Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 30-04-2024 00:35
Static task: static1
Behavioral task: behavioral1
- Sample: 089d39d2d97f5fa30023de208e8ddac8_JaffaCakes118.dll
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 089d39d2d97f5fa30023de208e8ddac8_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 089d39d2d97f5fa30023de208e8ddac8_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 089d39d2d97f5fa30023de208e8ddac8
- SHA1: ab03eb1c1504b794576a2ff458bf10386e697bff
- SHA256: 6c2f7aea20e57f9952db32d9aa0170050bde7c32593f8eaaa7d8ab554dada844
- SHA512: b5e941a0f69809cf4ddfa10cbb9083e983d7dcea533fd5347437dd452a6b80b0e80acb47844b48cac6ef0d07b63bee5556c0af7f6ebe399cfac81f62ea829cbe
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa982H:+DqPe1Cxcxk3ZAEUaNH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3320) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID / process:
  - 1064 mssecsvc.exe
  - 2208 mssecsvc.exe
  - 2560 tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  - File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  All operations by process mssecsvc.exe:
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{56FC3A2C-2FE4-44C5-83F1-B67E13CEB319}
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{56FC3A2C-2FE4-44C5-83F1-B67E13CEB319}\WpadDecisionReason = "1"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{56FC3A2C-2FE4-44C5-83F1-B67E13CEB319}\b6-0e-14-f1-05-98
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{56FC3A2C-2FE4-44C5-83F1-B67E13CEB319}\WpadDecision = "0"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-0e-14-f1-05-98\WpadDecisionTime = e00c335f969ada01
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{56FC3A2C-2FE4-44C5-83F1-B67E13CEB319}\WpadDecisionTime = e00c335f969ada01
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{56FC3A2C-2FE4-44C5-83F1-B67E13CEB319}\WpadNetworkName = "Network 3"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-0e-14-f1-05-98
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-0e-14-f1-05-98\WpadDecisionReason = "1"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b6-0e-14-f1-05-98\WpadDecision = "0"
  Caveat: every key here sits under the .DEFAULT hive, i.e. the SYSTEM profile, and they are the WinINet proxy auto-detection (WPAD), connection and cache state that Windows writes when a process running as SYSTEM makes a WinINet request. Together with the counters.dat write under the systemprofile Temporary Internet Files directory listed above, this places the network activity in the service instance (PID 2208) rather than indicating explicit persistence. The adapter-keyed entry (b6-0e-14-f1-05-98), the WPAD GUID and the WpadDecisionTime values are specific to the sandbox host and are not portable IoCs.
- Suspicious use of WriteProcessMemory (11 IoCs)
  - PID 952 (rundll32.exe) wrote to memory of PID 2216 (rundll32.exe): 7 events
  - PID 2216 (rundll32.exe) wrote to memory of PID 1064 (mssecsvc.exe): 4 events
  Caveat: both pairs are a parent writing into a child it has just created, which CreateProcess itself does while setting up the new process. The signature therefore corroborates the process tree below; it is not evidence of injection into an unrelated process.
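The two network signatures above (3320 remote hosts, a large number of flows) are what a one-port sweep across many addresses looks like from the infected host. The following is an added example, not part of this report and not the sandbox's own signature logic: a sliding-window fan-out detector run over constructed flow records. The records, the PIDs, the addresses, the destination port 445 given to the scanning process and the threshold are all assumptions for illustration; the report itself lists no ports.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def synth_flows():
    """Constructed flow records (timestamp, pid, image, dst_ip, dst_port).

    Not taken from the report: they imitate its shape, one process hitting
    many distinct peers on one port next to a benign process that talks to a
    few hosts repeatedly. Port 445, the PIDs and the addresses are assumed.
    """
    base = datetime(2024, 4, 30, 0, 40, 0)
    flows = []
    for i in range(1, 61):  # 60 distinct hosts on one port within 60 s
        flows.append((base + timedelta(seconds=i), 2208, "mssecsvc.exe",
                      f"10.7.0.{i}", 445))
    for i in range(60):     # 60 flows, but only 3 distinct hosts
        flows.append((base + timedelta(seconds=i), 1337, "browser.exe",
                      f"192.0.2.{i % 3}", 443))
    return flows


def detect_fanout(flows, window=timedelta(seconds=60), threshold=50):
    """Return [(pid, image, dst_port, max_distinct_hosts)] for every process
    that reaches more than `threshold` distinct destination hosts on a single
    port inside any sliding `window`.

    Counting distinct hosts per (process, port) rather than raw flow count is
    what separates a scanner from a chatty but legitimate client.
    """
    by_key = defaultdict(list)
    for ts, pid, image, dst_ip, dst_port in flows:
        by_key[(pid, image, dst_port)].append((ts, dst_ip))

    hits = []
    for (pid, image, port), events in by_key.items():
        events.sort()
        in_window = defaultdict(int)   # dst_ip -> flows currently in window
        left, best = 0, 0
        for ts, ip in events:
            in_window[ip] += 1
            # evict flows older than `window` from the left edge
            while ts - events[left][0] > window:
                old_ip = events[left][1]
                in_window[old_ip] -= 1
                if in_window[old_ip] == 0:
                    del in_window[old_ip]
                left += 1
            best = max(best, len(in_window))
        if best > threshold:
            hits.append((pid, image, port, best))
    return sorted(hits)


if __name__ == "__main__":
    for pid, image, port, n in detect_fanout(synth_flows()):
        print(f"fan-out: pid={pid} image={image} port={port} distinct_hosts={n}")
```

On the constructed data only the scanning process is reported; the browser never exceeds three distinct hosts however many flows it opens. Tune `window` and `threshold` to the environment: a 60-second window with a threshold of 50 is far below the 3320 hosts this sample reached, so it would fire early in the sweep.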
Processes
- C:\Windows\system32\rundll32.exe (PID 952)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\089d39d2d97f5fa30023de208e8ddac8_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2216)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\089d39d2d97f5fa30023de208e8ddac8_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1064)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2560)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2208)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

Note: PID 952 is the 64-bit rundll32.exe; because the DLL is 32-bit it re-launches the 32-bit C:\Windows\SysWOW64\rundll32.exe (PID 2216) with the same command line, and that instance is the one that loads the DLL and writes mssecsvc.exe. The second mssecsvc.exe instance (PID 2208, `-m security`) appears as a separate root because its parent is not shown in the tree; its writes under the .DEFAULT hive and the systemprofile directory are consistent with it running as a SYSTEM service.
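The process tree above is the chain a detection engineer wants to match: a LOLBin (rundll32.exe) drops an executable into the Windows directory and runs it, and that executable drops and runs a second one. The code below is an added example, not part of this report and not the sandbox's signature code. It reconstructs the report's "Executes dropped EXE", "Drops file in Windows directory" and parent-chain relations from a list of process-create and file-create events constructed from the PIDs, paths and command lines shown above; the parent PIDs of the two roots (952 and 2208) are not in the report, so the values 1 and 0 used for them are placeholders.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    kind: str    # "proc_create" or "file_create"
    pid: int     # new process (proc_create) or writing process (file_create)
    ppid: int    # parent PID for proc_create; 0 when unknown or not applicable
    image: str   # full image path of the new / writing process
    target: str  # command line (proc_create) or created file path (file_create)


DLL = r"C:\Users\Admin\AppData\Local\Temp\089d39d2d97f5fa30023de208e8ddac8_JaffaCakes118.dll"

# Constructed from the report's process tree. Parent PIDs 1 and 0 for the two
# roots are placeholders, not observed values.
EVENTS = [
    Event("proc_create", 952, 1, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Event("proc_create", 2216, 952, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Event("file_create", 2216, 0, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\WINDOWS\mssecsvc.exe"),
    Event("proc_create", 1064, 2216, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    Event("file_create", 1064, 0, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\tasksche.exe"),
    Event("proc_create", 2560, 1064, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    Event("proc_create", 2208, 0, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
]

# Script/DLL hosts commonly used to launch a first stage (assumed list).
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def executes_dropped(events):
    """'Executes dropped EXE': process creations whose image path was written
    earlier in the same trace. Returns [(new_pid, image, dropper_pid)]."""
    created, hits = {}, []
    for e in events:
        if e.kind == "file_create":
            created[e.target.lower()] = e.pid
        elif e.kind == "proc_create" and e.image.lower() in created:
            hits.append((e.pid, e.image, created[e.image.lower()]))
    return hits


def windows_root_drops(events):
    """'Drops file in Windows directory': files written directly into the
    root of C:\\Windows, a location that needs administrative rights."""
    return [(e.pid, e.target) for e in events
            if e.kind == "file_create"
            and ntpath.dirname(e.target).lower() == r"c:\windows"]


def parent_chain(events, pid):
    """Image names from the trace root down to `pid`, following ppid links."""
    procs = {e.pid: e for e in events if e.kind == "proc_create"}
    chain, seen = [], set()
    while pid in procs and pid not in seen:      # `seen` guards PID reuse loops
        seen.add(pid)
        chain.append(ntpath.basename(procs[pid].image).lower())
        pid = procs[pid].ppid
    return chain[::-1]


def two_stage_dropper_chains(events):
    """A dropped EXE, launched under a LOLBin, that itself drops and launches
    another EXE. Each hit is the image chain from the root to the second stage."""
    hits = executes_dropped(events)
    first_stage = {pid for pid, _, _ in hits}
    chains = []
    for pid, _, dropper in hits:
        chain = parent_chain(events, pid)
        if dropper in first_stage and LOLBINS & set(chain):
            chains.append(chain)
    return chains


if __name__ == "__main__":
    for chain in two_stage_dropper_chains(EVENTS):
        print(" -> ".join(chain))
```

Run against the constructed events, `executes_dropped` flags the same three PIDs the report lists under "Executes dropped EXE" (1064, 2560 and 2208), `windows_root_drops` returns the two files from "Drops file in Windows directory", and the two-stage check yields the single chain rundll32.exe -> rundll32.exe -> mssecsvc.exe -> tasksche.exe. The service instance 2208 is not a second-stage hit on its own because its dropper (2216) did not itself execute a dropped file; it is caught by the first rule.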
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  - Filesize: 3.6MB
  - MD5: 0e479d64fcd09a50725ede61b09aa2a9
  - SHA1: a339c28e81d113808155f67cd85a745a41d659ed
  - SHA256: 778a5525fcf685a1f05d2944540a145f420b1f27a8c54816fea13a0ba128d18f
  - SHA512: 687443fec47b2986779e1e14adec1ce346351f1512eae2598bab770d622d00c136e8ca8eede0cf31067ab223ea4e1682b2bd9b4409d008c1380e391713c3b560
- C:\Windows\tasksche.exe
  - Filesize: 3.4MB
  - MD5: 377cb7090244bcd916441c9dd7908ea1
  - SHA1: 3d0bc6a91afb95b2495a1574cb907a6dd9b03a3c
  - SHA256: 2d258f30eae5f7d2215ce48e005cd61d19f334c5fab5f83e4f6a190b61497046
  - SHA512: f27084352ce38b43939e410affcd188cc5ccc6c48df30b62329fdf5dc2a2ce2439dbebb7e0d88403195f370a9e3307b6b378e8d7b314ee4575cd8410349c6855