Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 23:09
Static task: static1
Behavioral task: behavioral1
  Sample: abebc86c59b2aa2143a4aaf98ea34630_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: abebc86c59b2aa2143a4aaf98ea34630_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: abebc86c59b2aa2143a4aaf98ea34630_JaffaCakes118.dll
- Size: 5.0MB
- MD5: abebc86c59b2aa2143a4aaf98ea34630
- SHA1: 385b79ff4bfe4dd43e06c287d11d1a067fbb5eb7
- SHA256: fb5317e76d0f234aede9f26f60f40a278c241d27019518df2ab8909ead764788
- SHA512: 1395898edcc6ec8c97934711886cda105b5f8c4b5e1dc9ecf36ac8f9cf268882bad58945b369cc359557bc5b4ebba4e65c705c94f68f38ce9ab42f1403bf6545
- SSDEEP: 49152:znAQqMSPbcBVQej/1IwFvElh6h0mZQOy2DLscxez2Kr7GDVENG+VN+kszxR:TDqPoBhz1pv86h0mhEcwz
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2661) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  2216  mssecsvc.exe
  2788  mssecsvc.exe
  3008  tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC8A2D7A-A852-40A2-9734-CD5AEEDB86C5}\aa-f4-2a-2f-13-d5 (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-f4-2a-2f-13-d5\WpadDecision = "0" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC8A2D7A-A852-40A2-9734-CD5AEEDB86C5}\WpadDecisionTime = 10291debafbeda01 (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC8A2D7A-A852-40A2-9734-CD5AEEDB86C5}\WpadDecisionReason = "1" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC8A2D7A-A852-40A2-9734-CD5AEEDB86C5}\WpadDecision = "0" (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC8A2D7A-A852-40A2-9734-CD5AEEDB86C5}\WpadNetworkName = "Network 3" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AC8A2D7A-A852-40A2-9734-CD5AEEDB86C5} (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-f4-2a-2f-13-d5\WpadDecisionReason = "1" (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-f4-2a-2f-13-d5\WpadDecisionTime = 10291debafbeda01 (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-f4-2a-2f-13-d5 (mssecsvc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                           pid   process       target process
  PID 2168 wrote to memory of 2432      2168  rundll32.exe  rundll32.exe
  PID 2168 wrote to memory of 2432      2168  rundll32.exe  rundll32.exe
  PID 2168 wrote to memory of 2432      2168  rundll32.exe  rundll32.exe
  PID 2168 wrote to memory of 2432      2168  rundll32.exe  rundll32.exe
  PID 2168 wrote to memory of 2432      2168  rundll32.exe  rundll32.exe
  PID 2168 wrote to memory of 2432      2168  rundll32.exe  rundll32.exe
  PID 2168 wrote to memory of 2432      2168  rundll32.exe  rundll32.exe
  PID 2432 wrote to memory of 2216      2432  rundll32.exe  mssecsvc.exe
  PID 2432 wrote to memory of 2216      2432  rundll32.exe  mssecsvc.exe
  PID 2432 wrote to memory of 2216      2432  rundll32.exe  mssecsvc.exe
  PID 2432 wrote to memory of 2216      2432  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 2168, depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\abebc86c59b2aa2143a4aaf98ea34630_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2432, depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\abebc86c59b2aa2143a4aaf98ea34630_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2216, depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 3008, depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2788, depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 093e8a1d86864424d3cdd1ebede4cc82
  SHA1: 07b534af48de27c84e046229cc25979fdbcaa53c
  SHA256: 7cd796d59db7e7ac878ad3335522104e1422e6fc721b2f1c327007578df01502
  SHA512: df230b18fa382f8d419008ba2483fad3c08f910c0227925fef35d4d9a46ceeebe410d332326d0f2364b020dcb8de8253a9d2a9c6223e147d557369d1fa6eddf2
- Filesize: 3.4MB
  MD5: b4f7243af03b1dd769ff9240ac5efa9e
  SHA1: 4c33f4480a4ca13c434fe04d9f5a37cfb2691c37
  SHA256: e871c13560d924fe7adceb03e49b233127c970a4855fa607913778581fbde45e
  SHA512: c49ceddf726d6eefdb21573ccb5895089b0f28d1f411272bff5d86cb64b70d7535c9bf561e127c7d5a260adb482a33c26ee85d55f18938c2c43b3675fa725d6d