Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 16-07-2024 17:24
Static task: static1
Behavioral task: behavioral1
  Sample: 4f53357da304a79b6cb55fd8de9a094c_JaffaCakes118.dll
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 4f53357da304a79b6cb55fd8de9a094c_JaffaCakes118.dll
  Resource: win10v2004-20240709-en
General
Target: 4f53357da304a79b6cb55fd8de9a094c_JaffaCakes118.dll
Size: 5.0MB
MD5: 4f53357da304a79b6cb55fd8de9a094c
SHA1: 9c5c47270b57100cb7b3b03684c4f284bca65454
SHA256: 3ed9aa7e2e3eb4fa3b843e03a267f287cb6fa96e720f216e8c8dc51e0342dd3a
SHA512: d939fedd902bb1d8c279765edc825b3c5947d5bc45ec070840a9e9357bf46f28bef6f38c59549e9c77323c226bac0586002b7104403ee5295b7d240ce4c378d2
SSDEEP: 12288:TQbLgmluyQhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjEXFy:MbLguVQhfdmMSirYbcMNgef0QeQjGZ
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2072) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    2392  mssecsvr.exe
    316   mssecsvr.exe
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvr.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvr.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvr.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc, process), all by mssecsvr.exe:
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A2448A5-ACE8-4665-BAFD-CF18ADC0F018}\WpadDecisionReason = "1"
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A2448A5-ACE8-4665-BAFD-CF18ADC0F018}\WpadNetworkName = "Network 3"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-f8-83-de-84-5f
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A2448A5-ACE8-4665-BAFD-CF18ADC0F018}\5a-f8-83-de-84-5f
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A2448A5-ACE8-4665-BAFD-CF18ADC0F018}\WpadDecision = "0"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-f8-83-de-84-5f\WpadDecision = "0"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-f8-83-de-84-5f\WpadDecisionTime = 60338704a5d7da01
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A2448A5-ACE8-4665-BAFD-CF18ADC0F018}
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1A2448A5-ACE8-4665-BAFD-CF18ADC0F018}\WpadDecisionTime = 60338704a5d7da01
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-f8-83-de-84-5f\WpadDecisionReason = "1"
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 1628 wrote to memory of 1676  1628  rundll32.exe  rundll32.exe
    PID 1628 wrote to memory of 1676  1628  rundll32.exe  rundll32.exe
    PID 1628 wrote to memory of 1676  1628  rundll32.exe  rundll32.exe
    PID 1628 wrote to memory of 1676  1628  rundll32.exe  rundll32.exe
    PID 1628 wrote to memory of 1676  1628  rundll32.exe  rundll32.exe
    PID 1628 wrote to memory of 1676  1628  rundll32.exe  rundll32.exe
    PID 1628 wrote to memory of 1676  1628  rundll32.exe  rundll32.exe
    PID 1676 wrote to memory of 2392  1676  rundll32.exe  mssecsvr.exe
    PID 1676 wrote to memory of 2392  1676  rundll32.exe  mssecsvr.exe
    PID 1676 wrote to memory of 2392  1676  rundll32.exe  mssecsvr.exe
    PID 1676 wrote to memory of 2392  1676  rundll32.exe  mssecsvr.exe
Processes
C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f53357da304a79b6cb55fd8de9a094c_JaffaCakes118.dll,#1
  PID: 1628
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4f53357da304a79b6cb55fd8de9a094c_JaffaCakes118.dll,#1
    PID: 1676
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvr.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvr.exe
      PID: 2392
      - Executes dropped EXE
      - Drops file in Windows directory
C:\WINDOWS\mssecsvr.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvr.exe -m security
  PID: 316
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.2MB
MD5: 27252ec19ef563b68c895c0cbfa9624e
SHA1: bdf1ea9b2b018bd9cef77ce20f6d569ad2210c1a
SHA256: daac74d376cdbcec144a430ed069c6776bf444491690e67af6e04495b32c7cdd
SHA512: 58abe6da32f3438197dc597bbc131024f7e2b371918b2159d046b039c2dce0b40ff6cdacaf4b80ee171cf6ac58f247d3d7a5b79cef30b537649b387939039e52