Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 10:44
Static task
- static1
Behavioral task
- behavioral1
  Sample: a941a68efba98916c3543124d545c929_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: a941a68efba98916c3543124d545c929_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: a941a68efba98916c3543124d545c929_JaffaCakes118.dll
- Size: 5.0MB
- MD5: a941a68efba98916c3543124d545c929
- SHA1: 4f6aab140aba41adfc5d221403f85a64db4ac2bc
- SHA256: 2b0d7eb0e2a1f3c200116060867fe80b0bfc88c666fd4a1cf7bf22e39f3aed61
- SHA512: 0436620adf71ae00b416e6676b94365ec210db79308df93653faba3565730626064a64f146f70b124f6743599efd0b97f69405ed4beeac15de1c4067847b3f81
- SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM:TDqPoBhz1aRxcSUDk36SAEdhvxW
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3174) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
  PID 2524  mssecsvc.exe
  PID 2580  mssecsvc.exe
  PID 2820  tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
-
Drops file in Windows directory 2 IoCs
Processes:
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
-
Modifies data under HKEY_USERS 24 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
  PID 2940 (rundll32.exe) wrote to memory of PID 2828 (rundll32.exe)  [7 entries]
  PID 2828 (rundll32.exe) wrote to memory of PID 2524 (mssecsvc.exe)  [4 entries]
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a941a68efba98916c3543124d545c929_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2940
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a941a68efba98916c3543124d545c929_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2828
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2524
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2820
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2580
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 4f462abe5292853d6328e356305de4be
  SHA1: 57944a10d863969799fcc190ff1c7ebc3d723e8f
  SHA256: 4b0c97e31fa57560606e1841305aec8e5983a4f0230d387e4a13dc7878cc958a
  SHA512: 733ec291b13b92bac78d6c5334e474714814ada0a3d94157852e11c9ae0279d4ddef67b2685dd217e01cc050773e6af46cdf8f663d1d36ca188f720cd68cf48a
- Filesize: 3.4MB
  MD5: 4560ce126cc34e33839f4bafbeb801b0
  SHA1: ad3d81e70e7206fa255c12cbd3f863dfb72fb12c
  SHA256: 5facb4bca8b6a43fcf064b33c80c8727633fdc2532b2e66402b5cd954109cde0
  SHA512: 1aa20fe3e776def514c3b6035ff17e19373d07f0f4d8a39144484b31a8ba6368357d9db07b99e544ed27f7ee4856fd4fe50fea7f5aa7e85e408da7645f036d03