Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2024 12:32
Static task: static1
Behavioral task: behavioral1
- Sample: ae71e9ba6e85f9c40b52b2c467b4131c_JaffaCakes118.dll
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: ae71e9ba6e85f9c40b52b2c467b4131c_JaffaCakes118.dll
- Resource: win10v2004-20240611-en
General
- Target: ae71e9ba6e85f9c40b52b2c467b4131c_JaffaCakes118.dll
- Size: 5.0MB
- MD5: ae71e9ba6e85f9c40b52b2c467b4131c
- SHA1: 93eea8186db083b07e1919bf02e9f1830140683e
- SHA256: 8e051501bdc76a807f6f9fac9c35e0486cfe569387e83cc02db8f457831f7f41
- SHA512: 96d37b967f79faeae1b955472bd730a279c530db07d96af282f278a23946dc71321015b90a513290992211b809daafd80a25746b164e480280e3ecba22dfc414
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTtW9bXZROAx:+DqPoBhz1aRxcSUtW9J
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3128) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
    2420 | mssecsvc.exe
    1752 | mssecsvc.exe
    2656 | tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description | ioc | process):
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f004f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{28A7898B-DD39-48E6-B702-532AB5158F2D}\WpadDecision = "0" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-d8-f7-ae-5d-38\WpadDecisionTime = 0066d90920bfda01 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-d8-f7-ae-5d-38\WpadDecision = "0" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{28A7898B-DD39-48E6-B702-532AB5158F2D}\WpadDecisionTime = 0066d90920bfda01 | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{28A7898B-DD39-48E6-B702-532AB5158F2D}\WpadNetworkName = "Network 3" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-d8-f7-ae-5d-38 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{28A7898B-DD39-48E6-B702-532AB5158F2D}\92-d8-f7-ae-5d-38 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{28A7898B-DD39-48E6-B702-532AB5158F2D}\WpadDecisionReason = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-d8-f7-ae-5d-38\WpadDecisionReason = "1" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{28A7898B-DD39-48E6-B702-532AB5158F2D} | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
    PID 2160 wrote to memory of 1076 | 2160 | rundll32.exe | rundll32.exe
    PID 2160 wrote to memory of 1076 | 2160 | rundll32.exe | rundll32.exe
    PID 2160 wrote to memory of 1076 | 2160 | rundll32.exe | rundll32.exe
    PID 2160 wrote to memory of 1076 | 2160 | rundll32.exe | rundll32.exe
    PID 2160 wrote to memory of 1076 | 2160 | rundll32.exe | rundll32.exe
    PID 2160 wrote to memory of 1076 | 2160 | rundll32.exe | rundll32.exe
    PID 2160 wrote to memory of 1076 | 2160 | rundll32.exe | rundll32.exe
    PID 1076 wrote to memory of 2420 | 1076 | rundll32.exe | mssecsvc.exe
    PID 1076 wrote to memory of 2420 | 1076 | rundll32.exe | mssecsvc.exe
    PID 1076 wrote to memory of 2420 | 1076 | rundll32.exe | mssecsvc.exe
    PID 1076 wrote to memory of 2420 | 1076 | rundll32.exe | mssecsvc.exe
Processes (indentation shows parent/child depth)
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae71e9ba6e85f9c40b52b2c467b4131c_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2160
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ae71e9ba6e85f9c40b52b2c467b4131c_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    PID: 1076
    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      PID: 2420
      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
        PID: 2656
- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
  PID: 1752
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: c401944ecf7a4e179776ab6a3361a9de
  SHA1: a0f35b374147ad559581e80c9cdab73f8d466068
  SHA256: 7ad8f33638095c9fdbf19cf76298fa6b289f7e8b54020b02da0e45f417183aae
  SHA512: 0d2e969b33769d303e36ff3a1ac67c4a1b4a7062eef0d694bf634964b45c7d81171b7e2246bbf3380a61d9f4c205e116ca56706fd365e9fa82ca5a29a51e66a0
- Filesize: 3.4MB
  MD5: 2d0034f3b51564e3351da23b48b02f4b
  SHA1: ff13439259e915e5f5cc59d0bd80b6c9e590d69b
  SHA256: 4a4ffa6740649ff9b369b398ae9af3e0dc0fcce97b3c98ee3379f1d41fff168f
  SHA512: 64561222ad29783ae540bb49e7fc9156f648f59bc822de6d68199834ed8332c68296a61b90f8abdcc6bb5872d5edbc2f1498a401ca64a66892d42b46ffbf29df