Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 16-06-2024 02:38
Static task: static1
Behavioral task: behavioral1
- Sample: b15e71b5a031527708989dfae13bc628_JaffaCakes118.dll
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: b15e71b5a031527708989dfae13bc628_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: b15e71b5a031527708989dfae13bc628_JaffaCakes118.dll
- Size: 5.0MB
- MD5: b15e71b5a031527708989dfae13bc628
- SHA1: 968f15028490863d26fc18d13067c098420f9f37
- SHA256: 008e95f1485ce1bc0d4aab8b67cb8ee25f01b0d5d5d8503f7c062be97133786a
- SHA512: 6d87a3fd962af7ee3557db33cdf6fa491c4ec13aded99b5b75a53b5eaee477f17b4f06a981bfcbde3286d75184c56b9e166f6f67573e532aea5b07a9a6007536
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9ONuE:+DqPe1Cxcxk3ZAEUa
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3172) of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2936  mssecsvc.exe
    2608  mssecsvc.exe
    2676  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc, process):
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  mssecsvc.exe
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0133000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C6FE3111-72D3-4E81-BC07-5764E5CEA9F9}\WpadDecision = "0"  mssecsvc.exe
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C6FE3111-72D3-4E81-BC07-5764E5CEA9F9}\WpadNetworkName = "Network 3"  mssecsvc.exe
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"  mssecsvc.exe
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  mssecsvc.exe
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad  mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C6FE3111-72D3-4E81-BC07-5764E5CEA9F9}\WpadDecisionReason = "1"  mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-80-35-cf-03-a3\WpadDecisionReason = "1"  mssecsvc.exe
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"  mssecsvc.exe
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C6FE3111-72D3-4E81-BC07-5764E5CEA9F9}  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-80-35-cf-03-a3\WpadDecisionTime = b0cce75996bfda01  mssecsvc.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C6FE3111-72D3-4E81-BC07-5764E5CEA9F9}\WpadDecisionTime = b0cce75996bfda01  mssecsvc.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-80-35-cf-03-a3  mssecsvc.exe
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C6FE3111-72D3-4E81-BC07-5764E5CEA9F9}\ba-80-35-cf-03-a3  mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ba-80-35-cf-03-a3\WpadDecision = "0"  mssecsvc.exe
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 2100 wrote to memory of 1656  2100  rundll32.exe  rundll32.exe
    PID 2100 wrote to memory of 1656  2100  rundll32.exe  rundll32.exe
    PID 2100 wrote to memory of 1656  2100  rundll32.exe  rundll32.exe
    PID 2100 wrote to memory of 1656  2100  rundll32.exe  rundll32.exe
    PID 2100 wrote to memory of 1656  2100  rundll32.exe  rundll32.exe
    PID 2100 wrote to memory of 1656  2100  rundll32.exe  rundll32.exe
    PID 2100 wrote to memory of 1656  2100  rundll32.exe  rundll32.exe
    PID 1656 wrote to memory of 2936  1656  rundll32.exe  mssecsvc.exe
    PID 1656 wrote to memory of 2936  1656  rundll32.exe  mssecsvc.exe
    PID 1656 wrote to memory of 2936  1656  rundll32.exe  mssecsvc.exe
    PID 1656 wrote to memory of 2936  1656  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 2100)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b15e71b5a031527708989dfae13bc628_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1656)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b15e71b5a031527708989dfae13bc628_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2936)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2676)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2608)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 9cf00d9e192bab8f38daaa780492400a
  SHA1: 489951fddc8df27d10a4d0c7d5cc463fb7f41ff6
  SHA256: 5f2fc4508b53dd5afde0a841c04557a8f1f6a97be08d06f4b48a0396f1aa4c8b
  SHA512: 445faf1802925561e07665748da9cc44a34add4d19f04e09cb269b85f169bada47f39d4952e1e3cdabaad767569b3a56377537572e7215055a231f907bc3192b
- Filesize: 3.4MB
  MD5: 74a5f72a542da4d1acd1aa303e2869e9
  SHA1: 9a50a3e43a1f46c66684e29b69e80a6052201995
  SHA256: 540002fbb56b070bcc4525299713a740d58c469b4201f963866702332a04f2c9
  SHA512: 0ed70f97d14b4eb2dc4cb3567ddd5d902fe355f89589a32942819cf89e935bc94cc984b7cd6266c2e82de3f919932e88abb3e8c76277e63ba00730aa73f14d5f