Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 10:15
Static task: static1
Behavioral task: behavioral1
- Sample: a507fbb517751736c6dcf41c967d2a56_JaffaCakes118.dll
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: a507fbb517751736c6dcf41c967d2a56_JaffaCakes118.dll
- Resource: win10v2004-20240611-en
General
- Target: a507fbb517751736c6dcf41c967d2a56_JaffaCakes118.dll
- Size: 5.0MB
- MD5: a507fbb517751736c6dcf41c967d2a56
- SHA1: 39b95e8e1ef0d46b3bc853fa374f7429c3c4d10f
- SHA256: 25aef98f31689403efd787a1bc80edd87805a03bd2f61d86fb4dc823aa381450
- SHA512: 2c9cafc5af10e0feb286bad250fe24af2fb8c137508496b69fc93bd8e3a94151083faf61e16489f6e41c10671d5c32182b1b943c3b5434e134b68c9461da346f
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0Y8uME7A4kqAH1pNZtA0p+9XEk:SnAQqMSPbcBVKR8yAH1plAH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3087) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
    2372 | mssecsvc.exe
    1628 | mssecsvc.exe
    2644 | tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description | ioc | process):
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F21B9D3B-8A8B-4196-A1B1-E026110F0404}\WpadDecision = "0" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0050000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F21B9D3B-8A8B-4196-A1B1-E026110F0404}\WpadDecisionReason = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F21B9D3B-8A8B-4196-A1B1-E026110F0404}\WpadDecisionTime = 2090a49b7abdda01 | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F21B9D3B-8A8B-4196-A1B1-E026110F0404}\WpadNetworkName = "Network 3" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-dd-db-e5-c9-83 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F21B9D3B-8A8B-4196-A1B1-E026110F0404}\aa-dd-db-e5-c9-83 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-dd-db-e5-c9-83\WpadDecision = "0" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-dd-db-e5-c9-83\WpadDecisionReason = "1" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-dd-db-e5-c9-83\WpadDecisionTime = 2090a49b7abdda01 | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F21B9D3B-8A8B-4196-A1B1-E026110F0404} | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
    PID 2860 wrote to memory of 2964 | 2860 | rundll32.exe | rundll32.exe
    PID 2860 wrote to memory of 2964 | 2860 | rundll32.exe | rundll32.exe
    PID 2860 wrote to memory of 2964 | 2860 | rundll32.exe | rundll32.exe
    PID 2860 wrote to memory of 2964 | 2860 | rundll32.exe | rundll32.exe
    PID 2860 wrote to memory of 2964 | 2860 | rundll32.exe | rundll32.exe
    PID 2860 wrote to memory of 2964 | 2860 | rundll32.exe | rundll32.exe
    PID 2860 wrote to memory of 2964 | 2860 | rundll32.exe | rundll32.exe
    PID 2964 wrote to memory of 2372 | 2964 | rundll32.exe | mssecsvc.exe
    PID 2964 wrote to memory of 2372 | 2964 | rundll32.exe | mssecsvc.exe
    PID 2964 wrote to memory of 2372 | 2964 | rundll32.exe | mssecsvc.exe
    PID 2964 wrote to memory of 2372 | 2964 | rundll32.exe | mssecsvc.exe
Processes (tree; each nested entry is a child of the one above it)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a507fbb517751736c6dcf41c967d2a56_JaffaCakes118.dll,#1
  PID: 2860
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a507fbb517751736c6dcf41c967d2a56_JaffaCakes118.dll,#1
    PID: 2964
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2372
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2644
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1628
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: b8cffb216ac70b443fcd5e3d4da9866d
  SHA1: c08c4a8d93b7e6fdb6c85c06c9685cdb90d89956
  SHA256: 7dd5323526062ec448c89fe44212787659e3b2bae7ab37fb20bf0517da7f8fc9
  SHA512: 354b5695c8b3e60d0278bd9c1b6a58ccbc27b8590904af246c8c6b8dc57e2e855d9710c0f60762f9a1c1e3255090c1eaa6fc9f35e3e50cfc47df0f421d2ac171
- Filesize: 3.4MB
  MD5: f6ce03eb98bf554d3d34e82abcaf6dbc
  SHA1: 4342a29eb2b604ec980a1742436849b4df70d485
  SHA256: 0f1cf1e0af34939c8d818e315ab77b708d29992ea1e1f0f4d27ab70dcc5d3e35
  SHA512: a1a91c1cd3386c1275d0658982de43cfcbb47dd6a514746285c54ecc01dadc2951b7e7915397ead8099bd3ad3fc8c301945f3efd44faab28860e4892f582ab04