Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-06-2024 07:12

Static task: static1

Behavioral task: behavioral1
Sample: ad45992cb43e2046e375822501519b5a_JaffaCakes118.dll
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: ad45992cb43e2046e375822501519b5a_JaffaCakes118.dll
Resource: win10v2004-20240508-en
General

Target: ad45992cb43e2046e375822501519b5a_JaffaCakes118.dll
Size: 5.0MB
MD5: ad45992cb43e2046e375822501519b5a
SHA1: bcb0e897c806cdc8c150bc3e0d861d8409fbcdad
SHA256: 56642eea5aba32106c2a63a6ecdf08c694cbd6840417e7d6ad8b9b828499a576
SHA512: 6b6d6122851c1a8c45aa69ae649e0653b26a46d9a68089db1555ff6a52b7229e175bfd52b56adfaaf1915c0a9590cdfca40239ffc5924ccb72039f38e6f0e97f
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAVR8yAH1plAH:+DqPoBhz1aRxcSUDk36SA0R8yAVp2H
Malware Config
Signatures

- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3285) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 2724: mssecsvc.exe
  - PID 2600: mssecsvc.exe
  - PID 2072: tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  - File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  All entries below were made by mssecsvc.exe.
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{36EC3C1A-7BFC-4A7C-86AB-76501282B231}\WpadDecisionTime = 5026105ef3beda01
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{36EC3C1A-7BFC-4A7C-86AB-76501282B231}\WpadDecision = "0"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{36EC3C1A-7BFC-4A7C-86AB-76501282B231}\WpadNetworkName = "Network 3"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-f1-cc-31-d2-df\WpadDecision = "0"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-f1-cc-31-d2-df\WpadDecisionReason = "1"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-f1-cc-31-d2-df\WpadDecisionTime = 5026105ef3beda01
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{36EC3C1A-7BFC-4A7C-86AB-76501282B231}
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{36EC3C1A-7BFC-4A7C-86AB-76501282B231}\WpadDecisionReason = "1"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{36EC3C1A-7BFC-4A7C-86AB-76501282B231}\52-f1-cc-31-d2-df
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-f1-cc-31-d2-df
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 2440 (rundll32.exe) wrote to memory of PID 2636 (rundll32.exe), 7 events
  - PID 2636 (rundll32.exe) wrote to memory of PID 2724 (mssecsvc.exe), 4 events
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad45992cb43e2046e375822501519b5a_JaffaCakes118.dll,#1
  PID: 2440
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad45992cb43e2046e375822501519b5a_JaffaCakes118.dll,#1
    PID: 2636
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2724
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2072
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2600
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 3.6MB
  MD5: b7de0e3d563ed16a13549c10904db556
  SHA1: 3e07aa72f32f1f4e57c1350f47cad8aba7472d6f
  SHA256: 1fb6c222ec5f4c80fafb22deec5046d9341ec5757d8d253376a21af0c03f2a92
  SHA512: 1130d04e763726b3e6a723f07720d4ac4c087cd9911d914d9dd14772d8ff8b25008dd5ea742763fa45fecfaae2cd38da5ff397f0e75c2043a33a4af48c674794
- Filesize: 3.4MB
  MD5: 34254469a1eeea38c6afd1a98bec0495
  SHA1: 946e0608b9804cd0aad52c5ee2f71a9aae358967
  SHA256: c2371619ab716c65d3f05f82b85b144dbf1f4928cc1ed23963423c6267bd034a
  SHA512: 5498b8f645c2ee922a50d5c229826d26af4ef8c4d39ed9675fa903e66609e0413ccd2d1a3b36eeb8fb886bd7de56e2172377d62a3de9ffde373b2d5a38fc4cf8