Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
22-06-2024 17:52
Static task
static1
Behavioral task
behavioral1
Sample
033f9150e241e7accecb60d849481871_JaffaCakes118.dll
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
033f9150e241e7accecb60d849481871_JaffaCakes118.dll
Resource
win10v2004-20240611-en
General
-
Target
033f9150e241e7accecb60d849481871_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
033f9150e241e7accecb60d849481871
-
SHA1
09067fd23539df1ece704a92b2dca8e32f20f7c8
-
SHA256
5013a9fc3766f0c065d44c9f6a6a8c0101811d7df4860dd50cf627a0d28ed007
-
SHA512
e08d2eb9edacbda6dfc7b2a153eaa7f38fe967876df28230e0cc88d3511d8f867f32314f49e761f402d1ff6f10fb411546ca549d855d9676992788670d512015
-
SSDEEP
98304:dDqPoBhz1aRxcSUZk36SAEdhvxWa9P593R8yAVp2H:dDqPe1Cxc7k3ZAEUadzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (2663) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 2736 mssecsvc.exe 2436 mssecsvc.exe 2428 tasksche.exe -
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F7821FD-AC83-4AB3-B942-EBFDAC83AC41} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F7821FD-AC83-4AB3-B942-EBFDAC83AC41}\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F7821FD-AC83-4AB3-B942-EBFDAC83AC41}\WpadDecisionTime = 40bd7807cdc4da01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F7821FD-AC83-4AB3-B942-EBFDAC83AC41}\WpadDecision = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-f3-aa-75-1f-a0 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-f3-aa-75-1f-a0\WpadDecisionTime = 40bd7807cdc4da01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-f3-aa-75-1f-a0\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F7821FD-AC83-4AB3-B942-EBFDAC83AC41}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4F7821FD-AC83-4AB3-B942-EBFDAC83AC41}\0e-f3-aa-75-1f-a0 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-f3-aa-75-1f-a0\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0025000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2400 wrote to memory of 2512 2400 rundll32.exe rundll32.exe PID 2400 wrote to memory of 2512 2400 rundll32.exe rundll32.exe PID 2400 wrote to memory of 2512 2400 rundll32.exe rundll32.exe PID 2400 wrote to memory of 2512 2400 rundll32.exe rundll32.exe PID 2400 wrote to memory of 2512 2400 rundll32.exe rundll32.exe PID 2400 wrote to memory of 2512 2400 rundll32.exe rundll32.exe PID 2400 wrote to memory of 2512 2400 rundll32.exe rundll32.exe PID 2512 wrote to memory of 2736 2512 rundll32.exe mssecsvc.exe PID 2512 wrote to memory of 2736 2512 rundll32.exe mssecsvc.exe PID 2512 wrote to memory of 2736 2512 rundll32.exe mssecsvc.exe PID 2512 wrote to memory of 2736 2512 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\033f9150e241e7accecb60d849481871_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\033f9150e241e7accecb60d849481871_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2736 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2428
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2436
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5272d02d9694b6108ce0cb93be8af8f16
SHA16e34070d194e33e9eef908f71e6cc597d3283f5d
SHA25679f1263d4f4c1c3fcb3698f6ebb2214999e4fc462cc15f5fe9f366c1e44d2bb8
SHA51262a7fa4c23e00e41cde6f00270eadc4e17c2b3fc40d5b11526c2791a2aab7f42aee637901c80226d6526c9c57c31b764ccf494b1301016b0111e460c6cd5dc75
-
Filesize
3.4MB
MD5c88722ef42a6ee08cbed91406ea5c0e5
SHA1643960f48a68ba0778621871f37389215642c423
SHA256efbc1542b29b798dbbeeb531bbb4b84d422843f9c66d3aff9f301ab9296d8b4c
SHA5125381f40e08c425f96cc8fe2c3e76c4440d39773889e5d137111441805b1786df5f5b38ed60c9461243f8fcb8078d68174c066695ab9b15a96ba5f6a348950f18