Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system -
submitted
15-06-2024 19:08
Static task
static1
Behavioral task
behavioral1
Sample
afec3cf286a0196baefc26749e251633_JaffaCakes118.dll
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
afec3cf286a0196baefc26749e251633_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
afec3cf286a0196baefc26749e251633_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
afec3cf286a0196baefc26749e251633
-
SHA1
857996bcb6caa1f144cf55e4a6301a4d03ec6c2e
-
SHA256
287d1a9d07d61252fafc01a21aca6dc59f610e21dc4c87d54a6ec93b9b37fbeb
-
SHA512
a5103e4c114524f5b1bdcc6e08e60354e1a923ce0aee7d150b4407b258746861cc9c22de0a912ba0cb9897a86476f0e9528c8645f08bdac242724966c7e7c63b
-
SSDEEP
98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9k593R8yAVp2H:TDqPe1Cxcxk3ZAEUaGzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3348) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
pid | process
1632 | mssecsvc.exe
1732 | mssecsvc.exe
2708 | tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes: mssecsvc.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes: rundll32.exe, mssecsvc.exe
description | ioc | process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
-
Modifies data under HKEY_USERS 24 IoCs
Processes: mssecsvc.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59B4FFF4-4CCA-4547-9197-942EEE1F7D85}\WpadDecision = "0" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59B4FFF4-4CCA-4547-9197-942EEE1F7D85}\WpadNetworkName = "Network 3" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59B4FFF4-4CCA-4547-9197-942EEE1F7D85}\WpadDecisionReason = "1" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-54-26-97-c6-69\WpadDecisionTime = 20d9aa6357bfda01 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0037000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59B4FFF4-4CCA-4547-9197-942EEE1F7D85}\WpadDecisionTime = 20d9aa6357bfda01 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59B4FFF4-4CCA-4547-9197-942EEE1F7D85} | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-54-26-97-c6-69 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-54-26-97-c6-69\WpadDecision = "0" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-54-26-97-c6-69\WpadDecisionReason = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59B4FFF4-4CCA-4547-9197-942EEE1F7D85}\1e-54-26-97-c6-69 | mssecsvc.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 2312 wrote to memory of 1672 | 2312 | rundll32.exe | rundll32.exe
PID 2312 wrote to memory of 1672 | 2312 | rundll32.exe | rundll32.exe
PID 2312 wrote to memory of 1672 | 2312 | rundll32.exe | rundll32.exe
PID 2312 wrote to memory of 1672 | 2312 | rundll32.exe | rundll32.exe
PID 2312 wrote to memory of 1672 | 2312 | rundll32.exe | rundll32.exe
PID 2312 wrote to memory of 1672 | 2312 | rundll32.exe | rundll32.exe
PID 2312 wrote to memory of 1672 | 2312 | rundll32.exe | rundll32.exe
PID 1672 wrote to memory of 1632 | 1672 | rundll32.exe | mssecsvc.exe
PID 1672 wrote to memory of 1632 | 1672 | rundll32.exe | mssecsvc.exe
PID 1672 wrote to memory of 1632 | 1672 | rundll32.exe | mssecsvc.exe
PID 1672 wrote to memory of 1632 | 1672 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\afec3cf286a0196baefc26749e251633_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:2312
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\afec3cf286a0196baefc26749e251633_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1672
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:1632
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:2708
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1732
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.6MB
MD5
4fa562dbc3a05f6bdbe56b67cc7ac49b
SHA1
e90443d3c9c7bb8585253e71317114f83657d8b2
SHA256
92cc0c41fab577f0a440435e8a8af963af0ee305580df02bf1294bf7750adbff
SHA512
39c834a917e36a144bf6ff494605342dcb1d46e710057e7b055563353025add9d40a7c4e880a55f2cd7ccebf037c06b3738d19b449f37b604a84876d4cd6db59
-
Filesize
3.4MB
MD5
bc2a13d72a2ceaa472ea9a09c1f71aba
SHA1
81b6bad5ee461426af7d83f221c9f0d513ba8042
SHA256
430ac01177e466e8e0a89b38aaff56ec311a596a39be0553d051a1b9246c90d6
SHA512
0e7a8f09c606b72f6b042cddaa9def46b54998782137d407273fb7654ecf2ac78dd2aeb4558fefe3ea50a7343b05b5dbed345b75c10c52d9d524fbe89a135cb8