Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 16-06-2024 05:04
Static task: static1

Behavioral task: behavioral1
  Sample: b1d879e25fa026cd0b3862adcd964992_JaffaCakes118.dll
  Resource: win7-20240508-en

Behavioral task: behavioral2
  Sample: b1d879e25fa026cd0b3862adcd964992_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General

Target: b1d879e25fa026cd0b3862adcd964992_JaffaCakes118.dll
Size: 5.0MB
MD5: b1d879e25fa026cd0b3862adcd964992
SHA1: a80c5fc70b88793bb3c4bb94d8645db478e26d23
SHA256: c0cced0362a874cb846f09d78c176da8312b2f86f1187c321a08b6736b68f156
SHA512: 81858081624f42caa35f36ce2308cc509840fbde82fec8e43fd8525e025660094989e99fb73e2f6ed74ee198f1cc967400eed4e95c64682ba85566a3ce0ddeeb
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0KMEcaEau3:+DqPoBhz1aRxcSUDk36SAEdhvxW+93
Malware Config

Signatures

Wannacry
  WannaCry is a ransomware cryptoworm.

Contacts a large (2670) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  1964  mssecsvc.exe
  2640  mssecsvc.exe
  2676  tasksche.exe
Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-27-2d-32-ba-d3\WpadDecisionReason = "1" (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-27-2d-32-ba-d3\WpadDecisionTime = e02995abaabfda01 (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-27-2d-32-ba-d3\WpadDecision = "0" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F38CB632-1FA1-4A4D-ABFF-D12F6707007A}\WpadDecisionReason = "1" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F38CB632-1FA1-4A4D-ABFF-D12F6707007A}\WpadDecision = "0" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F38CB632-1FA1-4A4D-ABFF-D12F6707007A}\8e-27-2d-32-ba-d3 (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F38CB632-1FA1-4A4D-ABFF-D12F6707007A}\WpadNetworkName = "Network 3" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-27-2d-32-ba-d3 (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F38CB632-1FA1-4A4D-ABFF-D12F6707007A} (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F38CB632-1FA1-4A4D-ABFF-D12F6707007A}\WpadDecisionTime = e02995abaabfda01 (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                        pid   process       target process
  PID 2936 wrote to memory of 2992   2936  rundll32.exe  rundll32.exe
  PID 2936 wrote to memory of 2992   2936  rundll32.exe  rundll32.exe
  PID 2936 wrote to memory of 2992   2936  rundll32.exe  rundll32.exe
  PID 2936 wrote to memory of 2992   2936  rundll32.exe  rundll32.exe
  PID 2936 wrote to memory of 2992   2936  rundll32.exe  rundll32.exe
  PID 2936 wrote to memory of 2992   2936  rundll32.exe  rundll32.exe
  PID 2936 wrote to memory of 2992   2936  rundll32.exe  rundll32.exe
  PID 2992 wrote to memory of 1964   2992  rundll32.exe  mssecsvc.exe
  PID 2992 wrote to memory of 1964   2992  rundll32.exe  mssecsvc.exe
  PID 2992 wrote to memory of 1964   2992  rundll32.exe  mssecsvc.exe
  PID 2992 wrote to memory of 1964   2992  rundll32.exe  mssecsvc.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1d879e25fa026cd0b3862adcd964992_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2936
  └ C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b1d879e25fa026cd0b3862adcd964992_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      PID: 2992
      └ C:\WINDOWS\mssecsvc.exe
          Command line: C:\WINDOWS\mssecsvc.exe
          - Executes dropped EXE
          - Drops file in Windows directory
          PID: 1964
          └ C:\WINDOWS\tasksche.exe
              Command line: C:\WINDOWS\tasksche.exe /i
              - Executes dropped EXE
              PID: 2676

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2640
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.6MB
  MD5: 39d7b40d6386026039778cff5a623a8e
  SHA1: 57bbeb96100ece190d20735b10f94f28c859458f
  SHA256: 6706c12bc92fe64f0146028e238e79dc97bdfcb3c6c7031e87dd944e117b5e7b
  SHA512: 5e6fed967149e772cebe0397876386a8a5fd3feb699c999a5445b2b837db992d7c61ecd64e9e9103120e188169aff96bc72f60ee23ac6223a4f099f4efc33f89

Filesize: 3.4MB
  MD5: 9b7c450aa958b5ff1cbb7a27574eb458
  SHA1: 34bc44a0102bf19c5073d55b439374df1c8ce154
  SHA256: b3dedf8e93459003ce839f6132cda2decfd7a9d746c33e4f3c3f8186a3d303ee
  SHA512: e4a5927ff803c70908def54067c28fa7ac42318a800f3b8839b30d7118e971b439a77783087e64d51a575b849bb417134cb1b4d35de90b34e86ad767985ed1b1