Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system -
submitted
27-04-2024 10:22
Static task
static1
Behavioral task
behavioral1
Sample
03096422415d2c4c983d39eb6b290145_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
03096422415d2c4c983d39eb6b290145_JaffaCakes118.dll
Resource
win10v2004-20240426-en
General
-
Target
03096422415d2c4c983d39eb6b290145_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
03096422415d2c4c983d39eb6b290145
-
SHA1
97f3e8e2eee42c0016e4483ed291cac4aab1fce7
-
SHA256
4d29758ba37b2e04b17ced84f9662b2afe2ea2a0253c344fa2ae2cc519812abf
-
SHA512
77ae845aa662d8f9ecdee86fda1002ebbf5c851580a1365e01d385f87a25f5e2dff471645a426779ffe0002a1196165bffcb1a6b0a38e1a463993a6188a95c96
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBhz1aRxcSUDk36SAEdhvxWa9
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3315) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
1888 | mssecsvc.exe
2464 | mssecsvc.exe
2612 | tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
-
Modifies data under HKEY_USERS 24 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-64-7e-e2-70-ca | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-64-7e-e2-70-ca\WpadDecisionTime = 409579e18c98da01 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{059C0EE3-4216-4428-B4BF-2730C7C9FB29} | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-64-7e-e2-70-ca\WpadDecision = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{059C0EE3-4216-4428-B4BF-2730C7C9FB29}\WpadNetworkName = "Network 3" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0079000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{059C0EE3-4216-4428-B4BF-2730C7C9FB29}\8a-64-7e-e2-70-ca | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{059C0EE3-4216-4428-B4BF-2730C7C9FB29}\WpadDecisionReason = "1" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{059C0EE3-4216-4428-B4BF-2730C7C9FB29}\WpadDecisionTime = 409579e18c98da01 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{059C0EE3-4216-4428-B4BF-2730C7C9FB29}\WpadDecision = "0" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-64-7e-e2-70-ca\WpadDecisionReason = "1" | mssecsvc.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
description | pid | process | target process
PID 2292 wrote to memory of 1500 | 2292 | rundll32.exe | rundll32.exe
PID 2292 wrote to memory of 1500 | 2292 | rundll32.exe | rundll32.exe
PID 2292 wrote to memory of 1500 | 2292 | rundll32.exe | rundll32.exe
PID 2292 wrote to memory of 1500 | 2292 | rundll32.exe | rundll32.exe
PID 2292 wrote to memory of 1500 | 2292 | rundll32.exe | rundll32.exe
PID 2292 wrote to memory of 1500 | 2292 | rundll32.exe | rundll32.exe
PID 2292 wrote to memory of 1500 | 2292 | rundll32.exe | rundll32.exe
PID 1500 wrote to memory of 1888 | 1500 | rundll32.exe | mssecsvc.exe
PID 1500 wrote to memory of 1888 | 1500 | rundll32.exe | mssecsvc.exe
PID 1500 wrote to memory of 1888 | 1500 | rundll32.exe | mssecsvc.exe
PID 1500 wrote to memory of 1888 | 1500 | rundll32.exe | mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\03096422415d2c4c983d39eb6b290145_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:2292
  -
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\03096422415d2c4c983d39eb6b290145_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1500
    -
    C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:1888
      -
      C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:2612
-
C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2464
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Windows\mssecsvc.exe
Filesize
3.6MB
MD5
963c866614ab00596a3a335e0ea85f53
SHA1
9a3e2f950acb6b8cc1b44d4c254d4c4f0668a944
SHA256
16ebb03232914b826b48b00c8231ed80fa83fbe6e76afc864c55e33d47b94181
SHA512
942976c5c6ffee5d0cb80a2f10d531a3daebf9e51fc8f8e8c7886aef8012ceed9d6cd9cd92a1920c81555b87e970d122734bb09558a5e7259c2f983c3771f06d
-
C:\Windows\tasksche.exe
Filesize
3.4MB
MD5
49ebfd1f74d61f1addfd4a03ae277198
SHA1
64981e9feef4244c7d5b583cf8caa0043327e1c4
SHA256
7428842afbd1d547e28a861d9c00704ea0d9e891140666ae1867766d96f63559
SHA512
8679a4ad2ef64b32bf13c57a9957e069acd44a95c09f755a0d25281b0dfdd89eb18ba8fb53efa49f9035c0a5eecde4c2ffcfd7093186d23b0fb07dca25394222