Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
14-06-2024 14:58
Static task
static1
Behavioral task
behavioral1
Sample
aa4bd04759c4c86d3a37456a4c0d1aae_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
aa4bd04759c4c86d3a37456a4c0d1aae_JaffaCakes118.dll
Resource
win10v2004-20240611-en
General
-
Target
aa4bd04759c4c86d3a37456a4c0d1aae_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
aa4bd04759c4c86d3a37456a4c0d1aae
-
SHA1
0abb832130a314a9b17c6275dda8e02d254a9456
-
SHA256
b69d82198abee2589bc919442b55e7598eb741d1b996020ce201433c49603e17
-
SHA512
8134065407787073681906390da10c5b45aa8afd4839888583de4b45fff4a19ec9dc1b1f72d0b1683d1f4089f52272a5ceb14333cc6703a6cc80c18785737cfc
-
SSDEEP
98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P5kF:TDqPe1Cxcxk3ZAEUada
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3297) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 2908 mssecsvc.exe 2636 mssecsvc.exe 2736 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1FC05740-2770-4148-A07A-59F278D3E855} mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1FC05740-2770-4148-A07A-59F278D3E855}\WpadDecisionTime = 00fe2c476bbeda01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1FC05740-2770-4148-A07A-59F278D3E855}\ee-dd-44-09-b4-19 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-dd-44-09-b4-19\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-dd-44-09-b4-19\WpadDecision = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1FC05740-2770-4148-A07A-59F278D3E855}\WpadDecision = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-dd-44-09-b4-19\WpadDecisionTime = 00fe2c476bbeda01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-dd-44-09-b4-19 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1FC05740-2770-4148-A07A-59F278D3E855}\WpadDecisionReason = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1FC05740-2770-4148-A07A-59F278D3E855}\WpadNetworkName = "Network 3" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2968 wrote to memory of 2800 2968 rundll32.exe rundll32.exe PID 2968 wrote to memory of 2800 2968 rundll32.exe rundll32.exe PID 2968 wrote to memory of 2800 2968 rundll32.exe rundll32.exe PID 2968 wrote to memory of 2800 2968 rundll32.exe rundll32.exe PID 2968 wrote to memory of 2800 2968 rundll32.exe rundll32.exe PID 2968 wrote to memory of 2800 2968 rundll32.exe rundll32.exe PID 2968 wrote to memory of 2800 2968 rundll32.exe rundll32.exe PID 2800 wrote to memory of 2908 2800 rundll32.exe mssecsvc.exe PID 2800 wrote to memory of 2908 2800 rundll32.exe mssecsvc.exe PID 2800 wrote to memory of 2908 2800 rundll32.exe mssecsvc.exe PID 2800 wrote to memory of 2908 2800 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\aa4bd04759c4c86d3a37456a4c0d1aae_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\aa4bd04759c4c86d3a37456a4c0d1aae_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2908 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2736
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2636
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5c32558b9e0da451b5e1f3c42ec95c77c
SHA10e6cfd4a08436fd9d7cfe434c179a67872627195
SHA2563b34fd5f2a99632baeb9d5ca8f39cce78ad0211e77bd38368901db795ab16d39
SHA512310aceeadb4694820f3c60c9c287e5ee92f3d813bf214f9abd11459fd1ac558183d3b67e313479f3175fbacdfff2ba411e2eb1956a529b6d8eb0b3e74156d6bb
-
Filesize
3.4MB
MD59eb5cd883bd050ca2fd14493b70ccc95
SHA169d53fdaa5b012725d48f95d1e5f8b9188138ede
SHA256af321e7a1780cb92bcc1bcf30206aba7ec981f676fa98f741587bead7f2ce922
SHA51285e29c027e6ca318b32003be4bbd6bcb5f6fceaa947083de38e6ac79f92abdf8e92b959b33f89bbbfc9fa551bf7ec7057e2d1dfc551e219c6aebffcab287870b