Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
14-06-2024 23:04
Static task
static1
Behavioral task
behavioral1
Sample
abe6e87983c57683bbbb49fb6dc2251b_JaffaCakes118.dll
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
abe6e87983c57683bbbb49fb6dc2251b_JaffaCakes118.dll
Resource
win10v2004-20240226-en
General
-
Target
abe6e87983c57683bbbb49fb6dc2251b_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
abe6e87983c57683bbbb49fb6dc2251b
-
SHA1
bc01665343d892b92f4320652e89d5252afbb8b3
-
SHA256
c63bf97c4a4bc3e4f209f9001c80f349149f2573b1bd8a3ca4d1e5cbc03fd806
-
SHA512
33cf102d67e4ef204b5662a5503e00814e8f4d9060cc40b8b88d4fec154bb422f696ed5c035be27601cc7c53885caeb3e05abe64f1a163beab83a28c4ab1eff6
-
SSDEEP
49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdh:TDqPoBhz1aRxcSUDk36SAEdh
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3263) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 2148 mssecsvc.exe 2564 mssecsvc.exe 2440 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-77-22-ab-73-f6\WpadDecision = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06554B65-349C-4C97-B710-6E0E95F99848}\WpadDecisionTime = 403dd940afbeda01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06554B65-349C-4C97-B710-6E0E95F99848}\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-77-22-ab-73-f6 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00bd000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06554B65-349C-4C97-B710-6E0E95F99848}\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06554B65-349C-4C97-B710-6E0E95F99848}\82-77-22-ab-73-f6 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-77-22-ab-73-f6\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-77-22-ab-73-f6\WpadDecisionTime = 403dd940afbeda01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06554B65-349C-4C97-B710-6E0E95F99848} mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06554B65-349C-4C97-B710-6E0E95F99848}\WpadNetworkName = "Network 3" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2072 wrote to memory of 3016 2072 rundll32.exe rundll32.exe PID 2072 wrote to memory of 3016 2072 rundll32.exe rundll32.exe PID 2072 wrote to memory of 3016 2072 rundll32.exe rundll32.exe PID 2072 wrote to memory of 3016 2072 rundll32.exe rundll32.exe PID 2072 wrote to memory of 3016 2072 rundll32.exe rundll32.exe PID 2072 wrote to memory of 3016 2072 rundll32.exe rundll32.exe PID 2072 wrote to memory of 3016 2072 rundll32.exe rundll32.exe PID 3016 wrote to memory of 2148 3016 rundll32.exe mssecsvc.exe PID 3016 wrote to memory of 2148 3016 rundll32.exe mssecsvc.exe PID 3016 wrote to memory of 2148 3016 rundll32.exe mssecsvc.exe PID 3016 wrote to memory of 2148 3016 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\abe6e87983c57683bbbb49fb6dc2251b_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\abe6e87983c57683bbbb49fb6dc2251b_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2148 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2440
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2564
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD568c6204cf77e572e59f69614b2ca3d08
SHA133631d615d796844cdb9fd37c78d82cb83af1a5f
SHA25693cda4a7e1fcc7e2f79437354e36f5e58ccac5f01ce54054e88ba7a54115a3cc
SHA51276387771afdaeed08bca9528ffec6780881d3d748e58f9019897bc7f5c72701ffdaaaeabd1a8bc52bc3a791cfd7326fee88207e837ce348e5254915e9376f378
-
Filesize
3.4MB
MD5bccad6972840ccd4069b2f9ce01eb89d
SHA155c3531a3d17492bfd4cf5f297a34c3c939252ab
SHA2565aaf6cc5874058d52270446a17529877390b1efafa4b1e7035b35ec4986bdc52
SHA51275432c3df367c08228267b97b6bdff646ad16c1ea9f28af6986b51296da0f256276445f02b057b35d8038ba6fdfaa4bdc8001f40e9723996e43b7a229d1e332e