Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
16-06-2024 10:08
Static task
static1
Behavioral task
behavioral1
Sample
b2f17d000ec84280617f1b2d0c9acd03_JaffaCakes118.dll
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
b2f17d000ec84280617f1b2d0c9acd03_JaffaCakes118.dll
Resource
win10v2004-20240611-en
General
-
Target
b2f17d000ec84280617f1b2d0c9acd03_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
b2f17d000ec84280617f1b2d0c9acd03
-
SHA1
6972b0feef439cdfae2a7b77de7c30d21c63064b
-
SHA256
c6a3250501aca122f8ada0a3d9b7586144a17ea89ff5730d2537b9a3942927ba
-
SHA512
5083fc7761d87a142a2216e29fdbb57c60cd17f9ddee7b3427eaf1ee526822464062dc763992486b3ba99d45c2d713ad879690f0f39b2774fb1ae301d5ef9405
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM:+DqPoBhz1aRxcSUDk36SAEdhvxW
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3341) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 2328 mssecsvc.exe 2616 mssecsvc.exe 2604 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0CEEBF1F-2565-4A2C-82D1-C630D0E51D7F}\WpadDecisionTime = 5060bd1bd5bfda01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-6d-4b-d7-b9-1b\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-6d-4b-d7-b9-1b\WpadDecision = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0CEEBF1F-2565-4A2C-82D1-C630D0E51D7F} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0CEEBF1F-2565-4A2C-82D1-C630D0E51D7F}\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0CEEBF1F-2565-4A2C-82D1-C630D0E51D7F}\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-6d-4b-d7-b9-1b mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-6d-4b-d7-b9-1b\WpadDecisionTime = 5060bd1bd5bfda01 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0CEEBF1F-2565-4A2C-82D1-C630D0E51D7F}\WpadNetworkName = "Network 3" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0043000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0CEEBF1F-2565-4A2C-82D1-C630D0E51D7F}\5e-6d-4b-d7-b9-1b mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2244 wrote to memory of 2036 2244 rundll32.exe rundll32.exe PID 2244 wrote to memory of 2036 2244 rundll32.exe rundll32.exe PID 2244 wrote to memory of 2036 2244 rundll32.exe rundll32.exe PID 2244 wrote to memory of 2036 2244 rundll32.exe rundll32.exe PID 2244 wrote to memory of 2036 2244 rundll32.exe rundll32.exe PID 2244 wrote to memory of 2036 2244 rundll32.exe rundll32.exe PID 2244 wrote to memory of 2036 2244 rundll32.exe rundll32.exe PID 2036 wrote to memory of 2328 2036 rundll32.exe mssecsvc.exe PID 2036 wrote to memory of 2328 2036 rundll32.exe mssecsvc.exe PID 2036 wrote to memory of 2328 2036 rundll32.exe mssecsvc.exe PID 2036 wrote to memory of 2328 2036 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b2f17d000ec84280617f1b2d0c9acd03_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\b2f17d000ec84280617f1b2d0c9acd03_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2328 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2604
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2616
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD546f4cfb7f7f58d504a7c00827485cfb3
SHA11be4dbb360bc57c769a5af1b21c97d40d4af9450
SHA25600097cd13fec6bff5ba96e8a9b4c519bd2dc9d032a99217cf2b006553190e1dd
SHA5122d3b97f98b06f5b11aa2aa4279789f8f5bb21ee723db4a2de678a85cf3e5e40bf3cb1b404e9f0cefa4c185eca7fae889c8ae8cbad18d02adf4ccefcdb62372d7
-
Filesize
3.4MB
MD5d8f5582b163c409bfe9b7a9884260fae
SHA1a8a9f4a7d7fbc127ed5a64c1ae165506c38ffdaa
SHA25621a13187f4df8d4fd86d718e89f5226ed1fa62cdee010b459da3fbe4f8501786
SHA51242c10f5c46cd7f7990d5924c848c91c4c903f83c49860eba052215b7c9d854b532931af6fdbdc2f2052f0dc22479803407601779d4d40c9f05d769fad68ec36c