Analysis
  Max time kernel: 150s
  Max time network: 156s
  Platform: windows7_x64
  Resource: win7-20240611-en
  Resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
  Submitted: 17-06-2024 01:08
Static task: static1
Behavioral task: behavioral1
  Sample: b61a7de42bce5f5ba271c2798cba3deb_JaffaCakes118.dll
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: b61a7de42bce5f5ba271c2798cba3deb_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
  Target: b61a7de42bce5f5ba271c2798cba3deb_JaffaCakes118.dll
  Size: 5.0MB
  MD5: b61a7de42bce5f5ba271c2798cba3deb
  SHA1: b2f2c9305182148c69bb41bb2aa8ad84cc8d806c
  SHA256: 376b1959b46f61a2e625f9ad968e18e65e09380300d1ced80270a4d9947b0cde
  SHA512: 04bff42326aeaefc33e4b62a91bd7aae5101b7a2f24f4f37f662d9d233af99ceb34423830fa97887a78ddceffda8be13acd643cf5d9ebaff4d34c2fe8ecbd2d5
  SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593H:TDqPe1Cxcxk3ZAEUadzH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3102) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes (PID, process):
    2056  mssecsvc.exe
    2596  mssecsvc.exe
    2620  tasksche.exe

- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Drops file in System32 directory (1 IoC)
  Processes (description, IoC, process):
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe

- Drops file in Windows directory (2 IoCs)
  Processes (description, IoC, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe

- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, IoC; all entries by mssecsvc.exe):
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{63767EEB-E6B5-459B-B370-46540194F13F}\1a-6d-3b-35-37-3c
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-6d-3b-35-37-3c\WpadDecisionTime = 704e82e352c0da01
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{63767EEB-E6B5-459B-B370-46540194F13F}\WpadDecisionTime = 704e82e352c0da01
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-6d-3b-35-37-3c\WpadDecisionReason = "1"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-6d-3b-35-37-3c\WpadDecision = "0"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b6000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{63767EEB-E6B5-459B-B370-46540194F13F}
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1a-6d-3b-35-37-3c
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{63767EEB-E6B5-459B-B370-46540194F13F}\WpadDecisionReason = "1"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{63767EEB-E6B5-459B-B370-46540194F13F}\WpadDecision = "0"
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{63767EEB-E6B5-459B-B370-46540194F13F}\WpadNetworkName = "Network 3"

- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, PID, process, target process):
    PID 2456 wrote to memory of 2232  rundll32.exe -> rundll32.exe   (7 occurrences)
    PID 2232 wrote to memory of 2056  rundll32.exe -> mssecsvc.exe   (4 occurrences)
Processes
  1. C:\Windows\system32\rundll32.exe
     Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b61a7de42bce5f5ba271c2798cba3deb_JaffaCakes118.dll,#1
     PID: 2456
     Signatures: Suspicious use of WriteProcessMemory
     2. C:\Windows\SysWOW64\rundll32.exe
        Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b61a7de42bce5f5ba271c2798cba3deb_JaffaCakes118.dll,#1
        PID: 2232
        Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
        3. C:\WINDOWS\mssecsvc.exe
           Command line: C:\WINDOWS\mssecsvc.exe
           PID: 2056
           Signatures: Executes dropped EXE; Drops file in Windows directory
           4. C:\WINDOWS\tasksche.exe
              Command line: C:\WINDOWS\tasksche.exe /i
              PID: 2620
              Signatures: Executes dropped EXE
  1. C:\WINDOWS\mssecsvc.exe
     Command line: C:\WINDOWS\mssecsvc.exe -m security
     PID: 2596
     Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
  - Filesize: 3.6MB
    MD5: f93f6ccac08d3ff21e3c32c68f724738
    SHA1: 3bee4a1dc0065580a5210c319658d4195ca20d85
    SHA256: 7482d4202ac7d7eea35b4a0f8d12af6e0b5551d63ebe780584f49f1ee6729c13
    SHA512: 54fff2a937cc2a522d4a42ee061a24926ac83d141e2b6c479bf3c036c4065661f04bd744708a272e1c22b5ce28a4778b597ab90f7f216844f5499a067815243b
  - Filesize: 3.4MB
    MD5: 043235ff25f1ca885f2f7941649c1dc8
    SHA1: 8a403573e794e6bde261d1693bb3fae0b5b8a83d
    SHA256: 5fe12b9573a0cb28cdc81f17d6aa1654ecd8319cdefb259b53283e81429df344
    SHA512: 51cf2b55f333ab9308e5e4e53664763d7afbb437cac29f356d1441ce509516b841ca27eb781f65e760aee7a3a1ce66b21677699a7882a05d10d0a774d29e104f