Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 27-04-2024 06:45
Static task: static1

Behavioral task: behavioral1
- Sample: 02a8195f910cc2dfe3331ccf63db5468_JaffaCakes118.dll
- Resource: win7-20240215-en

Behavioral task: behavioral2
- Sample: 02a8195f910cc2dfe3331ccf63db5468_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 02a8195f910cc2dfe3331ccf63db5468_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 02a8195f910cc2dfe3331ccf63db5468
- SHA1: fb458441192c77a3c0b00d3240ba8c3ae04f2bd3
- SHA256: 137f11d29d5e48d945858906be536f238b153b63d2b523604606a328de4aad7d
- SHA512: 8fc1d6830cfefc2e33d7856def82f97a050f2289fb7079f8aa086089963739a3390d5b55bcf0e2c59c056078aa09dc901244e1fc35493e88f6bafce28180cfe4
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdN:SnAQqMSPbcBVQej/1IN
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3294) number of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 2160 mssecsvc.exe
  - 2580 mssecsvc.exe
  - 2744 tasksche.exe
- Creates a large number of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc, process):
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (mssecsvc.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (mssecsvc.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0061000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B5DEEC5-0FD5-4419-86C2-4339D59D2C08}\WpadDecisionReason = "1" (mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-37-05-af-96-7d (mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B5DEEC5-0FD5-4419-86C2-4339D59D2C08}\0e-37-05-af-96-7d (mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B5DEEC5-0FD5-4419-86C2-4339D59D2C08} (mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-37-05-af-96-7d\WpadDecisionReason = "1" (mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B5DEEC5-0FD5-4419-86C2-4339D59D2C08}\WpadDecision = "0" (mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (mssecsvc.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (mssecsvc.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (mssecsvc.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (mssecsvc.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B5DEEC5-0FD5-4419-86C2-4339D59D2C08}\WpadNetworkName = "Network 3" (mssecsvc.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-37-05-af-96-7d\WpadDecisionTime = f01b9d8c6e98da01 (mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (mssecsvc.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B5DEEC5-0FD5-4419-86C2-4339D59D2C08}\WpadDecisionTime = f01b9d8c6e98da01 (mssecsvc.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-37-05-af-96-7d\WpadDecision = "0" (mssecsvc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  - PID 2084 wrote to memory of 2216: rundll32.exe -> rundll32.exe (7 times)
  - PID 2216 wrote to memory of 2160: rundll32.exe -> mssecsvc.exe (4 times)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\02a8195f910cc2dfe3331ccf63db5468_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\02a8195f910cc2dfe3331ccf63db5468_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\mssecsvc.exe
  - Filesize: 3.6MB
  - MD5: 7214186c98a598187160e02a7e0f6f8a
  - SHA1: 892e6a36feefd43f9bb25616090960aecf841208
  - SHA256: 28956bf87e2c8fc1428c11e80734c3e7f1f1ca26acd8f6f4ad7a7bddca614395
  - SHA512: 84b701ed11c5a5adda81068cb08a65af7b5b4d0449c7df1c37590ef89308bcf8518f5d7f7ccbf243c50f207e731eb5ebd55b5f9169027e0dfda21539c56bde20
- C:\Windows\tasksche.exe
  - Filesize: 3.4MB
  - MD5: 60d0cfb6e2b2168e44f27da0015c137e
  - SHA1: 11a8bc5167616598bdb0d00bdc70af133ce82e23
  - SHA256: f3e4a74deed043624aff3142d14fec27f034fc5e0b780316d01f7f21bf88a204
  - SHA512: c26496dea4a56cc10b6fa984756b8f22e41fe802098fad85f402b2ca09688845e4da104161f7ff2efb6b62006d26f659ae367aed5da523e324358b73801e491e