Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
14-06-2024 02:06
Static task
static1
Behavioral task
behavioral1
Sample
a7ad39749481cbe97852995ca17dc79f_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a7ad39749481cbe97852995ca17dc79f_JaffaCakes118.dll
Resource
win10v2004-20240611-en
General
-
Target
a7ad39749481cbe97852995ca17dc79f_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
a7ad39749481cbe97852995ca17dc79f
-
SHA1
71be9aab613b8323377213ab2d0f1b27eb3b7777
-
SHA256
1fe8c9aa6cae51464d6a30e49758c0a7bdef1766b5e7f0fbc03468fc5018583c
-
SHA512
5f52ebc4eef192b98a665992fd8692857c97df63962396614c9bce1852fe8e8cb1936c3af1404acd92462d1d28c2860ea4e395f6152ed4805220fb3b0257b150
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRdSqTdX1HkQo6SAARdhgFEnAEYc8c6Ri5WN6njF2nAEYH:+DqPoBhz1aRdSUDk36SAEdhn
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3331) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
PID | Process
3020 | mssecsvc.exe
2540 | mssecsvc.exe
2672 | tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
Description | IoC | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes:
Description | IoC | Process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
-
Modifies data under HKEY_USERS 24 IoCs
Processes:
Description | IoC | Process
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00eb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-3a-ff-9b-33-9c\WpadDecision = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{52762615-43A3-422F-A9D9-1D71310E9262}\WpadDecisionTime = 1057e78affbdda01 | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-3a-ff-9b-33-9c\WpadDecisionTime = 1057e78affbdda01 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{52762615-43A3-422F-A9D9-1D71310E9262}\WpadNetworkName = "Network 3" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-3a-ff-9b-33-9c\WpadDecisionReason = "1" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{52762615-43A3-422F-A9D9-1D71310E9262}\WpadDecisionReason = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{52762615-43A3-422F-A9D9-1D71310E9262}\WpadDecision = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-3a-ff-9b-33-9c | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{52762615-43A3-422F-A9D9-1D71310E9262}\de-3a-ff-9b-33-9c | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{52762615-43A3-422F-A9D9-1D71310E9262} | mssecsvc.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
PID | Process | Target PID | Target process | Events
2944 | rundll32.exe | 1652 | rundll32.exe | 7
1652 | rundll32.exe | 3020 | mssecsvc.exe | 4
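The two network signatures above ("Contacts a large (3331) amount of remote hosts" and "Creates a large amount of network flows") are fan-out heuristics: one process reaching an unusual number of distinct remote hosts in a short time. The script below, added here as an example and not code from the sandbox, implements that heuristic over a flow log. The record layout, the thresholds and the sample flows are assumptions; the sample scanner uses TCP 445 because that is the port WannaCry is known to sweep, but the report itself only states the host count.

```python
"""Fan-out heuristic: per (process, destination port), count the distinct
remote hosts contacted inside a sliding time window and report pairs that
cross a threshold.  Added example; record layout, thresholds and sample
flows are assumptions, not the sandbox's own code or data."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since the start of the capture
    pid: int
    image: str
    dst_ip: str
    dst_port: int


def find_scanners(flows, host_threshold=100, window_seconds=30.0):
    """Return {(pid, image, dst_port): peak_distinct_hosts} for every
    (process, port) pair that reached host_threshold distinct remote hosts
    within some span of window_seconds.  Flows are walked in time order; a
    per-key deque holds the (ts, dst_ip) pairs still inside the window and a
    per-key counter tracks how many in-window flows hit each host."""
    windows = defaultdict(deque)                       # key -> deque[(ts, ip)]
    in_window = defaultdict(lambda: defaultdict(int))  # key -> ip -> count
    peak = {}
    for f in sorted(flows, key=lambda f: f.ts):
        key = (f.pid, f.image, f.dst_port)
        q, counts = windows[key], in_window[key]
        # drop flows that have aged out of the window
        while q and f.ts - q[0][0] > window_seconds:
            _, old_ip = q.popleft()
            counts[old_ip] -= 1
            if counts[old_ip] == 0:
                del counts[old_ip]
        q.append((f.ts, f.dst_ip))
        counts[f.dst_ip] += 1
        distinct = len(counts)
        if distinct >= host_threshold and distinct > peak.get(key, 0):
            peak[key] = distinct
    return peak


def constructed_flows():
    """Synthetic flow log, constructed for this example.  PID 2540 stands in
    for the mssecsvc.exe service process and sweeps a /24 on TCP 445 (port is
    an assumption; the report only gives the host count).  PID 1200 is a
    browser talking to six hosts on 443 and must not be flagged."""
    flows = []
    for i, host in enumerate(ip_network("10.0.5.0/24").hosts()):  # 254 hosts
        flows.append(Flow(i / 20, 2540, "mssecsvc.exe", str(host), 445))  # 20/s
    for i in range(5):
        for j in range(6):
            flows.append(Flow(1.0 + 7 * i, 1200, "chrome.exe",
                              f"93.184.216.{j}", 443))
    return flows


if __name__ == "__main__":
    for (pid, image, port), n in find_scanners(constructed_flows()).items():
        print(f"pid {pid} {image}: {n} distinct hosts on tcp/{port}")
```

The threshold and window are tuning knobs: a short window with a high threshold catches a fast sweep like the one in this report, while a long window is needed for slow scanners. Keying on destination port as well as process keeps a browser that legitimately touches many hosts on 443 from colliding with an SMB sweep on 445 from the same machine.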
Processes
-
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7ad39749481cbe97852995ca17dc79f_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:2944
  └ C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a7ad39749481cbe97852995ca17dc79f_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID:1652
      └ C:\WINDOWS\mssecsvc.exe
          Command line: C:\WINDOWS\mssecsvc.exe
          - Executes dropped EXE
          - Drops file in Windows directory
          PID:3020
          └ C:\WINDOWS\tasksche.exe
              Command line: C:\WINDOWS\tasksche.exe /i
              - Executes dropped EXE
              PID:2672
-
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2540
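The process tree above is the part of this report that turns most directly into a detection: rundll32.exe loading a DLL from the user's Temp directory by ordinal (",#1"), spawning a second rundll32.exe, which writes and runs C:\WINDOWS\mssecsvc.exe, which in turn runs tasksche.exe /i; and a separate mssecsvc.exe started with "-m security". The script below is an added example, not code from the sandbox or from the malware. It matches ordered ancestry chains over process-creation events. The event layout mimics Sysmon Event ID 1 field names; the events are constructed from the PIDs and command lines in the tree above, and the parent PIDs of the two tree roots (1400 and 600) plus the benign rundll32.exe event are assumptions.

```python
"""Ancestry-chain detection for the launch sequence in the process tree above.
Added example.  Events mimic Sysmon Event ID 1 fields (ProcessId,
ParentProcessId, Image, CommandLine) and are constructed from the report's
tree; parent PIDs 1400/600 and the benign rundll32.exe event are assumptions."""
import re

DLL = r"C:\Users\Admin\AppData\Local\Temp\a7ad39749481cbe97852995ca17dc79f_JaffaCakes118.dll"

# Constructed events: the two trees from the report plus one benign rundll32 call.
EVENTS = [
    {"ProcessId": 2944, "ParentProcessId": 1400,   # 1400: assumed explorer.exe
     "Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": f"rundll32.exe {DLL},#1"},
    {"ProcessId": 1652, "ParentProcessId": 2944,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": f"rundll32.exe {DLL},#1"},
    {"ProcessId": 3020, "ParentProcessId": 1652,
     "Image": r"C:\WINDOWS\mssecsvc.exe", "CommandLine": r"C:\WINDOWS\mssecsvc.exe"},
    {"ProcessId": 2672, "ParentProcessId": 3020,
     "Image": r"C:\WINDOWS\tasksche.exe", "CommandLine": r"C:\WINDOWS\tasksche.exe /i"},
    {"ProcessId": 2540, "ParentProcessId": 600,    # 600: assumed services.exe
     "Image": r"C:\WINDOWS\mssecsvc.exe",
     "CommandLine": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"ProcessId": 3300, "ParentProcessId": 1400,   # benign: named export, system DLL
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Each rule is a list of (image_regex, cmdline_regex_or_None) steps, ordered from
# the process being evaluated upward through its parents.  Regexes are
# case-insensitive because Windows paths are (C:\WINDOWS vs C:\Windows above).
RULES = {
    "wannacry_dropper_chain": [
        (r"\\tasksche\.exe$", r"\s/i$"),
        (r"\\mssecsvc\.exe$", None),
        (r"\\rundll32\.exe$", r"\.dll,#1$"),
    ],
    "rundll32_temp_dll_ordinal": [
        (r"\\rundll32\.exe$", r"\\AppData\\Local\\Temp\\[^ ]+\.dll,#\d+$"),
    ],
    "mssecsvc_service_mode": [
        (r"\\mssecsvc\.exe$", r"\s-m security$"),
    ],
}


def match_chain(event, by_pid, steps):
    """True if event and its successive parents satisfy steps in order.
    A missing parent (not in telemetry) or a PID cycle fails the match."""
    cur, seen = event, set()
    for image_re, cmd_re in steps:
        if cur is None or cur["ProcessId"] in seen:
            return False
        seen.add(cur["ProcessId"])
        if not re.search(image_re, cur["Image"], re.IGNORECASE):
            return False
        if cmd_re and not re.search(cmd_re, cur["CommandLine"], re.IGNORECASE):
            return False
        cur = by_pid.get(cur["ParentProcessId"])
    return True


def detect(events, rules=RULES):
    """Evaluate every rule against every event; return sorted (rule, pid) hits."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = [(name, e["ProcessId"])
            for e in events for name, steps in rules.items()
            if match_chain(e, by_pid, steps)]
    return sorted(hits)


if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print(f"{name}: pid {pid}")
```

The chain rule is anchored at the leaf (tasksche.exe /i) and walks upward, so it only fires when the whole sequence is present in telemetry; if the intermediate mssecsvc.exe creation event is missing, the rule stays silent and the two single-step rules carry the detection. The ordinal-export rule is deliberately broader than this sample: rundll32.exe loading a DLL out of a user Temp directory by ordinal is suspicious on its own, whereas the benign shell32.dll,Control_RunDLL call is left alone.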
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.6MB
MD5
a25bece31e4c4348c705d61b775cb557
SHA1
8287bbd0daffbcfeb3c651f949dc665b20f47fc9
SHA256
fe8c7e7fe819bf178af0977c36932acaf9b2af904accfd6eff67d436ac4e57c5
SHA512
57d812790a778f99b95df24bf303c980bb91b56be5916302e879a82158fb7158367c0167b9a9198fd78dc1a57e1bac1692e236b89c8ab6c46720b698e84bb171
-
Filesize
3.4MB
MD5
b8c04e629eb09b7ec4ddc4bb4fa4d4ff
SHA1
3e71fa5abc40f30e8eea5a3af92e3eec17df9376
SHA256
3802abe3243ffcbfbb8dba64faca34b985b0d07981eb56cbd31b6884ea46c0bc
SHA512
11b5e1fb2abecef2e5b54871c0549e710c9509c264cfd3423de5ef727cbd67a2e9bf96e9c5935ff2a0ee2461dafd2b77e4c55365dca9715d9edf21f6e86ba326