Analysis

max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 14-06-2024 21:15
Static task: static1

Behavioral task: behavioral1
  Sample: ab80bc09ea8609ec530cbde89ec7d29c_JaffaCakes118.dll
  Resource: win7-20240611-en

Behavioral task: behavioral2
  Sample: ab80bc09ea8609ec530cbde89ec7d29c_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
General

Target: ab80bc09ea8609ec530cbde89ec7d29c_JaffaCakes118.dll
Size: 5.0MB
MD5: ab80bc09ea8609ec530cbde89ec7d29c
SHA1: e54b1408d76c1a234c3a4816de52f35370e38557
SHA256: 1adc42b3e4869bd7125e52aae5f570ae34aaeebb053ee1faf55c9aeb657943da
SHA512: 74cd7eb0f39243641eb67ae8fec5b1678b5ca712787346c69ce14add8f4d0a87c4d6e499ed8d14282d7d72cb8471b1b90fb9509d6050c695c972c24518842156
SSDEEP: 98304:+DqPoBhz1aRxcSUDkS6SAEdhvxWa9P5931Vp2X3:+DqPe1CxcxkSZAEUadzD4X
Malware Config
Signatures

- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3180) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes:
    PID 2140  mssecsvc.exe
    PID 2624  mssecsvc.exe
    PID 2504  tasksche.exe

- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Drops file in System32 directory (1 IoCs)
  Process: mssecsvc.exe
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat

- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe  (rundll32.exe)
    File created  C:\WINDOWS\tasksche.exe  (mssecsvc.exe)

- Modifies data under HKEY_USERS (24 IoCs)
  Process: mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{355B5DC4-8A01-4DEB-80FD-F65FDDBE239D}\WpadDecisionTime = 60a7d6fa9fbeda01
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-47-e2-10-05-74\WpadDecision = "0"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{355B5DC4-8A01-4DEB-80FD-F65FDDBE239D}\1a-47-e2-10-05-74
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{355B5DC4-8A01-4DEB-80FD-F65FDDBE239D}
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{355B5DC4-8A01-4DEB-80FD-F65FDDBE239D}\WpadNetworkName = "Network 3"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-47-e2-10-05-74
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-47-e2-10-05-74\WpadDecisionTime = 60a7d6fa9fbeda01
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{355B5DC4-8A01-4DEB-80FD-F65FDDBE239D}\WpadDecisionReason = "1"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{355B5DC4-8A01-4DEB-80FD-F65FDDBE239D}\WpadDecision = "0"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-47-e2-10-05-74\WpadDecisionReason = "1"

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    PID 2580 (rundll32.exe) wrote to memory of PID 2100 (rundll32.exe)   x7
    PID 2100 (rundll32.exe) wrote to memory of PID 2140 (mssecsvc.exe)   x4
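The two network signatures above (3180 remote hosts contacted, a large number of flows) describe a fan-out pattern that can be reproduced from ordinary connection or flow logs outside the sandbox. The script below is an added example, not part of the report or of any sandbox tooling: it keeps a sliding-window count of distinct destination hosts per (source host, process) and raises an alert when the count crosses a threshold, the same signal the sandbox used. The flow record layout, the 5-minute window, the threshold of 50 and the sample records (a constructed sweep of 200 hosts on TCP/445 beside a benign browser) are assumptions; the report itself lists no destination ports.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Flow record layout (assumed): (timestamp, src_host, src_process, dst_ip, dst_port).


def _build_sample():
    """Constructed sample data, not taken from the report: one process sweeping
    200 hosts in under two minutes, and a browser reaching 12 hosts over an hour."""
    t0 = datetime(2024, 6, 14, 21, 16, 0)
    flows = []
    for i in range(1, 201):  # scanner: 10.0.0.1 .. 10.0.0.200 on TCP/445, one every 0.5 s
        flows.append((t0 + timedelta(seconds=i * 0.5), "WIN7-LAB", "mssecsvc.exe",
                      f"10.0.0.{i}", 445))
    for i in range(12):  # benign: a dozen HTTPS hosts spread over 55 minutes
        flows.append((t0 + timedelta(minutes=5 * i), "WIN7-LAB", "iexplore.exe",
                      f"93.184.216.{i + 1}", 443))
    return flows


SAMPLE_FLOWS = _build_sample()


def fan_out_alerts(flows, window=timedelta(minutes=5), threshold=50):
    """Return one alert per (src_host, src_process) whose number of distinct
    destination hosts inside any sliding `window` reaches `threshold`."""
    by_key = defaultdict(list)
    for ts, host, proc, dst, port in flows:
        by_key[(host, proc)].append((ts, dst, port))

    alerts = []
    for (host, proc), recs in by_key.items():
        recs.sort(key=lambda r: r[0])
        in_window = Counter()  # dst -> flows to it that are still inside the window
        left = 0
        peak = 0
        for ts, dst, _ in recs:
            in_window[dst] += 1
            # Advance the left edge until every record is within `window` of ts.
            while ts - recs[left][0] > window:
                old_dst = recs[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            port, _ = Counter(r[2] for r in recs).most_common(1)[0]
            alerts.append({
                "src_host": host,
                "process": proc,
                "peak_distinct_hosts": peak,
                "dominant_port": port,
                "total_flows": len(recs),
            })
    return alerts


if __name__ == "__main__":
    for alert in fan_out_alerts(SAMPLE_FLOWS):
        print(alert)
```

Counting distinct destinations rather than raw flows is what separates a sweep from a chatty but legitimate process; the threshold should be tuned per environment, since vulnerability scanners and monitoring agents produce the same shape and need an allow-list.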
Processes

C:\Windows\system32\rundll32.exe  (PID 2580)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab80bc09ea8609ec530cbde89ec7d29c_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe  (PID 2100)
       Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ab80bc09ea8609ec530cbde89ec7d29c_JaffaCakes118.dll,#1
       - Drops file in Windows directory
       - Suspicious use of WriteProcessMemory
       └─ C:\WINDOWS\mssecsvc.exe  (PID 2140)
            Command line: C:\WINDOWS\mssecsvc.exe
            - Executes dropped EXE
            - Drops file in Windows directory
            └─ C:\WINDOWS\tasksche.exe  (PID 2504)
                 Command line: C:\WINDOWS\tasksche.exe /i
                 - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe  (PID 2624)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
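The process tree gives a concrete chain to hunt for on endpoints: rundll32.exe loading the DLL, a second rundll32.exe dropping C:\WINDOWS\mssecsvc.exe, mssecsvc.exe dropping and launching C:\WINDOWS\tasksche.exe /i, and a separate mssecsvc.exe -m security instance. The detector below is an added example (not report, sandbox or project code) that encodes those IoCs as rules over Sysmon-style process-creation, file-creation and image-load events and reconstructs the parent lineage of each hit. The event dictionary layout, the parent PIDs the report does not show (1000 and 600) and the benign rundll32.exe noise event are constructed assumptions; the paths, PIDs, command lines and SHA-256 values are the report's.

```python
import ntpath
import re

# Indicators lifted from the report: dropped file names, and the SHA-256 of the
# submitted DLL plus the two files the sandbox saw downloaded.
DROPPED_NAMES = {"mssecsvc.exe", "tasksche.exe"}
KNOWN_SHA256 = {
    "1adc42b3e4869bd7125e52aae5f570ae34aaeebb053ee1faf55c9aeb657943da",  # submitted DLL
    "66f59db3bdf0b7f1e2cad74295c1e92d99b835e5d861216e627ef6d93e97970e",  # download, 3.6MB
    "76e85f8521adf3cc03420d65b0c2b170f40bb7fbb2fe7c2e723100b37e2c3370",  # download, 3.4MB
}
DLL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ab80bc09ea8609ec530cbde89ec7d29c_JaffaCakes118.dll"

# Constructed Sysmon-style events mirroring the report's process tree.
# Parent PIDs 1000 and 600 and the last rundll32.exe event are assumed noise, not report data.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2580, "ppid": 1000,
     "image": "C:\\Windows\\system32\\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "image_load", "pid": 2580, "image_loaded": DLL,
     "sha256": "1adc42b3e4869bd7125e52aae5f570ae34aaeebb053ee1faf55c9aeb657943da"},
    {"type": "process_create", "pid": 2100, "ppid": 2580,
     "image": "C:\\Windows\\SysWOW64\\rundll32.exe", "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "file_create", "pid": 2100, "image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "target": "C:\\WINDOWS\\mssecsvc.exe"},
    {"type": "process_create", "pid": 2140, "ppid": 2100,
     "image": "C:\\WINDOWS\\mssecsvc.exe", "cmdline": "C:\\WINDOWS\\mssecsvc.exe"},
    {"type": "file_create", "pid": 2140, "image": "C:\\WINDOWS\\mssecsvc.exe",
     "target": "C:\\WINDOWS\\tasksche.exe"},
    {"type": "process_create", "pid": 2504, "ppid": 2140,
     "image": "C:\\WINDOWS\\tasksche.exe", "cmdline": "C:\\WINDOWS\\tasksche.exe /i"},
    {"type": "process_create", "pid": 2624, "ppid": 600,
     "image": "C:\\WINDOWS\\mssecsvc.exe", "cmdline": "C:\\WINDOWS\\mssecsvc.exe -m security"},
    {"type": "process_create", "pid": 3000, "ppid": 1000,
     "image": "C:\\Windows\\system32\\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def basename(path):
    """Case-folded file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def in_windows_root(path):
    """True only for a file directly under <drive>:\\Windows\\, as the report's drops were."""
    return re.fullmatch(r"[a-z]:\\windows\\[^\\]+", path, re.IGNORECASE) is not None


def lineage(pid, procs):
    """Walk parent links back to the root we know about, e.g. child(pid) <- parent(ppid)."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(f"{basename(procs[pid]['image'])}({pid})")
        pid = procs[pid]["ppid"]
    return " <- ".join(chain)


def detect(events):
    """Return (rule, pid, detail) findings, in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for e in events:
        if e["type"] == "process_create":
            name = basename(e["image"])
            parent = procs.get(e["ppid"])
            pname = basename(parent["image"]) if parent else ""
            if name == "mssecsvc.exe" and pname == "rundll32.exe":
                findings.append(("wannacry_dropper_chain", e["pid"], lineage(e["pid"], procs)))
            if name == "mssecsvc.exe" and re.search(r"\s-m\s+security\b", e["cmdline"], re.I):
                findings.append(("wannacry_service_instance", e["pid"], e["cmdline"]))
            if name == "tasksche.exe" and pname == "mssecsvc.exe" and re.search(r"\s/i\b", e["cmdline"]):
                findings.append(("wannacry_tasksche_install", e["pid"], lineage(e["pid"], procs)))
        elif e["type"] == "file_create":
            if basename(e["target"]) in DROPPED_NAMES and in_windows_root(e["target"]):
                findings.append(("wannacry_dropped_file", e["pid"],
                                 f"{basename(e['image'])} wrote {e['target']}"))
        elif e["type"] == "image_load":
            if e.get("sha256", "").lower() in KNOWN_SHA256:
                findings.append(("known_hash", e["pid"], e["image_loaded"]))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid:<5} {detail}")
```

The hash rule is the most brittle (a recompiled or repacked sample changes it), while the parent-child and drop-location rules survive that and also match the 32-bit rundll32.exe hop through SysWOW64 that the tree shows; treat the names as a starting point and pair them with the network fan-out signal rather than relying on either alone.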
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3.6MB
  MD5: 6e857c346a88919885c2367388fb2679
  SHA1: 1f5b50bee927e494bdb05f3124507cccca79e303
  SHA256: 66f59db3bdf0b7f1e2cad74295c1e92d99b835e5d861216e627ef6d93e97970e
  SHA512: 4594963d06a0c0317dee821344d7b28873c2db25769011e306df046955f5f6e1191cec18fb6187cd71ac9d0d4b862a9e41df0c19e405b18461238a3b5615b55b

- Filesize: 3.4MB
  MD5: 5853b99636d6ce48af34af781d6be42d
  SHA1: d80cd9ead851c85324ca9bc4e36d4e3d712c22e3
  SHA256: 76e85f8521adf3cc03420d65b0c2b170f40bb7fbb2fe7c2e723100b37e2c3370
  SHA512: d041b87adc8ecdcdd4e9aea22f470d933fa5448d6fde461d6f072f17e4f97dfb97ea563bc9e70fe480480b285a0c9a33ca843574df5c0d2957201c8af16f741b