Analysis

Max time kernel: 150s
Max time network: 150s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 27-04-2024 22:18

Static task: static1

Behavioral task: behavioral1
  Sample: 03c083659265b8d8b5ba2cd0fcf53305_JaffaCakes118.dll
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 03c083659265b8d8b5ba2cd0fcf53305_JaffaCakes118.dll
  Resource: win10v2004-20240419-en

The signatures, process tree and dropped files below are from the Windows 7 x64 run (behavioral1).
General

Target: 03c083659265b8d8b5ba2cd0fcf53305_JaffaCakes118.dll
Size: 5.0MB
MD5: 03c083659265b8d8b5ba2cd0fcf53305
SHA1: 82796e2cc166c0afc0b9a7fce3171647b61662dd
SHA256: ae0ce95c707b06a3119b12561a152c9d0da4180d0cc63fcab0fc1592a6db95a0
SHA512: f4471156f83e834e9a3da8112f7aa24def78660519e8a158c646ea091f31740c45c80ff8c8ea2df4b28588e8a100917fba8754e99e50a67a6115652dff6f2eed
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAME:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures

- Wannacry
  WannaCry is a ransomware cryptoworm: a file-encrypting payload carried by a self-propagating SMB worm component.

- Contacts a large number (3293) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services. For this family it is the worm's propagation scan; read together with the separately rooted mssecsvc.exe -m security process in the tree below, it is the expected WannaCry spreading behaviour rather than generic reconnaissance.
- Executes dropped EXE (3 IoCs)
  PID   Process
  1200  mssecsvc.exe
  2668  mssecsvc.exe
  2996  tasksche.exe

- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services; it is the flow-level view of the remote-host count above.
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (by mssecsvc.exe)
  Caveat: this path is the WinINet cache of the 32-bit LocalSystem profile. It is written as a side effect of a 32-bit process using WinINet while running as SYSTEM, not a payload drop.

- Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\tasksche.exe (by mssecsvc.exe)
  File created: C:\WINDOWS\mssecsvc.exe (by rundll32.exe)
  These two files are the dropped binaries whose hashes are listed under Downloads.
- Modifies data under HKEY_USERS (24 IoCs)
  All writes are made by mssecsvc.exe.
  1. Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  2. Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  3. Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  4. Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F9B8F74-4AAE-48F7-8532-B5F1709EECD1}
  5. Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F9B8F74-4AAE-48F7-8532-B5F1709EECD1}\WpadDecisionTime = 705481dbf098da01
  6. Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-f8-d9-9c-85-99
  7. Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (value not shown in the report)
  8. Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F9B8F74-4AAE-48F7-8532-B5F1709EECD1}\WpadDecisionReason = "1"
  9. Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-f8-d9-9c-85-99\WpadDecisionReason = "1"
  10. Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-f8-d9-9c-85-99\WpadDecisionTime = 705481dbf098da01
  11. Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fa000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  12. Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F9B8F74-4AAE-48F7-8532-B5F1709EECD1}\WpadNetworkName = "Network 3"
  13. Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  14. Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  15. Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  16. Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  17. Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  18. Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  19. Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F9B8F74-4AAE-48F7-8532-B5F1709EECD1}\16-f8-d9-9c-85-99
  20. Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\16-f8-d9-9c-85-99\WpadDecision = "0"
  21. Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  22. Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  23. Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  24. Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5F9B8F74-4AAE-48F7-8532-B5F1709EECD1}\WpadDecision = "0"

  How to read this: the .DEFAULT hive holds the LocalSystem account's per-user settings, so these are the keys WinINet creates the first time it is used from an account (cache prefixes, ZoneMap defaults, ProxyEnable = 0) plus a WPAD proxy auto-detect attempt recorded per network (the GUID subkey is the sandbox network; 16-f8-d9-9c-85-99 is in the MAC-address form WinINet uses for the default gateway). Both connection-settings blobs begin with version 0x46, a write counter (2, then 3) and flags 0x09, i.e. direct connection with auto-detect enabled. None of this is a proxy or persistence change made by the malware; it is the footprint of the worm component using WinINet as SYSTEM, and the same keys appear for any SYSTEM-context process that does so.
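The two connection-settings values above are opaque hex in the report. The following Python is an added example, not part of the Triage report or of the sample: it decodes those exact blobs using the commonly documented WinINet layout (DWORD version, DWORD write counter, DWORD INTERNET_PER_CONN_FLAGS, then three length-prefixed ANSI strings for proxy server, bypass list and auto-config URL). Whatever follows the strings (auto-detect results, reserved bytes) is reported as an undecoded trailer. The build_connection_settings helper and its 10.0.0.9:8080 proxy are hypothetical, included only to contrast a changed setting with the report's untouched defaults.

```python
"""Decode the WinINet connection-settings blobs from the report's registry IoCs.

Added example; not code from the sandbox report or from the sample. Layout
assumed (the commonly documented WinINet format): DWORD version, DWORD write
counter, DWORD INTERNET_PER_CONN_FLAGS, then three length-prefixed ANSI
strings (proxy server, bypass list, auto-config URL). Anything after that
(auto-detect results, reserved bytes) is reported as an undecoded trailer.
"""
import struct

# INTERNET_PER_CONN_FLAGS bits from wininet.h
PROXY_TYPE_DIRECT = 0x1
PROXY_TYPE_PROXY = 0x2
PROXY_TYPE_AUTO_PROXY_URL = 0x4
PROXY_TYPE_AUTO_DETECT = 0x8
FLAG_NAMES = {
    PROXY_TYPE_DIRECT: "DIRECT",
    PROXY_TYPE_PROXY: "PROXY",
    PROXY_TYPE_AUTO_PROXY_URL: "AUTO_PROXY_URL",
    PROXY_TYPE_AUTO_DETECT: "AUTO_DETECT",
}

# Hex exactly as recorded in the report: SavedLegacySettings (counter 2) and
# the second DefaultConnectionSettings write (counter 3).
REPORT_SAVED_LEGACY = "4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
REPORT_DEFAULT_V3 = "4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fa000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"


def _hex_to_bytes(hex_blob: str) -> bytes:
    """Accept hex copied from a report page: ignore whitespace, drop an odd trailing nibble."""
    h = "".join(hex_blob.split())
    if len(h) % 2:
        h = h[:-1]
    return bytes.fromhex(h)


def _read_lpstr(buf: bytes, off: int):
    """DWORD length + that many ANSI bytes; clamp to the buffer so a bad length cannot raise."""
    if off + 4 > len(buf):
        return "", len(buf)
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    end = min(off + n, len(buf))
    return buf[off:end].decode("latin-1"), end


def decode_flags(flags: int) -> list:
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def parse_connection_settings(hex_blob: str) -> dict:
    buf = _hex_to_bytes(hex_blob)
    if len(buf) < 12:
        raise ValueError("blob shorter than the 12-byte version/counter/flags header")
    version, counter, flags = struct.unpack_from("<III", buf, 0)
    proxy, off = _read_lpstr(buf, 12)
    bypass, off = _read_lpstr(buf, off)
    pac_url, off = _read_lpstr(buf, off)
    return {
        "version": version,
        "counter": counter,               # WinINet bumps this on every rewrite of the value
        "flags": flags,
        "flag_names": decode_flags(flags),
        "proxy": proxy,
        "bypass": bypass,
        "pac_url": pac_url,
        "trailer_bytes": len(buf) - off,  # auto-detect / reserved data, not decoded here
        # Fresh-profile defaults: direct connection, "Automatically detect settings" on,
        # no static proxy and no PAC. Anything else means the setting was changed.
        "is_default": flags == (PROXY_TYPE_DIRECT | PROXY_TYPE_AUTO_DETECT)
                      and not (proxy or pac_url),
    }


def build_connection_settings(counter: int, flags: int, proxy: str = "",
                              bypass: str = "", pac_url: str = "") -> str:
    """Build a blob in the same layout (hypothetical settings, for comparison only)."""
    out = struct.pack("<III", 0x46, counter, flags)
    for s in (proxy, bypass, pac_url):
        b = s.encode("latin-1")
        out += struct.pack("<I", len(b)) + b
    out += bytes(32)  # reserved trailer WinINet writes after the strings
    return out.hex()


if __name__ == "__main__":
    for label, blob in (("SavedLegacySettings", REPORT_SAVED_LEGACY),
                        ("DefaultConnectionSettings (2nd write)", REPORT_DEFAULT_V3)):
        print(label, parse_connection_settings(blob))
    # Hypothetical tampered value for contrast: static proxy, auto-detect off.
    tampered = build_connection_settings(4, PROXY_TYPE_PROXY, proxy="10.0.0.9:8080")
    print("tampered", parse_connection_settings(tampered))
```

Running it on the report's values gives flags 0x09 (DIRECT, AUTO_DETECT) with empty proxy and PAC strings for both writes, which is what a freshly initialised WinINet profile looks like; a real proxy tamper would show PROXY or AUTO_PROXY_URL in the flags or a non-empty string, as the hypothetical value demonstrates.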
- Suspicious use of WriteProcessMemory (11 IoCs)
  Writer PID  Writer        Target PID  Target        Events
  2120        rundll32.exe  1352        rundll32.exe  7
  1352        rundll32.exe  1200        mssecsvc.exe  4
  In both rows the target is the writer's own direct child (see the process tree), so these writes coincide with process creation and hand-off rather than injection into an unrelated process.
Processes

Tree 1 (the DLL loaded through rundll32):
1. C:\Windows\system32\rundll32.exe (PID 2120)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\03c083659265b8d8b5ba2cd0fcf53305_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1352)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\03c083659265b8d8b5ba2cd0fcf53305_JaffaCakes118.dll,#1
      - Drops file in Windows directory (C:\WINDOWS\mssecsvc.exe)
      - Suspicious use of WriteProcessMemory
      3. C:\WINDOWS\mssecsvc.exe (PID 1200)
         Command line: C:\WINDOWS\mssecsvc.exe
         - Executes dropped EXE
         - Drops file in Windows directory (C:\WINDOWS\tasksche.exe)
         4. C:\WINDOWS\tasksche.exe (PID 2996)
            Command line: C:\WINDOWS\tasksche.exe /i
            - Executes dropped EXE

Tree 2 (separate root, no rundll32 parent):
1. C:\WINDOWS\mssecsvc.exe (PID 2668)
   Command line: C:\WINDOWS\mssecsvc.exe -m security
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies data under HKEY_USERS

PIDs are taken from the signature tables above. Reading the tree: the 64-bit rundll32.exe hands the DLL to its SysWOW64 copy, which tells you the sample is a 32-bit DLL, and ",#1" is the export ordinal rundll32 is asked to call. The SysWOW64 rundll32 writes C:\WINDOWS\mssecsvc.exe and starts it; that process drops and starts C:\WINDOWS\tasksche.exe /i, the encryption stage. The second mssecsvc.exe instance, started with -m security, has no parent in the rundll32 chain; that argument form is how WannaCry's worm component runs once it has been installed as a Windows service, and it is the instance that accounts for the network scanning and the WinINet registry writes.
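To turn the tree into a detection, the Python below (an added example, not code from the report) replays the same parent/child relationships as constructed Sysmon-style process-creation events and applies three rules lifted directly from the tree: rundll32.exe starting mssecsvc.exe from C:\WINDOWS, mssecsvc.exe starting tasksche.exe /i, and mssecsvc.exe running with -m security. The field names, the two benign noise events and the parent PIDs 900 and 4 are assumptions; the five malicious events use the PIDs, paths and command lines the report lists.

```python
"""Flag the WannaCry dropper chain from the report in process-creation telemetry.

Added example; not code from the sandbox report. The events are constructed
to mirror the report's process tree, using Sysmon Event ID 1 style field names
(an assumption; any telemetry with PID, parent PID, image and command line
works the same way). Parent PIDs 900 and 4 are placeholders for parents the
report does not list.
"""
import ntpath

DLL = r"C:\Users\Admin\AppData\Local\Temp\03c083659265b8d8b5ba2cd0fcf53305_JaffaCakes118.dll"

EVENTS = [
    {"ProcessId": 2120, "ParentProcessId": 900,
     "Image": r"C:\Windows\system32\rundll32.exe", "CommandLine": f"rundll32.exe {DLL},#1"},
    {"ProcessId": 1352, "ParentProcessId": 2120,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe", "CommandLine": f"rundll32.exe {DLL},#1"},
    {"ProcessId": 1200, "ParentProcessId": 1352,
     "Image": r"C:\WINDOWS\mssecsvc.exe", "CommandLine": r"C:\WINDOWS\mssecsvc.exe"},
    {"ProcessId": 2996, "ParentProcessId": 1200,
     "Image": r"C:\WINDOWS\tasksche.exe", "CommandLine": r"C:\WINDOWS\tasksche.exe /i"},
    {"ProcessId": 2668, "ParentProcessId": 4,
     "Image": r"C:\WINDOWS\mssecsvc.exe", "CommandLine": r"C:\WINDOWS\mssecsvc.exe -m security"},
    # Constructed benign noise that must not fire.
    {"ProcessId": 3100, "ParentProcessId": 900,
     "Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"ProcessId": 3200, "ParentProcessId": 3100,
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower().rstrip("\\")


def match_rules(ev: dict, by_pid: dict) -> list:
    """Return the rule IDs an event matches. Rules are lifted from the report's tree."""
    hits = []
    image, cmd = ev["Image"], ev["CommandLine"].lower()
    parent = by_pid.get(ev["ParentProcessId"])
    parent_base = _base(parent["Image"]) if parent else ""
    # R1: rundll32 starts mssecsvc.exe sitting directly in C:\WINDOWS (the dropper hand-off)
    if parent_base == "rundll32.exe" and _base(image) == "mssecsvc.exe" and _dir(image) == r"c:\windows":
        hits.append("R1_rundll32_spawns_mssecsvc")
    # R2: mssecsvc.exe starts tasksche.exe /i (the encryption stage)
    if parent_base == "mssecsvc.exe" and _base(image) == "tasksche.exe" and cmd.rstrip().endswith(" /i"):
        hits.append("R2_mssecsvc_spawns_tasksche")
    # R3: mssecsvc.exe running with "-m security", the worm instance with no rundll32 parent
    if _base(image) == "mssecsvc.exe" and "-m security" in cmd:
        hits.append("R3_mssecsvc_m_security")
    return hits


def ancestry(pid: int, by_pid: dict, limit: int = 8) -> str:
    """Walk parent links (bounded, so PID reuse cannot loop) and render the chain."""
    chain = []
    while pid in by_pid and len(chain) < limit:
        ev = by_pid[pid]
        chain.append(f"{pid}:{_base(ev['Image'])}")
        pid = ev["ParentProcessId"]
    return " <- ".join(chain)


def scan(events: list) -> list:
    """(rule, pid, ancestry) for every event that matches a rule."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for ev in events:
        for rule in match_rules(ev, by_pid):
            findings.append((rule, ev["ProcessId"], ancestry(ev["ProcessId"], by_pid)))
    return findings


if __name__ == "__main__":
    for rule, pid, chain in scan(EVENTS):
        print(f"{rule:28} pid={pid:<5} {chain}")
```

Each finding carries the reconstructed ancestry, so the tasksche.exe hit reads back to both rundll32 instances exactly as the report's tree does; the -m security hit deliberately stands alone, because in real telemetry that instance will be parented by the service control manager rather than by the dropper.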
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 74635b9cc0eaee4a49906a44c82c820d
  SHA1: 3e5c871df5dc29cffc58e613340e0903a95287e9
  SHA256: 4ce0a9ad9b1069f76e45d80f2d52b7c87c1973a7079191a6e6750db651e2e2dc
  SHA512: 5d1414063c31a7016ef2af9d17cec3fa7c9fb6ad28bcc473e951dfbea1ecff3879443fc416d0a7595109eee3f7efdb185f75b4887d06faff4acb2de2dfd1fdd7

- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 0d29bde2befdfb72c424f7217f294043
  SHA1: 35120520cebd59083648aa18d1f3a193ad7365b7
  SHA256: ad591135ff110af6cc08f807e725887c29b6d10e28ee7844cafa5133fa488199
  SHA512: 2f9f8d760acdfa64b566841b38cb7e1240f8e3b70c7a97ff9b63d4176c7fff0ce356eb48384518ed83a9f6fb407239d59ce9bcb0d910f66b9601f613087c4981