Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2024 08:46
Static task
- static1

Behavioral task
- behavioral1
- Sample: ad9a429162ba44c3e9a67f961c6cf772_JaffaCakes118.dll
- Resource: win7-20240221-en

Behavioral task
- behavioral2
- Sample: ad9a429162ba44c3e9a67f961c6cf772_JaffaCakes118.dll
- Resource: win10v2004-20240611-en
General
- Target: ad9a429162ba44c3e9a67f961c6cf772_JaffaCakes118.dll
- Size: 5.0MB
- MD5: ad9a429162ba44c3e9a67f961c6cf772
- SHA1: 7f1889d024d276c8f5b89858cdcb86603ed27b4f
- SHA256: 5ac61f72e937a61eb969759f64a5a4060153dc315d5deadfd2d2d84f109bbd79
- SHA512: 6ab21a2005d0db99e3cb0bf329d0edeb9b798de23acb1b7be065881f4eb7a2aba038a3079f51ef20e7e8e6cb4ba4f1a6f9307c4bda4ddc78c779a58da5acb8ff
- SSDEEP: 49152:SnAQqMSPbcBVzAMEcaEau3R8yAH1plAH:+DqPoB5593R8yAVp2H
Malware Config

Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3216) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
    2032 | mssecsvc.exe
    2568 | mssecsvc.exe
    2744 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description | ioc | process):
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0118000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-e4-f0-2f-e0-05 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-e4-f0-2f-e0-05\WpadDecision = "0" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9DBF1C2-A267-4BDF-BC41-36009C6F337A}\WpadDecisionReason = "1" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9DBF1C2-A267-4BDF-BC41-36009C6F337A}\WpadDecisionTime = 8090a48600bfda01 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9DBF1C2-A267-4BDF-BC41-36009C6F337A} | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9DBF1C2-A267-4BDF-BC41-36009C6F337A}\WpadDecision = "0" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9DBF1C2-A267-4BDF-BC41-36009C6F337A}\WpadNetworkName = "Network 3" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9DBF1C2-A267-4BDF-BC41-36009C6F337A}\fa-e4-f0-2f-e0-05 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-e4-f0-2f-e0-05\WpadDecisionReason = "1" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-e4-f0-2f-e0-05\WpadDecisionTime = 8090a48600bfda01 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
    PID 2840 wrote to memory of 1744 | 2840 | rundll32.exe | rundll32.exe
    PID 2840 wrote to memory of 1744 | 2840 | rundll32.exe | rundll32.exe
    PID 2840 wrote to memory of 1744 | 2840 | rundll32.exe | rundll32.exe
    PID 2840 wrote to memory of 1744 | 2840 | rundll32.exe | rundll32.exe
    PID 2840 wrote to memory of 1744 | 2840 | rundll32.exe | rundll32.exe
    PID 2840 wrote to memory of 1744 | 2840 | rundll32.exe | rundll32.exe
    PID 2840 wrote to memory of 1744 | 2840 | rundll32.exe | rundll32.exe
    PID 1744 wrote to memory of 2032 | 1744 | rundll32.exe | mssecsvc.exe
    PID 1744 wrote to memory of 2032 | 1744 | rundll32.exe | mssecsvc.exe
    PID 1744 wrote to memory of 2032 | 1744 | rundll32.exe | mssecsvc.exe
    PID 1744 wrote to memory of 2032 | 1744 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad9a429162ba44c3e9a67f961c6cf772_JaffaCakes118.dll,#1
  PID: 2840
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ad9a429162ba44c3e9a67f961c6cf772_JaffaCakes118.dll,#1
    PID: 1744
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2032
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2744
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2568
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: c4981707b52e51df0841f0476894d6db
  SHA1: f62d2fa3ed07c86d3f7643ce2bfe6bbda050d151
  SHA256: e44250667e1f107a2425402b355171c19fe63b0b0de625ed952234c31e0fe262
  SHA512: 3d7e7d714f03a657eb2a1c34a7cfbab6a6bc811dac5a4d8cd60ac57f36726c188c0ab662b1e22e662a107576d105ed518405a1b795023a72f6bdaebdcc9486c4
- Filesize: 3.4MB
  MD5: 846bb9842a13355a8398ca894e8d00c1
  SHA1: a2eb535c89fd44a3fcaa2b2e4ad51b6227717aed
  SHA256: 241dbd92f8dee3168efd05fdb6c3402129fa9701d032f98974febc1e2980166b
  SHA512: 84b6c141b8ad61c27f7ce2f6837dd129629371568107e0d132d2a72cedc8506147dfe8ed63b9c98607aefbb0d4e876fe2aeb47508ec49d6a0b798389afcb183b