Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-06-2024 18:36

Static task: static1

Behavioral task: behavioral1
Sample: afce4024d50fb1ddd4050f7822a89dc6_JaffaCakes118.dll
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: afce4024d50fb1ddd4050f7822a89dc6_JaffaCakes118.dll
Resource: win10v2004-20240611-en
General
Target: afce4024d50fb1ddd4050f7822a89dc6_JaffaCakes118.dll
Size: 5.0MB
MD5: afce4024d50fb1ddd4050f7822a89dc6
SHA1: 434718ed8962d74765e296177eb9df1fb4e5231d
SHA256: e26fb8cb9a68760bfc1d11a46353b2cc60d5e8a6ec05c0e66cdc1d103bb273ee
SHA512: 002da99e2a40d1b6a277b7111df841cf2b5b6bc08ca1ef4f1ea2377c5838ffd9c142e98e2f61e8142a5b62bea3ceecf934406324e0c5b10b890446f57e2122c0
SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAd593R8yAVp2H:TDqPe1Cxcxk3ZAdzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3194) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  2072  mssecsvc.exe
  1884  mssecsvc.exe
  1236  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc, process):
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  mssecsvc.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-a7-b3-49-09-f6\WpadDecisionReason = "1"  mssecsvc.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-a7-b3-49-09-f6\WpadDecisionTime = 60f88dee52bfda01  mssecsvc.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C3C6DBAA-3E27-41F0-BC06-E85420196CAE}  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C3C6DBAA-3E27-41F0-BC06-E85420196CAE}\WpadDecisionReason = "1"  mssecsvc.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"  mssecsvc.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  mssecsvc.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  mssecsvc.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad  mssecsvc.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0105000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C3C6DBAA-3E27-41F0-BC06-E85420196CAE}\WpadDecisionTime = 60f88dee52bfda01  mssecsvc.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C3C6DBAA-3E27-41F0-BC06-E85420196CAE}\0a-a7-b3-49-09-f6  mssecsvc.exe
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"  mssecsvc.exe
  Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  mssecsvc.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-a7-b3-49-09-f6  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0a-a7-b3-49-09-f6\WpadDecision = "0"  mssecsvc.exe
  Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"  mssecsvc.exe
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C3C6DBAA-3E27-41F0-BC06-E85420196CAE}\WpadDecision = "0"  mssecsvc.exe
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C3C6DBAA-3E27-41F0-BC06-E85420196CAE}\WpadNetworkName = "Network 2"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  PID 2148 wrote to memory of 2164  rundll32.exe -> rundll32.exe  (7 occurrences)
  PID 2164 wrote to memory of 2072  rundll32.exe -> mssecsvc.exe  (4 occurrences)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\afce4024d50fb1ddd4050f7822a89dc6_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   PID: 2148
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\afce4024d50fb1ddd4050f7822a89dc6_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 2164
      3. C:\WINDOWS\mssecsvc.exe
         Command line: C:\WINDOWS\mssecsvc.exe
         - Executes dropped EXE
         - Drops file in Windows directory
         PID: 2072
         4. C:\WINDOWS\tasksche.exe
            Command line: C:\WINDOWS\tasksche.exe /i
            - Executes dropped EXE
            PID: 1236

1. C:\WINDOWS\mssecsvc.exe
   Command line: C:\WINDOWS\mssecsvc.exe -m security
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies data under HKEY_USERS
   PID: 1884
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 25d75192ff35864f849b3f4a8837365d
  SHA1: 9bbacf2758c9bb57761f05a3a2fb090269056429
  SHA256: 32e176c5ede6aafcfda4cf28c3c6bb3975863a61606bf379ddc296c347bac402
  SHA512: aa578b082fef36a632af3a988a6fef59a4f83a9619e85019431cbcbfd6c9af60623f67953b95c642d63f3150e5a081bfeb9375c52795083d63a5bb272297e514
- Filesize: 3.4MB
  MD5: 8ed1724a90dce0e228f1f38fb9ec17a3
  SHA1: 5e43f87e0ef231c4ff8f46f5ccdcdeec0b285380
  SHA256: f86bea510f55a64b9b5ce0277e506c8434f3ba7d8682d77a3f34d97705dc575b
  SHA512: b4cbf0a8fcb18a85127b739db02ae42360bbb3b72f971dbd9f0e3034370a62ec53daf0591d77d64653ce475de703c7b0924f2a4d4ebbd9aab8b63d94ed826ab0