Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 16-06-2024 15:35

Static task: static1

Behavioral task: behavioral1
- Sample: b44224dc93972f90ffd34dd331d0c5ef_JaffaCakes118.dll
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: b44224dc93972f90ffd34dd331d0c5ef_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: b44224dc93972f90ffd34dd331d0c5ef_JaffaCakes118.dll
- Size: 5.0MB
- MD5: b44224dc93972f90ffd34dd331d0c5ef
- SHA1: 595e01adc188e91ea52423af38785e7bea6a4776
- SHA256: 57358f77e1adcd0c2f26f8f83f16f4878f8ee808b6c62a0346ac51bafae27a4c
- SHA512: d58cea4569e6dd4b08502fed01593d19106f5ef606b81b1f4ba5f939db360b09420ee9f93f227cc539566e75b511e21ebf809855cda5aa02a6287b30f1c865d6
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0hASk+RdhAdmv1LJMfcH9PO6LLuYAME:SnAQqMSPbcBVhAARdhnvxJM0H9PAME
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3146) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 2316: mssecsvc.exe
  - PID 3028: mssecsvc.exe
  - PID 376: tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes:
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (all by mssecsvc.exe):
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F14E5156-AE80-41FC-99BE-A6E391A9D977}\WpadDecisionReason = "1"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-11-a7-3b-9b-9c
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F14E5156-AE80-41FC-99BE-A6E391A9D977}\ee-11-a7-3b-9b-9c
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F14E5156-AE80-41FC-99BE-A6E391A9D977}
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F14E5156-AE80-41FC-99BE-A6E391A9D977}\WpadNetworkName = "Network 3"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-11-a7-3b-9b-9c\WpadDecisionReason = "1"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-11-a7-3b-9b-9c\WpadDecisionTime = 503ff1da02c0da01
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-11-a7-3b-9b-9c\WpadDecision = "0"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F14E5156-AE80-41FC-99BE-A6E391A9D977}\WpadDecisionTime = 503ff1da02c0da01
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F14E5156-AE80-41FC-99BE-A6E391A9D977}\WpadDecision = "0"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 3060 (rundll32.exe) wrote to memory of PID 1620 (rundll32.exe), 7 times
  - PID 1620 (rundll32.exe) wrote to memory of PID 2316 (mssecsvc.exe), 4 times
Processes
- C:\Windows\system32\rundll32.exe (PID 3060)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b44224dc93972f90ffd34dd331d0c5ef_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1620)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b44224dc93972f90ffd34dd331d0c5ef_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2316)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 376)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 3028)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: a33c0ed170e87c6ee6a55b16f85a1c42
  SHA1: afd116a01be2c1493e08a3542bd1948ebeba099e
  SHA256: 8f1209fc66228953767e25ee6f85a106b3dc084452cb8fdea35cdda3bcef841f
  SHA512: d9b846b253896302ca898c17ad425f9a792569f484f53ae76a714d54a739677663d1b9881fae1276b639b7591472ff7f5385cefc033a00bdad81f206a045c621
- Filesize: 3.4MB
  MD5: 79315e93e1e587369c28c10c7440cdbb
  SHA1: 64dd3537307acc6c30590833b827ba92cf0b55b4
  SHA256: 6660203d539eb99172bd694ed2384aa2e43809ec1e9c8d43da08cf4b0edcab93
  SHA512: 775685a3c897a82c52209fa17e1390ba2cc1b6ed8d9f755233d2f2390e848fe581d9269663105e1c48323df2b26081d19c54bfa4ffc91bd559f4105ff3fbee49