Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2024 14:06

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: aec7e4e63a82a2265b11e904d66c95cf_JaffaCakes118.dll
  Resource: win7-20240221-en
- Behavioral task: behavioral2
  Sample: aec7e4e63a82a2265b11e904d66c95cf_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: aec7e4e63a82a2265b11e904d66c95cf_JaffaCakes118.dll
- Size: 5.0MB
- MD5: aec7e4e63a82a2265b11e904d66c95cf
- SHA1: 16e07a6bc509a5e487a44bedb62917be30887d61
- SHA256: c48a1ee3d2862d8d526ba9bb9e6c322a3334027cbac40a8bfd93d1bdca43a9a0
- SHA512: 0476f9d7e6606d1ee75a74c67fc888ee172de4bf87b1906b0367bcea4c948bea6bab3633ec90d0b762cc81fb2740301d1088671db2e0571bf579fc1766ecb797
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhhlAH:+DqPoBhz1aRxcSUDk36SAEdhh2H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3337) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid  | process
  1724 | mssecsvc.exe
  2140 | mssecsvc.exe
  2896 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe (process column is mssecsvc.exe for every entry below)
  description | ioc
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A11334D-E564-44E2-AAFD-D2CF91F19F06}\WpadNetworkName = "Network 3"
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-b0-33-36-b2-65\WpadDecision = "0"
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A11334D-E564-44E2-AAFD-D2CF91F19F06}
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-b0-33-36-b2-65\WpadDecisionTime = e0a841352dbfda01
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f010f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-b0-33-36-b2-65\WpadDecisionReason = "1"
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A11334D-E564-44E2-AAFD-D2CF91F19F06}\WpadDecisionReason = "1"
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A11334D-E564-44E2-AAFD-D2CF91F19F06}\WpadDecisionTime = e0a841352dbfda01
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A11334D-E564-44E2-AAFD-D2CF91F19F06}\WpadDecision = "0"
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-b0-33-36-b2-65
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A11334D-E564-44E2-AAFD-D2CF91F19F06}\42-b0-33-36-b2-65
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 2088 wrote to memory of 2224 | 2088 | rundll32.exe | rundll32.exe (7 events)
  PID 2224 wrote to memory of 1724 | 2224 | rundll32.exe | mssecsvc.exe (4 events)
Processes (child processes are indented under their parent)
- C:\Windows\system32\rundll32.exe, PID 2088
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aec7e4e63a82a2265b11e904d66c95cf_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe, PID 2224
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\aec7e4e63a82a2265b11e904d66c95cf_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe, PID 1724
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe, PID 2896
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe, PID 2140
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 5bf3524f2b3f64901439ac3184417ad3
  SHA1: c1d26563775e249874a44082b58b7e3086693f77
  SHA256: 283e6a5db3b53b2517960bfe73ae297167c0bcb4ba93b50505437996e5118c9d
  SHA512: f384a720c1d55758fa5c45208cc92b67d348c3453d089a812f116b13e14020cf8494396b571c1a8265bc463a364536a7e1b220935db3fdb2f813d60035c2c77b
- Filesize: 3.4MB
  MD5: 045162d037abbfd8a8cdd87c63b9a174
  SHA1: 3250ceeb324e640c3c15a71cd7f162b026292d63
  SHA256: 214bad046768948847a83128685249827a3190edca5beca1103fd84b741f88cb
  SHA512: fe8e92e7b648496ded6301e84911894ad2e3a7716ba7fb044c13ece2589f6dfae147529871e594b50e96e1b75928110e1bb7973debaf9eab23a28d9ef8ea742c