Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
- submitted: 14-06-2024 21:44
Static task
static1
Behavioral task
behavioral1
Sample
ab9a8b13426052f871ad2473ca727445_JaffaCakes118.dll
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
ab9a8b13426052f871ad2473ca727445_JaffaCakes118.dll
Resource
win10v2004-20240611-en
General
- Target: ab9a8b13426052f871ad2473ca727445_JaffaCakes118.dll
- Size: 5.0MB
- MD5: ab9a8b13426052f871ad2473ca727445
- SHA1: 402bad956a2c54c8f4b32d255df723fc9f297089
- SHA256: eeb4d095615c2faa4a25c9d3ddd7e056c0f1a596917f48d4351e0fed2040685c
- SHA512: 6ab7ae1803632b5e348614a71b58c240274da09192ece086108b70f340ce4afa4dd2836e8749e10e87def27da6928949a07ded505fc1ffa21e976f72b50b95c6
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdd1HkQo6SAARdhnvx:+DqPoBhz1aRxcSUZk36SAEdhvx
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (2658) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
pid | process
2236 | mssecsvc.exe
1228 | mssecsvc.exe
2472 | tasksche.exe
Drops file in System32 directory 1 IoCs
Processes: mssecsvc.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
Drops file in Windows directory 2 IoCs
Processes: mssecsvc.exe, rundll32.exe
description | ioc | process
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
Modifies data under HKEY_USERS 24 IoCs
Processes: mssecsvc.exe
description | ioc | process
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3C5F07B6-6FDD-4951-9F22-DB1A42734399}\WpadDecisionReason = "1" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-16-b0-21-85-65\WpadDecisionTime = 10a8d023a4beda01 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-16-b0-21-85-65\WpadDecision = "0" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f002d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3C5F07B6-6FDD-4951-9F22-DB1A42734399}\7a-16-b0-21-85-65 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-16-b0-21-85-65\WpadDecisionReason = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3C5F07B6-6FDD-4951-9F22-DB1A42734399}\WpadDecisionTime = 10a8d023a4beda01 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-16-b0-21-85-65 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3C5F07B6-6FDD-4951-9F22-DB1A42734399} | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3C5F07B6-6FDD-4951-9F22-DB1A42734399}\WpadDecision = "0" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3C5F07B6-6FDD-4951-9F22-DB1A42734399}\WpadNetworkName = "Network 3" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
Suspicious use of WriteProcessMemory 11 IoCs
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 2072 wrote to memory of 2208 | 2072 | rundll32.exe | rundll32.exe
PID 2072 wrote to memory of 2208 | 2072 | rundll32.exe | rundll32.exe
PID 2072 wrote to memory of 2208 | 2072 | rundll32.exe | rundll32.exe
PID 2072 wrote to memory of 2208 | 2072 | rundll32.exe | rundll32.exe
PID 2072 wrote to memory of 2208 | 2072 | rundll32.exe | rundll32.exe
PID 2072 wrote to memory of 2208 | 2072 | rundll32.exe | rundll32.exe
PID 2072 wrote to memory of 2208 | 2072 | rundll32.exe | rundll32.exe
PID 2208 wrote to memory of 2236 | 2208 | rundll32.exe | mssecsvc.exe
PID 2208 wrote to memory of 2236 | 2208 | rundll32.exe | mssecsvc.exe
PID 2208 wrote to memory of 2236 | 2208 | rundll32.exe | mssecsvc.exe
PID 2208 wrote to memory of 2236 | 2208 | rundll32.exe | mssecsvc.exe
Processes
Process (depth 1): C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab9a8b13426052f871ad2473ca727445_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2072
  Process (depth 2): C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab9a8b13426052f871ad2473ca727445_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2208
    Process (depth 3): C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2236
      Process (depth 4): C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2472
Process (depth 1): C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 1228
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 76c9ea6eb26472d7c6adae1de0da9627
  SHA1: 994583dfc53576fbaedba77baa71b123b0540cea
  SHA256: 93cc8628417711f799d8239284c81d5589453afe196b87079c8ddb24b8e6a6d3
  SHA512: 18a3fee23d1b3d10ff841eee1ea5bdf39f84a2c85e7fb1bb97bc47efbba547d2928b1fa3ce832d5fec291572e82d6b7e74b2b2a862b2fbc1fd051afda4d2de45
- Filesize: 3.4MB
  MD5: d9ab07fdbd01e1673d4732789453ba5e
  SHA1: 8586e13eb3cc100621e313e095eb866d599e16dd
  SHA256: 619777a0df4d2d6dffaeb1355391d9cf89b4a52addaf23d2f2f9961ea9dcbed6
  SHA512: c80850f612abbb8e3085f1cef55ba38b874a3f80ae24d168e515b41b64d90ce6696023bfa2298f5aad1da8f0777e4d046afc7d0100cd1dfd29a4fe44283e3393