Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
23-07-2024 14:14
Static task
static1
Behavioral task
behavioral1
Sample
67e4c40e171d9de8ee90763ad3b1ea96_JaffaCakes118.dll
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
67e4c40e171d9de8ee90763ad3b1ea96_JaffaCakes118.dll
Resource
win10v2004-20240709-en
General
-
Target
67e4c40e171d9de8ee90763ad3b1ea96_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
67e4c40e171d9de8ee90763ad3b1ea96
-
SHA1
758467d777fd49fbcdbd1a252221f23b7ad7004f
-
SHA256
1ec3e2414cfbfde6262c4860516eca5411a10992381d531750c7a1856c8714f5
-
SHA512
fcb3f222f75012e823f9cfe07243c245091be8fa8ac21eec50af9e55e24f162a6b99ed4b4cf5993a842e25067a6c9c399c5c8c21e27c2aba5dce1391820477bf
-
SSDEEP
49152:SnAQqMSPbcBVI/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBC1aRxcSUDk36SAEdhvxWa9
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3324) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
- PID 3024: mssecsvc.exe
- PID 2916: mssecsvc.exe
- PID 2596: tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
- File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: mssecsvc.exe)
-
Drops file in Windows directory 2 IoCs
Processes:
- File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
- File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
-
Modifies data under HKEY_USERS 24 IoCs
Processes:
All entries below were made by process mssecsvc.exe:
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4C3FF418-ACF9-4D11-B32C-198C44705BF7}\WpadDecisionTime = 0031879c0addda01
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4C3FF418-ACF9-4D11-B32C-198C44705BF7}\WpadDecisionReason = "1"
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4C3FF418-ACF9-4D11-B32C-198C44705BF7}\WpadNetworkName = "Network 3"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-bd-69-fe-4b-53
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-bd-69-fe-4b-53\WpadDecisionReason = "1"
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4C3FF418-ACF9-4D11-B32C-198C44705BF7}
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4C3FF418-ACF9-4D11-B32C-198C44705BF7}\WpadDecision = "0"
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-bd-69-fe-4b-53\WpadDecisionTime = 0031879c0addda01
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (no value recorded)
- Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4C3FF418-ACF9-4D11-B32C-198C44705BF7}\46-bd-69-fe-4b-53
- Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-bd-69-fe-4b-53\WpadDecision = "0"
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
- PID 2880 (rundll32.exe) wrote to memory of PID 2940 (rundll32.exe), recorded 7 times
- PID 2940 (rundll32.exe) wrote to memory of PID 3024 (mssecsvc.exe), recorded 4 times
Processes
-
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\67e4c40e171d9de8ee90763ad3b1ea96_JaffaCakes118.dll,#1
  PID: 2880
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\67e4c40e171d9de8ee90763ad3b1ea96_JaffaCakes118.dll,#1
    PID: 2940
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    Child: C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3024
      - Executes dropped EXE
      - Drops file in Windows directory
      Child: C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2596
        - Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2916
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.6MB
MD5
3ec64b8581cdcc2c04c507a024c1420b
SHA1
e8b5acd08cf06bb70d6ad3c83d883f7b2dfb2b4d
SHA256
faa9d3ffecd9b6a0a44e9505b6ae04cb322128fd32842fedc400e3875513369c
SHA512
533a97dfc1eab5c88e25f18e3a2c4b793de84adefcaefea9323d12ed0c690c5967890eca2d6968341c26323d2cfa3d517fe68cf84e9136934e6ace14109f17e9
-
Filesize
3.4MB
MD5
bf99a876e20591c313195e392c508221
SHA1
9b77767175ea56123b3cdc5b1e83a984476542ab
SHA256
436b4dce2c9839a0cdcf28b175d2b46598ce548dc080987487f62e50fa83dcb2
SHA512
aece9efbbfe3741cd44cceb0318e0b332015fb98f96a7775a9ca72e6295624bc52fd14652a76bb139f382374f6edf09f8227be96ff8a89fd22197fa3cb0ae143