rundll32.exe alone will not catch it.
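The signatures and process tree above, turned into detection logic as an added example. This is editor-written code, not sandbox output and not part of the sample. The telemetry is constructed from the PIDs, image paths, command lines, file drops and the 3219-host fan-out recorded on this page; the tuple layouts, the parent PIDs 1000 and 500, the notepad.exe rows and the 10.0.x.x destination addresses are assumptions added for context, and the 100-host threshold is a placeholder to tune per environment.

```python
"""Replaying this report's behavioural signatures as detection logic (added example)."""
from collections import defaultdict

DLL = r"C:\Users\Admin\AppData\Local\Temp\a4774be090b51066ee398dfd507dbc1f_JaffaCakes118.dll"

# Process-creation events: (pid, ppid, image, command line). PIDs 2028, 2380,
# 1992, 2556 and 2576 come from the report; ppid 1000/500 and notepad.exe are
# constructed benign context.
PROC_EVENTS = [
    (2028, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    (2380, 2028, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    (1992, 2380, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    (2556, 1992, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    (2576, 500, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    (3100, 1000, r"C:\Windows\system32\notepad.exe", "notepad.exe"),
]

# File-creation events: (pid, image, path). The first two are the report's
# "Drops file in Windows directory" IoCs; the third is constructed noise.
FILE_EVENTS = [
    (2380, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\WINDOWS\mssecsvc.exe"),
    (1992, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\tasksche.exe"),
    (3100, r"C:\Windows\system32\notepad.exe", r"C:\Users\Admin\notes.txt"),
]

# Network flows: (pid, destination host). One pid reaching 3219 distinct hosts
# mirrors the report's signature; the addresses are constructed.
NET_FLOWS = [(2576, f"10.0.{i // 256}.{i % 256}") for i in range(3219)]
NET_FLOWS.append((3100, "10.0.0.5"))


def rundll32_drops_executable(file_events):
    """rundll32.exe (either bitness) creating a .exe under the Windows directory."""
    hits = []
    for pid, image, path in file_events:
        p = path.lower()
        if image.lower().endswith("\\rundll32.exe") and p.startswith("c:\\windows\\") and p.endswith(".exe"):
            hits.append((pid, path))
    return hits


def executes_dropped_exe(proc_events, file_events):
    """PIDs whose image path was created by some process in the same telemetry."""
    dropped = {path.lower() for _, _, path in file_events}
    return [pid for pid, _, image, _ in proc_events if image.lower() in dropped]


def ancestry(proc_events, pid):
    """Image paths from the oldest known ancestor down to pid (cycle-safe)."""
    by_pid = {p: (pp, img) for p, pp, img, _ in proc_events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ppid, img = by_pid[pid]
        chain.append(img)
        pid = ppid
    return chain[::-1]


def dropped_exe_with_rundll32_ancestor(proc_events, file_events):
    """Dropped-EXE executions with rundll32.exe somewhere above them.

    The service-mode instance (pid 2576, "-m security") has no rundll32
    ancestor in the trace, so lineage alone misses it; host_fanout covers it.
    """
    return [pid for pid in executes_dropped_exe(proc_events, file_events)
            if any(img.lower().endswith("\\rundll32.exe")
                   for img in ancestry(proc_events, pid)[:-1])]


def host_fanout(net_flows, threshold=100):
    """Distinct destination hosts per pid, reported only at or above threshold."""
    hosts = defaultdict(set)
    for pid, dst in net_flows:
        hosts[pid].add(dst)
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= threshold}


def triage(proc_events, file_events, net_flows):
    """Run all detectors and return one dict of findings."""
    return {
        "rundll32_dropped_exe": rundll32_drops_executable(file_events),
        "executes_dropped_exe": executes_dropped_exe(proc_events, file_events),
        "rundll32_lineage": dropped_exe_with_rundll32_ancestor(proc_events, file_events),
        "scan_like_fanout": host_fanout(net_flows),
    }


if __name__ == "__main__":
    for name, result in triage(PROC_EVENTS, FILE_EVENTS, NET_FLOWS).items():
        print(f"{name}: {result}")
```

The lineage detector reproduces the three "Executes dropped EXE" IoCs (1992, 2556, 2576) but only ties 1992 and 2556 back to rundll32.exe; PID 2576 is caught by the fan-out count instead, which is why the report's network signatures matter as much as the file drops. Real telemetry would key the fan-out on a time window and destination port as well as host.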
Downloads
Two dropped files were captured; the report does not state which on-disk artifact each corresponds to.
- Filesize: 3.6MB
  MD5: 37c0bb40666f30676e3b820cec27d87b
  SHA1: 9fa6190122f70feaa3be7bd7a8b1453c42f4fc91
  SHA256: a5bcc305c9380132da4cc0aca4d088be092ffb29fc0eb2a96e8b0269b434df32
  SHA512: 435d1d6de421f20b8520bc139a3d396bb41e5075f9714920f7201d9055bd579b9f7d97b252b8e90d5b45a48bb470c9c00785a4878f6018859d972adac2a7cbe6
- Filesize: 3.4MB
  MD5: dd578ed9e4b35ad3ea75c4b658505bdc
  SHA1: 38312990bff7fa21742b30cefb4ea500ae56e4b8
  SHA256: a488f5bcd138ae34fa83a8866a61fec3af84adce59c5dff5e59911c653d2e0e9
  SHA512: b3b5b189bb928045eec6819f90142b9af170159e50e4d51c93770f968a49c1c2b6df6c855e8782f540aaad8f92e25c000116b8cb02d275fc0447f60e38b6b125