Analysis
  max time kernel: 150s
  max time network: 150s
  platform: windows7_x64
  resource: win7-20240508-en
  resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  submitted: 15-06-2024 21:38
Static task
  static1
Behavioral task
  behavioral1
  Sample: b038fe3b829caf3fe7859062d9162395_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task
  behavioral2
  Sample: b038fe3b829caf3fe7859062d9162395_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
  Target: b038fe3b829caf3fe7859062d9162395_JaffaCakes118.dll
  Size: 5.0MB
  MD5: b038fe3b829caf3fe7859062d9162395
  SHA1: 671f8f85a4cf4bb935c3106644f696d31058d36c
  SHA256: 56a84c68fdbbb62f8b30e56d144b6b4b9e352699983f135afb354fab64e25656
  SHA512: d48f059a8c40c2a0faa7229a24c9b7ce31e0cd5f5da9972cad7579cb82154ec46bf6b1870a122a8871f2194a54ae5a8f55c784d02fd17723ae013d94ce2c3f90
  SSDEEP: 24576:zbLgddQhfdmMSirYbcMNgef0QeQ14kF2Y9g:znAQqMSPbcBVQe2dw
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2664) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    PID 1424  mssecsvc.exe
    PID 2672  mssecsvc.exe
    PID 2688  tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe  (rundll32.exe)
    File created  C:\WINDOWS\tasksche.exe  (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe (every entry below was performed by mssecsvc.exe)
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2482B044-0850-481F-A3F7-4A6545A3C6AE}\WpadDecisionReason = "1"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-74-31-ab-04-6f\WpadDecisionReason = "1"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0033000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2482B044-0850-481F-A3F7-4A6545A3C6AE}\WpadDecision = "0"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-74-31-ab-04-6f
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-74-31-ab-04-6f\WpadDecisionTime = 3070cd756cbfda01
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\36-74-31-ab-04-6f\WpadDecision = "0"
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2482B044-0850-481F-A3F7-4A6545A3C6AE}
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2482B044-0850-481F-A3F7-4A6545A3C6AE}\WpadDecisionTime = 3070cd756cbfda01
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2482B044-0850-481F-A3F7-4A6545A3C6AE}\WpadNetworkName = "Network 3"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2482B044-0850-481F-A3F7-4A6545A3C6AE}\36-74-31-ab-04-6f
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    PID 2824 wrote to memory of 2240  (rundll32.exe -> rundll32.exe)   7 events
    PID 2240 wrote to memory of 1424  (rundll32.exe -> mssecsvc.exe)   4 events
Processes
[depth 1] C:\Windows\system32\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b038fe3b829caf3fe7859062d9162395_JaffaCakes118.dll,#1
    PID: 2824
    - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\SysWOW64\rundll32.exe
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b038fe3b829caf3fe7859062d9162395_JaffaCakes118.dll,#1
      PID: 2240
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
    [depth 3] C:\WINDOWS\mssecsvc.exe
        command line: C:\WINDOWS\mssecsvc.exe
        PID: 1424
        - Executes dropped EXE
        - Drops file in Windows directory
      [depth 4] C:\WINDOWS\tasksche.exe
          command line: C:\WINDOWS\tasksche.exe /i
          PID: 2688
          - Executes dropped EXE
[depth 1] C:\WINDOWS\mssecsvc.exe
    command line: C:\WINDOWS\mssecsvc.exe -m security
    PID: 2672
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 652a70bb771fbd710a174b9fcdbd5109
  SHA1: bb1205e50bc6aee1d2ef17b8224b1dd3bf2ae455
  SHA256: fac660b921cc10907653b48b44f81ef2074a899e0ac5b2c537185362a4cf0f18
  SHA512: 75bf75077c1e91dbbf20dcaad29eac25f0aa02e76be9468cb3d0ab77f3397f66a66a9de908879cada7203f5a0ab1b3ce717d9ca03ca3cf22ced475161fa3a77e
- Filesize: 3.4MB
  MD5: bc7fcce3ef434336c50d56a17ce7f80c
  SHA1: 3882f38175b0d7c6b1995d1e21282587393c17f2
  SHA256: 2ea82a2769c6f4c963a22ebbd2f9c6cfdd3b6dc7912c30c1b7ca1447c6b8c3bc
  SHA512: d3149de4103f840d541d97c3825c1ee9b1fad65daa89d852292395c265c4b21fddd4b0820d2392c0bdac8d7395c53606bfda67332e37b5348e90e48dc492eb1a