Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted
14-06-2024 12:55
Static task
static1
Behavioral task
behavioral1
Sample
a9c83055748bd40c550c395f81f7738a_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a9c83055748bd40c550c395f81f7738a_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
a9c83055748bd40c550c395f81f7738a_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
a9c83055748bd40c550c395f81f7738a
-
SHA1
462d4bc5478bbd040f71897ccba2566bc4a2036f
-
SHA256
de61ad14bc39bc894068f5eefe3cf6ee3c4ccbf7efa8ff575a117300d6f9f62b
-
SHA512
0be57c58a1d948de216332cef13600af554a4e0f5d395ff92f51bc574dbd5d0d32ceeb19d5f0e4532fb972141cc93b7de01f0ea9d4b88ff261bed07c67a21f98
-
SSDEEP
98304:+DqPoBhz1aRxcSUDk36SAldhvxWa9P593R8yAVp2H:+DqPe1Cxcxk3ZAlUadzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3080) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
1272 | mssecsvc.exe
3068 | mssecsvc.exe
2664 | tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
-
Modifies data under HKEY_USERS 24 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fe000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74F07056-3ECC-4994-A29E-F82B83AFCFF0}\WpadDecisionReason = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74F07056-3ECC-4994-A29E-F82B83AFCFF0}\WpadDecision = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-5c-26-3d-aa-ea | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74F07056-3ECC-4994-A29E-F82B83AFCFF0}\aa-5c-26-3d-aa-ea | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-5c-26-3d-aa-ea\WpadDecisionTime = b0f75e185abeda01 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74F07056-3ECC-4994-A29E-F82B83AFCFF0} | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74F07056-3ECC-4994-A29E-F82B83AFCFF0}\WpadDecisionTime = b0f75e185abeda01 | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{74F07056-3ECC-4994-A29E-F82B83AFCFF0}\WpadNetworkName = "Network 3" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-5c-26-3d-aa-ea\WpadDecisionReason = "1" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-5c-26-3d-aa-ea\WpadDecision = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
description | pid | process | target process
PID 1288 wrote to memory of 1784 | 1288 | rundll32.exe | rundll32.exe
PID 1288 wrote to memory of 1784 | 1288 | rundll32.exe | rundll32.exe
PID 1288 wrote to memory of 1784 | 1288 | rundll32.exe | rundll32.exe
PID 1288 wrote to memory of 1784 | 1288 | rundll32.exe | rundll32.exe
PID 1288 wrote to memory of 1784 | 1288 | rundll32.exe | rundll32.exe
PID 1288 wrote to memory of 1784 | 1288 | rundll32.exe | rundll32.exe
PID 1288 wrote to memory of 1784 | 1288 | rundll32.exe | rundll32.exe
PID 1784 wrote to memory of 1272 | 1784 | rundll32.exe | mssecsvc.exe
PID 1784 wrote to memory of 1272 | 1784 | rundll32.exe | mssecsvc.exe
PID 1784 wrote to memory of 1272 | 1784 | rundll32.exe | mssecsvc.exe
PID 1784 wrote to memory of 1272 | 1784 | rundll32.exe | mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9c83055748bd40c550c395f81f7738a_JaffaCakes118.dll,#1
- Suspicious use of WriteProcessMemory
PID:1288
-
  C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a9c83055748bd40c550c395f81f7738a_JaffaCakes118.dll,#1
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1784
  -
    C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1272
    -
      C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      - Executes dropped EXE
      PID:2664
-
C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3068
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.6MB
MD5
344f053528ca89fa1dd9afd1bdf226be
SHA1
466a2e006d32f416174868a9d6cfef45c532bba5
SHA256
74d41a2b54476c3aa67dcfc278dc8602b597746eef49b200afbd74a8fad9dd0a
SHA512
f2e76d37945c3b7f3ee74dc577aa1ff6f96c1bb712150f97d3d69b2e5c2d113c4e7450be714d4f46e052d77b86727f6d3797578d0f6d498ee6b3881980e4c06e
-
Filesize
3.4MB
MD5
1879cd317de1077793b9e7ad9548fbad
SHA1
89b5d4bfa3cf362e73d516d757103170fc025818
SHA256
fb27e78cd4cba316b4bdd65305fe5f3475154055a601967ff873c0982f0d31cb
SHA512
995b341d9bdca393c423130b99d77bfe04d06dc6f956b5e36f58bbe42775035034558ed7ded9387fd29a8aae791db0df18c1776131bfe6f7bd6ed0711584115e