Resubmissions
16-06-2024 03:03
240616-dj43ssxblc 10
Analysis
max time kernel: 152s
max time network: 156s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 16-06-2024 03:03
Static task: static1
Behavioral task: behavioral1
Sample: b1761d337705ff449e5559e97e125670_JaffaCakes118.dll
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: b1761d337705ff449e5559e97e125670_JaffaCakes118.dll
Resource: win10v2004-20240611-en
General
Target: b1761d337705ff449e5559e97e125670_JaffaCakes118.dll
Size: 5.0MB
MD5: b1761d337705ff449e5559e97e125670
SHA1: 55d2689d133802a68fb79cdb4db85a017a91986d
SHA256: 9d33ac1ab2c888d415559679c344607099ce07e6ca68723d293e2f19a5f71e38
SHA512: 6cc9d0fb7993205d035920ef7df28241cef47ef977c388b4f79bc1db02e1d90c325f98e5a384511a1ff4d4383caf621159f3582a5a39d98f61171698c7cbef5d
SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAD9P593R8yAVp2H:TDqPe1Cxcxk3ZADdzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3171) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
PID 2360 mssecsvc.exe
PID 2656 mssecsvc.exe
PID 2784 tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
-
Drops file in Windows directory 2 IoCs
Processes:
File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
-
Modifies data under HKEY_USERS 24 IoCs
Processes:
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590} (mssecsvc.exe)
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (mssecsvc.exe)
Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (mssecsvc.exe)
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (mssecsvc.exe)
Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\WpadDecisionReason = "1" (mssecsvc.exe)
Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\WpadNetworkName = "Network 3" (mssecsvc.exe)
Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-01-0c-0e-65-4b\WpadDecisionReason = "1" (mssecsvc.exe)
Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-01-0c-0e-65-4b\WpadDecisionTime = 602c7fc399bfda01 (mssecsvc.exe)
Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (mssecsvc.exe)
Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (mssecsvc.exe)
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (mssecsvc.exe)
Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (mssecsvc.exe)
Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (mssecsvc.exe)
Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\WpadDecisionTime = 602c7fc399bfda01 (mssecsvc.exe)
Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\WpadDecision = "0" (mssecsvc.exe)
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (mssecsvc.exe)
Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-01-0c-0e-65-4b\WpadDecision = "0" (mssecsvc.exe)
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-01-0c-0e-65-4b (mssecsvc.exe)
Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\76-01-0c-0e-65-4b (mssecsvc.exe)
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
PID 3032 (rundll32.exe) wrote to memory of 2144 (rundll32.exe)
PID 3032 (rundll32.exe) wrote to memory of 2144 (rundll32.exe)
PID 3032 (rundll32.exe) wrote to memory of 2144 (rundll32.exe)
PID 3032 (rundll32.exe) wrote to memory of 2144 (rundll32.exe)
PID 3032 (rundll32.exe) wrote to memory of 2144 (rundll32.exe)
PID 3032 (rundll32.exe) wrote to memory of 2144 (rundll32.exe)
PID 3032 (rundll32.exe) wrote to memory of 2144 (rundll32.exe)
PID 2144 (rundll32.exe) wrote to memory of 2360 (mssecsvc.exe)
PID 2144 (rundll32.exe) wrote to memory of 2360 (mssecsvc.exe)
PID 2144 (rundll32.exe) wrote to memory of 2360 (mssecsvc.exe)
PID 2144 (rundll32.exe) wrote to memory of 2360 (mssecsvc.exe)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1761d337705ff449e5559e97e125670_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3032
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1761d337705ff449e5559e97e125670_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2144
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2360
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2784
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2656
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 80b975342a13c58d3fe7d7be24a93307
  SHA1: f1e9f87f2eb0e0a26f5654ecde6b2ec88556d655
  SHA256: 88e82d0982d24a21149b58ad4a591eae18c16cfdd7e19158d6ad2d74924a227a
  SHA512: 7f1bf3dcdea0a85a89d2edf6194df24df6d6d2b6cfe38b7909dc37593ef0a514450e0e93133bce0f1a792a808cd66e5ab0e4801eed31709be60c94d186999a91
- Filesize: 3.4MB
  MD5: 66f1695c50220eb3721124945c8c77f2
  SHA1: 96660f4cc1b20edaf78c212f84f6d35e75073e9c
  SHA256: c5dff97718c28e9194b31f3c86f457543ddb9fb58ea6119d4c7d61d697882541
  SHA512: 2b75913910b5858fcc796f999b15b07e9843190f53c529b12d11385f4d2072c68bab29e70050d4a513785874ce8a2470a3fbd1738e6180f09136d3aab08167a7