Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 14-06-2024 12:06
Static task: static1
Behavioral task: behavioral1
- Sample: a9981f085be37a7911978dadd3596379_JaffaCakes118.dll
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: a9981f085be37a7911978dadd3596379_JaffaCakes118.dll
- Resource: win10v2004-20240611-en
General
- Target: a9981f085be37a7911978dadd3596379_JaffaCakes118.dll
- Size: 5.0MB
- MD5: a9981f085be37a7911978dadd3596379
- SHA1: f79c43f6032339d9c3845f3188f15010311c173e
- SHA256: 46fb5d108b98f5d7ba3e3d9d8eb47078d5de6e4a93a2a15ba35038cd9eac7416
- SHA512: 6befc04ee4562ef8757d9443b58b26eaf95e1af430cf25b3e7face5a05a40cb774565a8b3035a346bcc2a002a49b1f5dfa4bf16ef4614e351ce4f7e543d83f03
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5K3R8yAVp2:+DqPe1Cxcxk3ZAEUadeR8yc4
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3230) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
1632 | mssecsvc.exe
2252 | mssecsvc.exe
2708 | tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
-
Modifies data under HKEY_USERS 24 IoCs
Processes:
description | ioc | process
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9B58EE2C-72D8-44A0-B9D6-C6E7DFAEE833}\WpadDecisionTime = 204d0c5c53beda01 | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-71-55-44-92-e4\WpadDecisionTime = 204d0c5c53beda01 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-71-55-44-92-e4\WpadDecision = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9B58EE2C-72D8-44A0-B9D6-C6E7DFAEE833}\WpadDecisionReason = "1" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9B58EE2C-72D8-44A0-B9D6-C6E7DFAEE833}\WpadNetworkName = "Network 3" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9B58EE2C-72D8-44A0-B9D6-C6E7DFAEE833} | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9B58EE2C-72D8-44A0-B9D6-C6E7DFAEE833}\WpadDecision = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-71-55-44-92-e4 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9B58EE2C-72D8-44A0-B9D6-C6E7DFAEE833}\26-71-55-44-92-e4 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0058000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-71-55-44-92-e4\WpadDecisionReason = "1" | mssecsvc.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
description | pid | process | target process
PID 1876 wrote to memory of 1448 | 1876 | rundll32.exe | rundll32.exe
PID 1876 wrote to memory of 1448 | 1876 | rundll32.exe | rundll32.exe
PID 1876 wrote to memory of 1448 | 1876 | rundll32.exe | rundll32.exe
PID 1876 wrote to memory of 1448 | 1876 | rundll32.exe | rundll32.exe
PID 1876 wrote to memory of 1448 | 1876 | rundll32.exe | rundll32.exe
PID 1876 wrote to memory of 1448 | 1876 | rundll32.exe | rundll32.exe
PID 1876 wrote to memory of 1448 | 1876 | rundll32.exe | rundll32.exe
PID 1448 wrote to memory of 1632 | 1448 | rundll32.exe | mssecsvc.exe
PID 1448 wrote to memory of 1632 | 1448 | rundll32.exe | mssecsvc.exe
PID 1448 wrote to memory of 1632 | 1448 | rundll32.exe | mssecsvc.exe
PID 1448 wrote to memory of 1632 | 1448 | rundll32.exe | mssecsvc.exe
Processes (process tree; the number in brackets is the depth in the tree)
[1] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9981f085be37a7911978dadd3596379_JaffaCakes118.dll,#1
    PID: 1876
    - Suspicious use of WriteProcessMemory
[2] C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9981f085be37a7911978dadd3596379_JaffaCakes118.dll,#1
    PID: 1448
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
[3] C:\WINDOWS\mssecsvc.exe
    command line: C:\WINDOWS\mssecsvc.exe
    PID: 1632
    - Executes dropped EXE
    - Drops file in Windows directory
[4] C:\WINDOWS\tasksche.exe
    command line: C:\WINDOWS\tasksche.exe /i
    PID: 2708
    - Executes dropped EXE
-
[1] C:\WINDOWS\mssecsvc.exe
    command line: C:\WINDOWS\mssecsvc.exe -m security
    PID: 2252
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: a6cf0063c310eff7191fba13053327e3
  SHA1: edc0de3f1e1e95bee18dcf2fbfe3ed1e41047c73
  SHA256: ebe23a239ca7be087cf17fe324379bb2f86fa1e2051b72e945254f83e453f1bf
  SHA512: 86d3e472de58185a6d0c763398c067bb1ecff20f848322a58aa5024435ffcc565f6de363b770960589b9223542fcf23379e9e00f2bfb98d70255c54425fb468c
- Filesize: 3.4MB
  MD5: 10257bc6a0be95ba773b16aa106767a3
  SHA1: 7c5a6de791c5791293b8ba9306f2cd1bd30dea8f
  SHA256: 342ce7cab19d9404536f07fa585da89adb3a86cb8bfedfba8fa32e60698a93e6
  SHA512: eaffdfed2de4da4727975a0c365ad636f6e842f724fe29840ad7bb4380c0cc32aa7ccbcb92a68013e798750b0e58f4c748df1a5bb9722aad3c07636d49e998b7