Analysis

max time kernel: 129s
max time network: 154s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 16-06-2024 04:39
Static task: static1

Behavioral task: behavioral1
  Sample: b1c22e18d7e3f126ba7692efe3092ffa_JaffaCakes118.dll
  Resource: win7-20240611-en

Behavioral task: behavioral2
  Sample: b1c22e18d7e3f126ba7692efe3092ffa_JaffaCakes118.dll
  Resource: win10v2004-20240611-en
General

Target: b1c22e18d7e3f126ba7692efe3092ffa_JaffaCakes118.dll
Size: 5.0MB
MD5: b1c22e18d7e3f126ba7692efe3092ffa
SHA1: 8c945e136757b2a8cb889bdce0fdfdfbe6582504
SHA256: d8ca9921e14601f55d5d0aa81bf47ff2850531697ce50862a4c9489184a71768
SHA512: f7e1cfcfb39b20f2acc978916584a5b84cf56163d31c964dd403b9f4ecfa5753b3c2c316a57f9fdf20f7f07ba4dcadc6f3deea613a54a6e5c0001c5aaa2fe872
SSDEEP: 12288:yebLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7:zbLgddQhfdmMSirYbcMNge
Malware Config
Signatures

- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3115) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID 2692: mssecsvc.exe
  PID 2748: mssecsvc.exe
  PID 2708: tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  All 24 operations are performed by mssecsvc.exe under \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (paths below are relative to that key unless given in full):
  Key created: Wpad\{FC2E391A-4286-4C02-90F2-0E7FC3EA7136}
  Set value (data): Wpad\{FC2E391A-4286-4C02-90F2-0E7FC3EA7136}\WpadDecisionTime = 2093c52fa7bfda01
  Key created: Wpad\{FC2E391A-4286-4C02-90F2-0E7FC3EA7136}\b6-7c-36-87-bc-21
  Set value (int): ZoneMap\AutoDetect = "1"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int): ProxyEnable = "0"
  Set value (int): ZoneMap\UNCAsIntranet = "0"
  Set value (str): 5.0\Cache\Content\CachePrefix (empty string)
  Set value (int): Wpad\{FC2E391A-4286-4C02-90F2-0E7FC3EA7136}\WpadDecisionReason = "1"
  Set value (str): Wpad\{FC2E391A-4286-4C02-90F2-0E7FC3EA7136}\WpadNetworkName = "Network 3"
  Set value (data): Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data): Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str): 5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str): 5.0\Cache\History\CachePrefix = "Visited:"
  Set value (data): Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int): Wpad\{FC2E391A-4286-4C02-90F2-0E7FC3EA7136}\WpadDecision = "0"
  Key created: Wpad\b6-7c-36-87-bc-21
  Set value (int): Wpad\b6-7c-36-87-bc-21\WpadDecisionReason = "1"
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (data): Wpad\b6-7c-36-87-bc-21\WpadDecisionTime = 2093c52fa7bfda01
  Set value (int): Wpad\b6-7c-36-87-bc-21\WpadDecision = "0"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Reading these: every entry is WinINet proxy-autodetect (WPAD), zone-map and cache state, written under the .DEFAULT hive because the writer runs as SYSTEM. The process tree attributes this signature to the service instance mssecsvc.exe -m security (PID 2748), and the counters.dat write under SysWOW64\config\systemprofile is the same WinINet activity. Treat them as the side effect of the binary's outbound HTTP request (WannaCry's kill-switch domain lookup), not as persistence or attacker configuration.
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2228 (rundll32.exe) wrote to memory of PID 2080 (rundll32.exe): 7 events
  PID 2080 (rundll32.exe) wrote to memory of PID 2692 (mssecsvc.exe): 4 events
  Both targets are children the writer itself had just created (see the process tree): the 64-bit system32 rundll32.exe handing the 32-bit DLL to its SysWOW64 counterpart, then the 32-bit rundll32.exe starting the dropped mssecsvc.exe. These are the writes a parent makes while setting up a new process, not injection into an unrelated one.
Processes

- C:\Windows\system32\rundll32.exe (PID 2228)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1c22e18d7e3f126ba7692efe3092ffa_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2080)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1c22e18d7e3f126ba7692efe3092ffa_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2692)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2708)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE

- C:\WINDOWS\mssecsvc.exe (PID 2748)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
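The process tree and the host fan-out above are the two behaviours a detection engineer would want to turn into rules. The following is an added example, not part of the Triage report and not code from the sample: a small Python detector that replays constructed Sysmon-style process-creation and network-connection events and flags the rundll32.exe -> mssecsvc.exe -> tasksche.exe /i chain, the mssecsvc.exe -m security service instance, and a process contacting an abnormal number of distinct hosts. The PIDs, image paths and command lines come from this report; the event schema, the parent of the service instance (services.exe, PID 480), the destination addresses, the port (445, WannaCry's SMB target, which this report does not list) and the attribution of the scan to PID 2748 are assumptions.

```python
# Added example, not part of the Triage report: replay Sysmon-style
# process-creation (EID 1) and network-connection (EID 3) events and flag the
# behaviours the report records for this sample.  PIDs, image paths and command
# lines are taken from the report's process tree; the event schema, the parent
# of the service instance (services.exe, PID 480), the destination addresses and
# the port are constructed/assumed for illustration.
from collections import defaultdict
from dataclasses import dataclass
import ipaddress


@dataclass
class ProcEvent:  # subset of a Sysmon EID 1 record
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class NetEvent:  # subset of a Sysmon EID 3 record
    pid: int
    image: str
    dst_ip: str
    dst_port: int


FAN_OUT_THRESHOLD = 100  # distinct destinations per process; the report saw 3115


def image_is(image: str, name: str) -> bool:
    """Case-insensitive match on the image file name only."""
    return image.lower().rsplit("\\", 1)[-1] == name


def find_wannacry_chain(events):
    """Return (rule, pid) hits for the process-tree patterns in the report."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        argv = e.cmdline.lower().split()
        # rundll32.exe drops C:\WINDOWS\mssecsvc.exe and launches it (PID 2080 -> 2692)
        if image_is(e.image, "mssecsvc.exe") and parent and image_is(parent.image, "rundll32.exe"):
            hits.append(("mssecsvc_from_rundll32", e.pid))
        # mssecsvc.exe launches tasksche.exe /i, the ransomware stage (PID 2692 -> 2708)
        if image_is(e.image, "tasksche.exe") and "/i" in argv and parent and image_is(parent.image, "mssecsvc.exe"):
            hits.append(("tasksche_install", e.pid))
        # second mssecsvc.exe instance started as a service: 'mssecsvc.exe -m security' (PID 2748)
        if image_is(e.image, "mssecsvc.exe") and argv[-2:] == ["-m", "security"]:
            hits.append(("mssecsvc_service_mode", e.pid))
    return hits


def find_fan_out(net_events, threshold=FAN_OUT_THRESHOLD):
    """Distinct destination hosts per pid; returns {pid: count} for pids at or above threshold."""
    dests = defaultdict(set)
    for n in net_events:
        dests[n.pid].add(n.dst_ip)
    return {pid: len(d) for pid, d in dests.items() if len(d) >= threshold}


# --- constructed sample data (PIDs/paths from the report) --------------------
SAMPLE_PROCS = [
    ProcEvent(2228, 1, r"C:\Windows\system32\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1c22e18d7e3f126ba7692efe3092ffa_JaffaCakes118.dll,#1"),
    ProcEvent(2080, 2228, r"C:\Windows\SysWOW64\rundll32.exe",
              r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1c22e18d7e3f126ba7692efe3092ffa_JaffaCakes118.dll,#1"),
    ProcEvent(2692, 2080, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(2708, 2692, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    # parent PID 480 (services.exe) is assumed; the report does not show it
    ProcEvent(2748, 480, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
]


def constructed_scan(pid, image, count, port=445):
    """Constructed: `count` distinct hosts in 10.0.0.0/16.  The report gives the
    host count (3115) but neither addresses nor ports; 445 is WannaCry's known
    SMB target and is an assumption here."""
    hosts = ipaddress.ip_network("10.0.0.0/16").hosts()
    return [NetEvent(pid, image, str(next(hosts)), port) for _ in range(count)]


# attributing the scan to the service instance (PID 2748) is an assumption;
# the five svchost.exe flows are a benign control that must not be flagged
SAMPLE_NET = constructed_scan(2748, r"C:\WINDOWS\mssecsvc.exe", 3115) + [
    NetEvent(1500, r"C:\Windows\System32\svchost.exe", "10.0.200.7", 443) for _ in range(5)
]

if __name__ == "__main__":
    for rule, pid in find_wannacry_chain(SAMPLE_PROCS):
        print(f"[proc] {rule}: pid {pid}")
    for pid, n in find_fan_out(SAMPLE_NET).items():
        print(f"[net]  pid {pid} contacted {n} distinct hosts")
```

The chain rules key on parent image plus the child's argument shape (`/i`, `-m security`) rather than on file hashes, so they survive a recompiled dropper; the fan-out rule counts distinct destinations per process, which is what the "Contacts a large amount of remote hosts" signature measures, and a threshold of 100 is far below the 3115 seen here while well above normal workstation traffic.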
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 7f64fbc4ff36d8b483dee7393a75038f
  SHA1: aaab184e716ef1e4e6307af3bf41de2933abee03
  SHA256: 56dd97957b6e2af0c5ae0f6766a6fa1eea221f86acd78af8e0948ce05324ee04
  SHA512: 5561982bdaa4075b9feabc1d8846392b315a26f1f4e2857bbd45ed4ec5f154672c6ee9a10e0205f767847d80b6105d67ab9d323f942d4416bcfe5e51800b30ed

- Filesize: 3.4MB
  MD5: 7d127b5927509092c87db2a5d433de3c
  SHA1: 10ee49743677f8cf3120b7ff6423a6288f06b8ff
  SHA256: cf57bdc54874f8541e54638f8c460b07fc48d8c79aef511c05260d77a5ec4bd9
  SHA512: e86e510e88496475cd2f1db74146c1266f314625cb2909043f38fba2f1625b1d1a1127ca8dc4b27858dbd6403b149c5e16cf897c5ddda91dd347376613fa2b6a