Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 23:14
Static task: static1
Behavioral task: behavioral1
- Sample: abf032725f28af53d269fc015868a851_JaffaCakes118.dll
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: abf032725f28af53d269fc015868a851_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: abf032725f28af53d269fc015868a851_JaffaCakes118.dll
- Size: 5.0MB
- MD5: abf032725f28af53d269fc015868a851
- SHA1: 48e4c783445841ff3e67b1ae000e37f32a8bb611
- SHA256: 880ad069bad63c6d65ec14d92cf84110a86922d19d1fda0c31585d06a0f65a7e
- SHA512: a50763dde1bcc363d47821baf6e8b6b56aa306970d718a816fb046f84188938851e3f6667d56d5fac69f5f2b41867db47c3b1bc18bd5ca3896a56ee8b59e36cd
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5RmI3R8yAVp2H:+DqPe1Cxcxk3ZAEUadPR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3236) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  2056 mssecsvc.exe
  3044 mssecsvc.exe
  2736 tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  All by mssecsvc.exe:
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{000CDB81-6B7A-4701-A42A-CADE1503F99A}\WpadDecision = "0"
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-79-66-c3-c8-b4
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-79-66-c3-c8-b4\WpadDecision = "0"
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{000CDB81-6B7A-4701-A42A-CADE1503F99A}
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f004a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{000CDB81-6B7A-4701-A42A-CADE1503F99A}\WpadDecisionTime = d08f9f9bb0beda01
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{000CDB81-6B7A-4701-A42A-CADE1503F99A}\86-79-66-c3-c8-b4
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-79-66-c3-c8-b4\WpadDecisionReason = "1"
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{000CDB81-6B7A-4701-A42A-CADE1503F99A}\WpadNetworkName = "Network 3"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-79-66-c3-c8-b4\WpadDecisionTime = d08f9f9bb0beda01
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{000CDB81-6B7A-4701-A42A-CADE1503F99A}\WpadDecisionReason = "1"
- Suspicious use of WriteProcessMemory (11 IoCs)
  Source PID (process) -> target PID (process), repeated events collapsed:
  2108 (rundll32.exe) wrote to memory of 2060 (rundll32.exe): 7 events
  2060 (rundll32.exe) wrote to memory of 2056 (mssecsvc.exe): 4 events
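The two fan-out signatures above ("Contacts a large (3236) amount of remote hosts", "Creates a large amount of network flows") are threshold heuristics over connection records. The following is an added example, not part of the sandbox report or its tooling, of the same check applied to constructed flow records: per (source host, destination port) it counts distinct destination hosts inside a sliding time window and raises one alert the first time the count reaches a threshold. The window, threshold, addresses, port numbers and timestamps are all assumptions.

```python
"""Flag sources that fan out to many distinct peers inside a short window.

Added example; not part of the sandbox report or its tooling. Window,
threshold, addresses, ports and timestamps are assumptions / constructed data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds since start of capture
    src: str    # source host
    dst: str    # destination host
    dport: int  # destination port


@dataclass(frozen=True)
class FanoutAlert:
    src: str
    dport: int
    distinct_hosts: int
    window_start: float
    window_end: float


def detect_fanout(flows: Iterable[Flow], window_s: float = 60.0,
                  threshold: int = 50) -> List[FanoutAlert]:
    """Return one alert per (src, dport) whose distinct destination hosts
    within any window_s-long window reach `threshold`. Input may be unsorted."""
    ordered = sorted(flows, key=lambda f: f.ts)
    recent: Dict[Tuple[str, int], Deque[Flow]] = defaultdict(deque)
    alerted: Set[Tuple[str, int]] = set()
    alerts: List[FanoutAlert] = []
    for f in ordered:
        key = (f.src, f.dport)
        q = recent[key]
        q.append(f)
        # Evict flows that fell out of the window ending at this flow.
        while q and f.ts - q[0].ts > window_s:
            q.popleft()
        if key in alerted:
            continue  # one alert per key is enough for triage
        hosts = {x.dst for x in q}
        if len(hosts) >= threshold:
            alerted.add(key)
            alerts.append(FanoutAlert(f.src, f.dport, len(hosts), q[0].ts, f.ts))
    return alerts


def constructed_flows() -> List[Flow]:
    """Constructed sample: 10.0.0.50 sweeps 200 hosts on tcp/445 in 20 s
    (worm-style fan-out; the port is an assumption), while 10.0.0.7 makes 30
    HTTPS connections to three hosts, an ordinary client pattern."""
    flows = [Flow(100.0 + i * 0.1, "10.0.0.50", f"10.0.0.{i}", 445)
             for i in range(1, 201)]
    flows += [Flow(100.0 + i * 2.0, "10.0.0.7", f"203.0.113.{i % 3 + 1}", 443)
              for i in range(30)]
    return flows


if __name__ == "__main__":
    for a in detect_fanout(constructed_flows()):
        print(f"{a.src} reached {a.distinct_hosts} hosts on port {a.dport} "
              f"between t={a.window_start:.1f}s and t={a.window_end:.1f}s")
```

Keying on (source, destination port) rather than on the source alone is deliberate: a worm probing one service across many hosts produces a tall count on a single port, while a busy client spreads its connections across ports and a handful of hosts. The report's 3236 hosts were counted over the whole 151 s run; the 60 s window and threshold of 50 used here are starting points to tune against baseline traffic, not values taken from the report.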
Processes
- C:\Windows\system32\rundll32.exe (PID 2108)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\abf032725f28af53d269fc015868a851_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2060)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\abf032725f28af53d269fc015868a851_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2056)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2736)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 3044)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
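The "Drops file in Windows directory" IoCs (rundll32.exe writes C:\WINDOWS\mssecsvc.exe, mssecsvc.exe writes C:\WINDOWS\tasksche.exe) and the "Executes dropped EXE" hits (PIDs 2056, 3044, 2736) are two halves of one correlation: an executable written during the run is later launched. The following is an added example, not part of the sandbox report or its tooling, that performs that correlation over file-create and process-create records and reconstructs the parent chain shown in the tree above. The records are constructed in a Sysmon-like shape from the paths and PIDs the report lists; the timestamps, record layout and function names are this example's own assumptions.

```python
r"""Correlate file-create and process-create events: "executes dropped EXE".

Added example; not part of the sandbox report or its tooling. Timestamps,
record layout and function names are assumptions; paths and PIDs come from
the report.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Union


@dataclass(frozen=True)
class FileCreate:
    ts: float
    pid: int        # process that wrote the file
    image: str      # its image path
    target: str     # path written


@dataclass(frozen=True)
class ProcessCreate:
    ts: float
    pid: int
    image: str
    parent_pid: Optional[int]   # None when the parent is outside the trace
    cmdline: str


Event = Union[FileCreate, ProcessCreate]


@dataclass(frozen=True)
class DroppedExecution:
    image: str
    pid: int
    parent_pid: Optional[int]
    writer_pid: int
    writer_image: str
    delay_s: float   # seconds between the write and the launch


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; the report itself records both
    # C:\WINDOWS and C:\Windows for the same directory.
    return path.replace("/", "\\").lower()


def find_dropped_executions(events: Iterable[Event]) -> List[DroppedExecution]:
    """Every process-create whose image was written earlier in the same trace."""
    written: Dict[str, FileCreate] = {}   # normalized path -> latest writer
    hits: List[DroppedExecution] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if isinstance(e, FileCreate):
            written[_norm(e.target)] = e
            continue
        fc = written.get(_norm(e.image))
        if fc is not None:
            hits.append(DroppedExecution(e.image, e.pid, e.parent_pid,
                                         fc.pid, fc.image, e.ts - fc.ts))
    return hits


def lineage(events: Iterable[Event], pid: int) -> List[int]:
    """Parent chain [pid, parent, grandparent, ...] up to the first unknown parent."""
    parents = {e.pid: e.parent_pid for e in events if isinstance(e, ProcessCreate)}
    chain: List[int] = []
    cur: Optional[int] = pid
    while cur is not None and cur not in chain:   # guard against PID-reuse loops
        chain.append(cur)
        cur = parents.get(cur)
    return chain


DLL = r"C:\Users\Admin\AppData\Local\Temp\abf032725f28af53d269fc015868a851_JaffaCakes118.dll"

# Constructed from the report's process tree and "Drops file" IoCs; timestamps are invented.
SAMPLE_EVENTS: List[Event] = [
    ProcessCreate(0.0, 2108, r"C:\Windows\system32\rundll32.exe", None, f"rundll32.exe {DLL},#1"),
    ProcessCreate(0.2, 2060, r"C:\Windows\SysWOW64\rundll32.exe", 2108, f"rundll32.exe {DLL},#1"),
    FileCreate(0.5, 2060, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcessCreate(0.6, 2056, r"C:\WINDOWS\mssecsvc.exe", 2060, r"C:\WINDOWS\mssecsvc.exe"),
    FileCreate(1.0, 2056, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\tasksche.exe"),
    ProcessCreate(1.1, 2736, r"C:\WINDOWS\tasksche.exe", 2056, r"C:\WINDOWS\tasksche.exe /i"),
    # Second mssecsvc.exe instance; the report shows it as its own tree root.
    ProcessCreate(2.0, 3044, r"C:\WINDOWS\mssecsvc.exe", None, r"C:\WINDOWS\mssecsvc.exe -m security"),
]


if __name__ == "__main__":
    for h in find_dropped_executions(SAMPLE_EVENTS):
        print(f"PID {h.pid} ran {h.image}, written {h.delay_s:.1f}s earlier by "
              f"PID {h.writer_pid} ({h.writer_image}); lineage {lineage(SAMPLE_EVENTS, h.pid)}")
```

Normalising paths before matching matters because the sandbox records C:\WINDOWS and C:\Windows for the same directory; a case-sensitive comparison would miss the two mssecsvc.exe launches. The second instance (PID 3044) has no parent in the trace, which is also how the report's tree shows it, so it is reported with a one-element lineage rather than dropped.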
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: b913771f5dc971501b8e10ff32e5f6eb
  SHA1: 968d79a771dc7ac3e96c27a7728039dc41b55b4a
  SHA256: 11b31780543201d8eb3a3540240842087b05aa85782a8fcbd921d882c5d1bc3a
  SHA512: 3a629c67d86dc8c26b73c85e1214aa7aad3d09257d84507c1ecd7d75cf9e4c2cb365d54db8a76ccaafa90513f5f4528f6eba7ffd467b265bc41fd041fdc4dfe4
- Filesize: 3.4MB
  MD5: 42c8c77f3c2fb50b6bfef06f45b666e4
  SHA1: f849baf0a54d5612ed9d627965a25eb338cea1ae
  SHA256: efb903786b443496b9e18384b657d7fdaae7afe92d276a834867bffd00c10f1a
  SHA512: 20635978a8f975a8e2ca80cf34a4d952944047b3e3d2deb07be39ceb22b7b8bacf9a58071283a933865707f77319412f3c79970232b11edf9531d18e1922521c