Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2024 22:57
Static task: static1
Behavioral task: behavioral1
- Sample: b08b35744e52a38a52f0c8a8d34a003a_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b08b35744e52a38a52f0c8a8d34a003a_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: b08b35744e52a38a52f0c8a8d34a003a_JaffaCakes118.dll
- Size: 5.0MB
- MD5: b08b35744e52a38a52f0c8a8d34a003a
- SHA1: 5cdb0d30ebe0979185e78f88c2503b8df9564a52
- SHA256: 8244770d31ed59a1d757dde65a2bfa0cdac088e7f11d57f99100cee47aac7f46
- SHA512: 6f7697f1ca88ed106ff8cb8961ca535894f0b9ae4b68e16390a8cb6487844d24a44898bcd62849f77785ae47175ae2e6d90bd3f40c91e32cf2c66dfbeea7398d
- SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P59cyAVp2H:TDqPe1Cxcxk3ZAEUadYyc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3134) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 2736: mssecsvc.exe
  - PID 2712: mssecsvc.exe
  - PID 2420: tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes:
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (all entries by mssecsvc.exe):
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e6000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2DEC5CDA-76F1-4186-93F3-081B63244F6F}
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2DEC5CDA-76F1-4186-93F3-081B63244F6F}\WpadDecisionReason = "1"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-4e-66-2e-99-92\WpadDecision = "0"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-4e-66-2e-99-92
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2DEC5CDA-76F1-4186-93F3-081B63244F6F}\96-4e-66-2e-99-92
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-4e-66-2e-99-92\WpadDecisionTime = 7005ee5b77bfda01
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2DEC5CDA-76F1-4186-93F3-081B63244F6F}\WpadDecision = "0"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-4e-66-2e-99-92\WpadDecisionReason = "1"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2DEC5CDA-76F1-4186-93F3-081B63244F6F}\WpadDecisionTime = 7005ee5b77bfda01
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2DEC5CDA-76F1-4186-93F3-081B63244F6F}\WpadNetworkName = "Network 3"
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 2156 (rundll32.exe) wrote to memory of PID 2816 (rundll32.exe): 7 entries
  - PID 2816 (rundll32.exe) wrote to memory of PID 2736 (mssecsvc.exe): 4 entries
Processes
- C:\Windows\system32\rundll32.exe (PID 2156)
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b08b35744e52a38a52f0c8a8d34a003a_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2816)
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b08b35744e52a38a52f0c8a8d34a003a_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2736)
      Command: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2420)
        Command: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2712)
  Command: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: f427eb980d9d212790d2c82e2de16f04
  SHA1: 2a535ca6a301cabce28e4571f3247a307c85a85c
  SHA256: 6bdb3786bf861522359386d2cc5d017e0e06e1fe5cbd1f1be43eee24f3def897
  SHA512: 07482258f76f238dc7afe9f1f77913daf10f6f89ad5243b0e1d6751da8b857604e097effea1dcbebaca6f0028bc2edbe71bcc53787a7fc8c0a01ccbf6bc793c7
- Filesize: 3.4MB
  MD5: 7888f1f4e712ba42b2c5e6f02422b7ba
  SHA1: e71c10b85284f572620705e530b6aba644f3732d
  SHA256: 8995cf65e9f0630a66a405507271f7f42b6c1cf59b9c17e0fd6608857736cd59
  SHA512: 11373e6954032dc0b6576613368ec7ef6a26fdb8f4c73b7a5ecc15ad889ff90926c0ef1c0e89f4f3e6d400f6b2146c75f89f8715c896fe4cfc932bf8a5b30f43