Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 22:18
Static task: static1
Behavioral task: behavioral1
- Sample: abb8ae7154abbdfad58617fbd6e37e25_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: abb8ae7154abbdfad58617fbd6e37e25_JaffaCakes118.dll
- Resource: win10v2004-20240611-en
General
- Target: abb8ae7154abbdfad58617fbd6e37e25_JaffaCakes118.dll
- Size: 5.0MB
- MD5: abb8ae7154abbdfad58617fbd6e37e25
- SHA1: 666e933158146b2e09b17d4d2928f88f641e441a
- SHA256: dc9e52ca2f0ae795394ceed7959eee45e6eb78a33757a4d274246ea33c492ea2
- SHA512: 0b4f72fe74c8c011524c8124d152ff9682378c849b02942e00b5b0d7027f7036131a47dbbaa2f5c729b19fcc95d14401cd3a2ce5ca7f133a5a55b1ed2cb8caeb
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0BkQg6eX6SA:SnAQqMSPbcBVBkQo6SA
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2647) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 2980: mssecsvc.exe
  - PID 2616: mssecsvc.exe
  - PID 2456: tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes:
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs, process: mssecsvc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 1612 (rundll32.exe) wrote to memory of PID 1900 (rundll32.exe): 7 events
  - PID 1900 (rundll32.exe) wrote to memory of PID 2980 (mssecsvc.exe): 4 events
Processes
- C:\Windows\system32\rundll32.exe (PID 1612)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\abb8ae7154abbdfad58617fbd6e37e25_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1900)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\abb8ae7154abbdfad58617fbd6e37e25_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2980)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2456)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2616)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: d714de5177b8317d3f15f161dcd7bff8
  SHA1: bcceeb2ab589aeff2b890f9581c7e6aac82e5a72
  SHA256: c87f021d535c6ab171dbc9c9c1daf084c2c1f366ba307b3efa3923fbbd1f8227
  SHA512: 27879ecb9519653b907886a2326be55c17d0dc8a205631cef075e551548c7ad5e50ab4acba4d2cbe86387ad31275d73ae377c3b3857882a41c0df70fe35b45af
- Filesize: 3.4MB
  MD5: 3eb8205a8574d044000a515e2d445814
  SHA1: dc67dbb939bb21a9a187f53da19750d50e2f34b1
  SHA256: 92f53ba1bf6dfe19b9404d5dd93c9275496933ea1bd97b83ca1c73996d13acff
  SHA512: 740889c4b9cb4b32f2111bd85db1cc5615ad6ba9821df7cf211c05e7fb3fb5c89f406418469d98575590e15d39637cef97000ba181b0798e8bbbbd737d89233e