Analysis

- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 04:46
Static task: static1

Behavioral task: behavioral1
- Sample: a80b33ae1ceefbf0d864b297761c85dd_JaffaCakes118.dll
- Resource: win7-20240611-en

Behavioral task: behavioral2
- Sample: a80b33ae1ceefbf0d864b297761c85dd_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General

- Target: a80b33ae1ceefbf0d864b297761c85dd_JaffaCakes118.dll
- Size: 5.0MB
- MD5: a80b33ae1ceefbf0d864b297761c85dd
- SHA1: 39c8486ebd2bf7052c886f84d1fa6c4c3fc4f013
- SHA256: a00b12e44cb4c3318330762c1e8ee9e2614867c4447b49b265a7634e4e852861
- SHA512: fddc01dcd3d53abba313bf531a0ff39362c908047c6b043b5f11b212c8e7e94ae80f0889b5ffc6f3b1eb6f8371d4fc4657a01225ef13fc72937548672d08cf1a
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626:SnAQqMSPbcBVQej/1INR
Malware Config
Signatures
- Wannacry
  WannaCry is a self-propagating ransomware cryptoworm.

- Contacts a large number (3318) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes:
    PID 2588  mssecsvc.exe
    PID 2032  mssecsvc.exe
    PID 832   tasksche.exe

- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Drops file in System32 directory (1 IoC)
  Processes:
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  (mssecsvc.exe)
  This path is the WinINet cache of the system profile, which is where it lands when the writing process runs in the SYSTEM context rather than under an interactive user.

- Drops file in Windows directory (2 IoCs)
  Processes:
    File created  C:\WINDOWS\mssecsvc.exe  (rundll32.exe)
    File created  C:\WINDOWS\tasksche.exe  (mssecsvc.exe)

- Modifies data under HKEY_USERS (24 IoCs)
  Processes (all by mssecsvc.exe):
    Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8C4771B3-6C57-4883-B23F-4833CE0DDB80}
    Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8C4771B3-6C57-4883-B23F-4833CE0DDB80}\WpadDecisionTime = d0050fd915beda01
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8C4771B3-6C57-4883-B23F-4833CE0DDB80}\WpadDecision = "0"
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-e7-f1-18-ba-f8\WpadDecision = "0"
    Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8C4771B3-6C57-4883-B23F-4833CE0DDB80}\b6-e7-f1-18-ba-f8
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-e7-f1-18-ba-f8\WpadDecisionReason = "1"
    Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-e7-f1-18-ba-f8\WpadDecisionTime = d0050fd915beda01
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8C4771B3-6C57-4883-B23F-4833CE0DDB80}\WpadDecisionReason = "1"
    Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8C4771B3-6C57-4883-B23F-4833CE0DDB80}\WpadNetworkName = "Network 3"
    Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-e7-f1-18-ba-f8
  These are the proxy/WPAD and cache keys WinINet initialises the first time a process makes an HTTP request; they sit under HKEY_USERS\.DEFAULT because the writing process (mssecsvc.exe, PID 2032, started with "-m security") is running in the SYSTEM context, not under the logged-on user's hive.

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 2468 (rundll32.exe) wrote to memory of PID 2892 (rundll32.exe)   7 calls
    PID 2892 (rundll32.exe) wrote to memory of PID 2588 (mssecsvc.exe)   4 calls
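The two network signatures above ("Contacts a large number of remote hosts", "Creates a large number of network flows") are the sandbox's view of the WannaCry worm component sweeping TCP/445 looking for SMB targets. The check a practitioner wants from their own flow data is the same one the sandbox makes: how many distinct peers does one source reach on one port inside a short window? The following is an added example, not code from the sandbox or the report; the flow records, addresses, the 60-second window and the threshold of 100 distinct peers are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def make_sample_flows():
    """Constructed flow records (NOT from the sandbox report): (timestamp, src, dst, dport).

    One host sweeps TCP/445 across a /16 the way the WannaCry worm component does;
    a second host makes ordinary connections to a few servers. Addresses and
    timings are invented for the example."""
    base = datetime(2024, 6, 14, 4, 46, 0)
    flows = []
    # Infected host: 300 distinct targets on port 445 within a few seconds.
    for i in range(300):
        flows.append((base + timedelta(milliseconds=20 * i),
                      "10.1.2.50", f"10.1.{i // 254}.{i % 254 + 1}", 445))
    # Benign host: repeated connections to the same three servers.
    servers = [("10.1.0.5", 445), ("10.1.0.9", 443), ("93.184.216.34", 80)]
    for i in range(40):
        dst, port = servers[i % 3]
        flows.append((base + timedelta(seconds=i), "10.1.2.51", dst, port))
    return flows


def fan_out(flows, dport=445, window=timedelta(seconds=60)):
    """Return {src: max number of distinct dsts contacted on `dport` within any
    `window`}. A sliding window is used so a scan is measured at its peak rate
    rather than diluted by averaging over the whole capture."""
    per_src = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        if port == dport:
            per_src[src].append((ts, dst))
    result = {}
    for src, events in per_src.items():
        seen = defaultdict(int)   # dst -> number of events currently inside the window
        start, best = 0, 0
        for ts, dst in events:
            seen[dst] += 1
            # Evict events that have fallen out of the window.
            while ts - events[start][0] > window:
                old = events[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            best = max(best, len(seen))
        result[src] = best
    return result


def flag_scanners(flows, threshold=100):
    """Sources that reached `threshold` distinct TCP/445 peers inside one window.
    The threshold is an assumed tuning value; a file server legitimately talks to
    many clients on 445, so baseline it per host role before alerting."""
    return sorted(src for src, n in fan_out(flows).items() if n >= threshold)


if __name__ == "__main__":
    flows = make_sample_flows()
    for src, n in sorted(fan_out(flows).items()):
        print(f"{src}: {n} distinct TCP/445 peers in a 60s window")
    print("flagged:", flag_scanners(flows))
```

The sliding window matters: a worm that reaches 3318 hosts in a 150-second run is obvious, but the same logic applied to hourly averages would miss a slower sweep. Direction is also worth keeping in mind: the sandbox counts outbound connections initiated by the sample, so the detection is on sources, not destinations.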
Processes

- Image: C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a80b33ae1ceefbf0d864b297761c85dd_JaffaCakes118.dll,#1
  PID: 2468
  - Suspicious use of WriteProcessMemory
  - Image: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a80b33ae1ceefbf0d864b297761c85dd_JaffaCakes118.dll,#1
    PID: 2892
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - Image: C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2588
      - Executes dropped EXE
      - Drops file in Windows directory
      - Image: C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 832
        - Executes dropped EXE

- Image: C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2032
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
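The process tree above is the classic WannaCry dropper chain: the 64-bit rundll32.exe hands the 32-bit DLL to the SysWOW64 rundll32.exe (export ordinal #1), which writes mssecsvc.exe into the Windows root and runs it; that instance drops tasksche.exe and launches it with /i, while a second mssecsvc.exe runs with "-m security", the argument the worm component is started with as a service. Each hop is a parent/child relationship that process-creation telemetry records, so the chain can be matched from PPIDs and command lines alone. The following is an added example, not code from the sandbox or the report: the PIDs, images and command lines of the five malicious events are copied from the tree above, while the parent PIDs of the two roots (1200 and 480), the benign rundll32.exe event (PID 3100), the placeholder file event and the rule thresholds are constructed assumptions.

```python
import re

# Constructed process-creation events (Sysmon event 1 style), NOT the report's raw
# telemetry. PIDs, images and command lines for 2468/2892/2588/832/2032 are copied
# from the report's process tree; the root parent PIDs (1200, 480) and the benign
# rundll32.exe event (PID 3100) are invented for the example.
DLL = r"C:\Users\Admin\AppData\Local\Temp\a80b33ae1ceefbf0d864b297761c85dd_JaffaCakes118.dll"
EVENTS = [
    {"pid": 2468, "ppid": 1200, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": f"rundll32.exe {DLL},#1"},
    {"pid": 2892, "ppid": 2468, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": f"rundll32.exe {DLL},#1"},
    {"pid": 2588, "ppid": 2892, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 832, "ppid": 2588, "image": r"C:\WINDOWS\tasksche.exe",
     "cmd": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 2032, "ppid": 480, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmd": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"pid": 3100, "ppid": 1200, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},   # benign Control Panel applet
]

# Constructed file-creation events; the first hash is the submitted DLL's SHA256
# from the report, the second is a placeholder for a clean file.
FILE_EVENTS = [
    {"path": DLL, "sha256": "a00b12e44cb4c3318330762c1e8ee9e2614867c4447b49b265a7634e4e852861"},
    {"path": r"C:\Windows\System32\notepad.exe", "sha256": "0" * 64},
]

# SHA256 values published in the report: submitted DLL and the two dropped files.
REPORT_SHA256 = {
    "a00b12e44cb4c3318330762c1e8ee9e2614867c4447b49b265a7634e4e852861",
    "b0ab77621ba7362b29d29acd42f79e5a03748c3b0e73791e2a4f33b938e10279",
    "3f611d1e66c61213948d31e9e67c263cd87c24fbb8373d923bf6408b2ddaecf2",
}


def _base(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


# Each rule: (description, predicate(event, parent_event_or_None)).
RULES = [
    ("rundll32.exe loads a DLL from a user Temp directory by export ordinal",
     lambda e, p: _base(e["image"]) == "rundll32.exe"
                  and re.search(r"\\AppData\\Local\\Temp\\[^ ]+\.dll,#\d+", e["cmd"], re.I)),
    ("rundll32.exe spawns an executable dropped directly under C:\\Windows",
     lambda e, p: p is not None and _base(p["image"]) == "rundll32.exe"
                  and re.fullmatch(r"C:\\Windows\\[^\\]+\.exe", e["image"], re.I)),
    ("mssecsvc.exe launches tasksche.exe /i (WannaCry installer stage)",
     lambda e, p: p is not None and _base(p["image"]) == "mssecsvc.exe"
                  and _base(e["image"]) == "tasksche.exe" and "/i" in e["cmd"].split()),
    ("mssecsvc.exe runs with '-m security' (WannaCry service entry point)",
     lambda e, p: _base(e["image"]) == "mssecsvc.exe"
                  and e["cmd"].lower().split()[-2:] == ["-m", "security"]),
]


def detect_wannacry_chain(events):
    """Evaluate every event against RULES with its parent resolved by PPID.
    Returns [(pid, description), ...] in event order."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        for desc, pred in RULES:
            if pred(e, parent):
                findings.append((e["pid"], desc))
    return findings


def lineage(events, pid):
    """Walk PPIDs upward and return image names from `pid` to its root
    (stops at an unknown PPID or a PID cycle caused by reuse)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_base(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def match_report_hashes(file_events):
    """Paths of file events whose SHA256 is one of the report's IoC hashes."""
    return [f["path"] for f in file_events if f["sha256"].lower() in REPORT_SHA256]


if __name__ == "__main__":
    for pid, desc in detect_wannacry_chain(EVENTS):
        print(f"PID {pid}: {desc}")
    print("lineage of 832:", " <- ".join(lineage(EVENTS, 832)))
    print("IoC hash hits:", match_report_hashes(FILE_EVENTS))
```

The rules are deliberately behavioural rather than name-based where they can be: a DLL run by ordinal out of a user's Temp directory and rundll32.exe writing and starting an executable in the Windows root both fire regardless of what the dropped file is called, whereas the tasksche.exe and "-m security" rules are specific to this family and only corroborate. Note that the "-m security" instance (PID 2032) has no parent in the tree above because the sandbox did not capture the service control manager launching it, so a rule that required a malicious parent would miss the worm component entirely; matching it on its own command line is what catches it.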
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3.6MB
  MD5: 466986e368d9ed44c708aae2c707578c
  SHA1: 462b6d41fd4d26fc0f87a91c553730a50efb9b62
  SHA256: b0ab77621ba7362b29d29acd42f79e5a03748c3b0e73791e2a4f33b938e10279
  SHA512: 67dde24c20874dacb5d2c003096fba9c4f0e081ac0c578c6ecdbfbdb8c4fbd3aa2aae8d5da9238109af32b576c89fea17f5bba35cb9e3e8b10405f7c3b892024

- Filesize: 3.4MB
  MD5: 3cb84024a4143e76401de7b8c5e0fbf5
  SHA1: e7a88ee92809a399cf6a0ddf0e363b9649e99614
  SHA256: 3f611d1e66c61213948d31e9e67c263cd87c24fbb8373d923bf6408b2ddaecf2
  SHA512: b0d732e436a1e7dd67bf47b02ff16272ce81defd83afb0edb595e3cbb76e801687d399950bf454b3a9fd6c77ebfe278e3a31dee59e5002859c2e06c280732b39