Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2024 16:54
Static task: static1
Behavioral task: behavioral1
- Sample: af6f6a5074b46216c322964b72f1def4_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: af6f6a5074b46216c322964b72f1def4_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: af6f6a5074b46216c322964b72f1def4_JaffaCakes118.dll
- Size: 5.0MB
- MD5: af6f6a5074b46216c322964b72f1def4
- SHA1: da3b3628ce94c206129934f2bb62705001192760
- SHA256: 056711fcd000139ea3c4f68ab7bf037d6b9e17364921434d809dac41df02375f
- SHA512: 0d3e140aa158c7f6272a8e737977705d3eb2de664158a344353ede8b33395c9d03177ce760b99b9796fb73f8fe369b6a19c5c24c6a3b698d6e039910e045cf67
- SSDEEP: 98304:+7qPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp:+7qPe1Cxcxk3ZAEUadzR8yc
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2663) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 2000: mssecsvc.exe
  - PID 2488: mssecsvc.exe
  - PID 1896: tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (by mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  - File created: C:\WINDOWS\mssecsvc.exe (by rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (by mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  - PID 1936 (rundll32.exe) wrote to memory of PID 1684 (rundll32.exe): 7 times
  - PID 1684 (rundll32.exe) wrote to memory of PID 2000 (mssecsvc.exe): 4 times
Processes
- C:\Windows\system32\rundll32.exe
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\af6f6a5074b46216c322964b72f1def4_JaffaCakes118.dll,#1
  PID: 1936
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\af6f6a5074b46216c322964b72f1def4_JaffaCakes118.dll,#1
    PID: 1684
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command: C:\WINDOWS\mssecsvc.exe
      PID: 2000
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command: C:\WINDOWS\tasksche.exe /i
        PID: 1896
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2488
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 1cbe480310f9bc9ccfe4292e0fadbecf
  SHA1: f534ec78b37c0b4385ecf8329aee3fb38283c2e8
  SHA256: 1762ee3efcb40c091d7df8d8c0b0a4b255d2bc45e41e3f3c16278adc44af7647
  SHA512: 75ddcd063c3fb341b2363a668a1f7933bdd7f7d31fa5b69163c2f0c797318802aa18fd448143ef32023b18085cd44b9250ebd6a6b002af3fec98019a21e5457f
- Filesize: 3.4MB
  MD5: a30252e529176999fc14a8c7ae2fd66f
  SHA1: 9f2e9910b290b01786fd89baef5449879bc9a182
  SHA256: 5081fc16a09228c4bb6d0985f9172614d588d6098420119043b63455f910a33f
  SHA512: 40fc6dcc69e983802515735a9ccc067ad0f6cec4033a226c2da913c193f0e2a9b12e4152b06b61417d394b99ddce3b8b98fdf605f1fbdebf67717eca5def2b25