Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 13-06-2024 15:49
Static task: static1
Behavioral task: behavioral1
- Sample: a6585e80f2a580a1b5d1dfb3d8dbe0f6_JaffaCakes118.dll
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: a6585e80f2a580a1b5d1dfb3d8dbe0f6_JaffaCakes118.dll
- Resource: win10v2004-20240611-en
General
- Target: a6585e80f2a580a1b5d1dfb3d8dbe0f6_JaffaCakes118.dll
- Size: 5.0MB
- MD5: a6585e80f2a580a1b5d1dfb3d8dbe0f6
- SHA1: 70e86c590bc18260a90e8d7c1501f57db5dfdf3c
- SHA256: 7527c7bc3c52dc5630265ee03efcae905a2cc8b909fc33d427919dd8b355a66a
- SHA512: 33525771a636ae7d35e737276f24089162115197e5acf417811b97da3043b77fc4cd4dcd7f79c47896e5d505d73395c60b1d17edc18f6f3a8dcd45d7e460f5be
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P53XK:+DqPe1Cxcxk3ZAEUadtXK
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3300) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes (pid, process):
  2332  mssecsvc.exe
  2356  mssecsvc.exe
  2620  tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes (description, ioc, process):
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes (description, ioc, process):
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
-
Modifies data under HKEY_USERS 24 IoCs
Processes (description, ioc; the process for every entry is mssecsvc.exe):
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{34D5B593-5A46-4C36-AF10-36B0F433E1BE}
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{34D5B593-5A46-4C36-AF10-36B0F433E1BE}\WpadDecisionReason = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{34D5B593-5A46-4C36-AF10-36B0F433E1BE}\WpadDecision = "0"
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{34D5B593-5A46-4C36-AF10-36B0F433E1BE}\WpadNetworkName = "Network 3"
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-05-8b-bf-89-06\WpadDecisionReason = "1"
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{34D5B593-5A46-4C36-AF10-36B0F433E1BE}\92-05-8b-bf-89-06
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{34D5B593-5A46-4C36-AF10-36B0F433E1BE}\WpadDecisionTime = e0c9a13ea9bdda01
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-05-8b-bf-89-06
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-05-8b-bf-89-06\WpadDecisionTime = e0c9a13ea9bdda01
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-05-8b-bf-89-06\WpadDecision = "0"
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes (description, pid, process, target pid, target process):
  PID 2392 wrote to memory of 2316  rundll32.exe -> rundll32.exe  (7 IoCs)
  PID 2316 wrote to memory of 2332  rundll32.exe -> mssecsvc.exe  (4 IoCs)
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6585e80f2a580a1b5d1dfb3d8dbe0f6_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2392
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a6585e80f2a580a1b5d1dfb3d8dbe0f6_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2316
    C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2332
      C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2620
-
C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2356
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 3.6MB
MD5: 06c4f5946eb4d6d99ec56fffc9468953
SHA1: 398b2a6e7788042e72a76341c2061e7aea6a17cc
SHA256: c89523191566c7b491cea755c7a47ee7dd383d0475a10268581808979d9d4544
SHA512: 8acb19a451cb20e12ee45c2cdda78ddd5ebda17f97b1ef3fa65f250311ef66fc3c945476a903bf4107b21dab54c291bc509a58fbdd0e84b4b8bfd416f6ae2ef8
-
Filesize: 3.4MB
MD5: 5fb7e5f0c3d439cc3a6823f8e061d9ae
SHA1: 5df9961c8df60e3933dfeb110c3d42f7a63a21dd
SHA256: 25c44dc5f8b699042083b14da37ff4dbc8ffc1057362ce2d9c24b94eec4ea0fe
SHA512: ce87f13ddad2fe78255a29b4a513992496af58da539e77a8283866895453ebd459a23c2871df8607bcf8def2eccf77e3740152139a622a9815b9645f61c8a22d