Analysis
max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 15:48
Static task: static1
Behavioral task: behavioral1
  Sample: a657a66208c5cce57412b5c1c89a9041_JaffaCakes118.dll
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: a657a66208c5cce57412b5c1c89a9041_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
General
Target: a657a66208c5cce57412b5c1c89a9041_JaffaCakes118.dll
Size: 5.0MB
MD5: a657a66208c5cce57412b5c1c89a9041
SHA1: 991ec801b55d3aadb40c20f5c8697a677ea2bb76
SHA256: 3a0b797d56b22556d7d7a7d56f34dd62e75aeb298d41d2e0afb719b23511462d
SHA512: 1ff663e9fe312607939c29720dd56de72c28193deb614e6d302f909b856c53fe037e754c04b115430a458c157c7e5e049f03ef93fb4af78539e77f5f3681471e
SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEcaEa:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2672) number of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  pid | process
  1740 | mssecsvc.exe
  2628 | mssecsvc.exe
  2668 | tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E87A428-798C-4E5F-B890-657F5DAF008D}\WpadDecisionTime = 40315c35a9bdda01 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E87A428-798C-4E5F-B890-657F5DAF008D}\WpadDecision = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E87A428-798C-4E5F-B890-657F5DAF008D}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-99-13-52-c7-4d | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-99-13-52-c7-4d\WpadDecisionTime = 40315c35a9bdda01 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E87A428-798C-4E5F-B890-657F5DAF008D}\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-99-13-52-c7-4d\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fe-99-13-52-c7-4d\WpadDecision = "0" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00dd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E87A428-798C-4E5F-B890-657F5DAF008D}\fe-99-13-52-c7-4d | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E87A428-798C-4E5F-B890-657F5DAF008D} | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description | pid | process | target process
  PID 2460 wrote to memory of 1764 | 2460 | rundll32.exe | rundll32.exe
  PID 2460 wrote to memory of 1764 | 2460 | rundll32.exe | rundll32.exe
  PID 2460 wrote to memory of 1764 | 2460 | rundll32.exe | rundll32.exe
  PID 2460 wrote to memory of 1764 | 2460 | rundll32.exe | rundll32.exe
  PID 2460 wrote to memory of 1764 | 2460 | rundll32.exe | rundll32.exe
  PID 2460 wrote to memory of 1764 | 2460 | rundll32.exe | rundll32.exe
  PID 2460 wrote to memory of 1764 | 2460 | rundll32.exe | rundll32.exe
  PID 1764 wrote to memory of 1740 | 1764 | rundll32.exe | mssecsvc.exe
  PID 1764 wrote to memory of 1740 | 1764 | rundll32.exe | mssecsvc.exe
  PID 1764 wrote to memory of 1740 | 1764 | rundll32.exe | mssecsvc.exe
  PID 1764 wrote to memory of 1740 | 1764 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a657a66208c5cce57412b5c1c89a9041_JaffaCakes118.dll,#1
  PID: 2460
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a657a66208c5cce57412b5c1c89a9041_JaffaCakes118.dll,#1
    PID: 1764
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1740
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2668
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2628
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 9725da13c795537ef61e844136ea90e3
  SHA1: fc82142cd0565201b8f44409068a5199bb340b37
  SHA256: 98c52deb359b767109d4902a52e054d1ca410893012bb69bebdae5310a5c1768
  SHA512: cc68c8cc2c501f1f152c13a978e650bd75d0aa62c47cfa82f483423c027f4038c829e7e7c8b730028f669e1cea58e4bb672dddd5880e2c6894963180e0504b33
- Filesize: 3.4MB
  MD5: 73ca33926dedbc460f05194098f93c64
  SHA1: 857963ceca72301af31b38dfe675a15e9181a325
  SHA256: c5f768fbec7c3f5125d02c5a5c626d899f2cd93fbf125b709e61c7bc05c31138
  SHA512: 31f0d24ade177532da910a7eda6a2463b95e05ad43a016a531b86a143ef599afaecfcf9e6c9c624df9934368688ca2e0b158135e155aae402a9e919dec687f93