Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2024 05:55
Static task: static1
Behavioral task: behavioral1
- Sample: ad143d855ed6fe12573a7b09efd6ee5b_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: ad143d855ed6fe12573a7b09efd6ee5b_JaffaCakes118.dll
- Resource: win10v2004-20240611-en
General
- Target: ad143d855ed6fe12573a7b09efd6ee5b_JaffaCakes118.dll
- Size: 5.0MB
- MD5: ad143d855ed6fe12573a7b09efd6ee5b
- SHA1: 52f74369c47090ff862a28af995ed32feb942c05
- SHA256: 6c16edaca2f239d81cdf8209fdd224471960bf458dbba23c44f19fe86d716e7c
- SHA512: beb64b9d37d043a21cab369f62ee52f0531e9eb71b742d7e9438d704485533f685ac3109376cff76b1559a3ba4814a9ce708be079fa37787056b0c9181e34204
- SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SASdhvxWa9P593R8sJ:TDqPe1Cxcxk3ZASUadzR8s
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (2670) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 2956: mssecsvc.exe
  - PID 2644: mssecsvc.exe
  - PID 2572: tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes:
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (all by mssecsvc.exe):
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00aa000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-32-83-09-e1-3f\WpadDecisionReason = "1"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{285CEA55-DED8-4E9A-915A-2BD2A0D69538}\WpadNetworkName = "Network 3"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{285CEA55-DED8-4E9A-915A-2BD2A0D69538}\96-32-83-09-e1-3f
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-32-83-09-e1-3f\WpadDecision = "0"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{285CEA55-DED8-4E9A-915A-2BD2A0D69538}\WpadDecision = "0"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{285CEA55-DED8-4E9A-915A-2BD2A0D69538}
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{285CEA55-DED8-4E9A-915A-2BD2A0D69538}\WpadDecisionTime = 502a1abae8beda01
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-32-83-09-e1-3f
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{285CEA55-DED8-4E9A-915A-2BD2A0D69538}\WpadDecisionReason = "1"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-32-83-09-e1-3f\WpadDecisionTime = 502a1abae8beda01
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 2180 (rundll32.exe) wrote to memory of PID 848 (rundll32.exe): 7 events
  - PID 848 (rundll32.exe) wrote to memory of PID 2956 (mssecsvc.exe): 4 events
Processes
- C:\Windows\system32\rundll32.exe (PID 2180)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad143d855ed6fe12573a7b09efd6ee5b_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 848)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad143d855ed6fe12573a7b09efd6ee5b_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2956)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2572)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2644)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Downloads
- Filesize: 3.6MB
  MD5: 478a30349e40d90f90f54e5e440e7265
  SHA1: 37cb981546d53825323cd39f952f06fb7d110a27
  SHA256: 834390249a1c816b43be8f7049c3b9e288f918f375b484a936c834de5f9078a5
  SHA512: 25580efcf94bbcf7e0ced87c9a362620013d0f322d433810c1d52cc12bdfc538eaffb84d97ee00ccf8dc6580e7bdc6d63ca68398797a29427849c206bf32945a
- Filesize: 3.4MB
  MD5: 0cb6eddf35473a5904a2b56bd391efec
  SHA1: 8111594e887e972bed1d9c3ab08fd324dcc4deaa
  SHA256: f9d55d230e908a6005593b0941840fffb83475ef69014ba20e81dea56309fd42
  SHA512: 86627a974f9bade1222792ec978ae51c0de5571db66627e06a4d9fde5e100d4e3d267aaa9c1544a18793c8d55147bb603a31872df478dd238a547f32eb808e6a