Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2024 21:22
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: b02604ec920bc250d015b843b84efa97_JaffaCakes118.dll
  Resource: win7-20240611-en
- Behavioral task: behavioral2
  Sample: b02604ec920bc250d015b843b84efa97_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: b02604ec920bc250d015b843b84efa97_JaffaCakes118.dll
- Size: 5.0MB
- MD5: b02604ec920bc250d015b843b84efa97
- SHA1: 0accc7366352882fa66443481323b24bff982e26
- SHA256: 2ce28a0df8beb5504ff1769d1b5f57bffd18bcb8cd39669649e445c6a60bf31a
- SHA512: 3606714c94cc1ca0524a912af8ffc8cc86f5e5e57d71f88f299ce1c1b6a6d9c59e3b31904431461d9fe4cae4e7c536a3b3a3ac3e261afba65dc93cf4b450444a
- SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVpi:TDqPe1Cxcxk3ZAEUadzR8ycA
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3207) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (PID, process):
  - 2208 mssecsvc.exe
  - 2784 mssecsvc.exe
  - 2684 tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  - File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs; all by process mssecsvc.exe)
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{127D41F4-8ED5-49D8-87E8-4A16086AD70F}\WpadNetworkName = "Network 3"
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-98-87-75-04-e4\WpadDecisionReason = "1"
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-98-87-75-04-e4
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (empty value)
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{127D41F4-8ED5-49D8-87E8-4A16086AD70F}\WpadDecisionReason = "1"
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{127D41F4-8ED5-49D8-87E8-4A16086AD70F}\WpadDecisionTime = b048a1236abfda01
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f017c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{127D41F4-8ED5-49D8-87E8-4A16086AD70F}
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{127D41F4-8ED5-49D8-87E8-4A16086AD70F}\WpadDecision = "0"
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{127D41F4-8ED5-49D8-87E8-4A16086AD70F}\b6-98-87-75-04-e4
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-98-87-75-04-e4\WpadDecisionTime = b048a1236abfda01
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-98-87-75-04-e4\WpadDecision = "0"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Suspicious use of WriteProcessMemory (11 IoCs)
  Events (source PID and process, target PID and process):
  - PID 2108 rundll32.exe wrote to memory of PID 2396 rundll32.exe (7 events)
  - PID 2396 rundll32.exe wrote to memory of PID 2208 mssecsvc.exe (4 events)
Processes (tree; indentation shows parent/child)
- C:\Windows\system32\rundll32.exe (PID 2108)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b02604ec920bc250d015b843b84efa97_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2396)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b02604ec920bc250d015b843b84efa97_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2208)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2684)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2784)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- File 1
  Filesize: 3.6MB
  MD5: 4a83f302968101a9c12410ef1c647a59
  SHA1: 8b6f7a682b2f92214a3553ee8899e8c4e0f8c869
  SHA256: 54d13721eabf71260fe1ef7da52d7c6c31f1598cea0b5baaca30778ba1a81469
  SHA512: 632960c704797501f9e3878c2c25f1b026f8d24d7726c658614ec29e16e51a7c5e01c9cbf45fb651efe16ded7a94ba82eecbbce5645552ffb1f13d8ee4dac0fd
- File 2
  Filesize: 3.4MB
  MD5: 4b275268b9ed8e597853780e369416de
  SHA1: a21a488bc6781ceb82701f25445a4b8cf718053c
  SHA256: 99bad35d9f3552a51b0fefbfb90f75f13fc62bdfcfb1de1283650228ed482640
  SHA512: ff1f7af56ccd85086f85805b4072b23fe2ad0cd6170c4af45da8f98d26dda151d5a6b4d0c944d47a65290404b532ca035bd7879b65f43db57faa1ebc860034f4