Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 30-04-2024 02:52
Static task
- static1
Behavioral task
- behavioral1
  Sample: 08dc108f0734ca16b6d0b460cfa4d0c0_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 08dc108f0734ca16b6d0b460cfa4d0c0_JaffaCakes118.dll
  Resource: win10v2004-20240419-en
General
- Target: 08dc108f0734ca16b6d0b460cfa4d0c0_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 08dc108f0734ca16b6d0b460cfa4d0c0
- SHA1: 124ad52c06bbdbbf8c24870dc934c95f72c6c05d
- SHA256: 278e4c2c8aac93dc902d29f7b28f631635615c9e2e8bf7211b476b36a763c8a4
- SHA512: ef0858975a37c826c8203d37899f649542a8df27993a163817f7cc4c6c6c06c7a4527d00c224472e4403261c74f4dc4f31aa6164747ea2e597f1a5a81480b0cc
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6XEauR:+DqPoBhz1aRxcSUDk36+R
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3160) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  pid  | process
  2260 | mssecsvc.exe
  2616 | mssecsvc.exe
  2608 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes:
  description                  | ioc                                                                                                              | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  description  | ioc                     | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes:
  description | ioc | process
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-7a-5e-ac-ac-3b | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148} | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0087000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\WpadDecision = "0" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-7a-5e-ac-ac-3b\WpadDecisionTime = 00288c67a99ada01 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\WpadDecisionTime = 00288c67a99ada01 | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\5a-7a-5e-ac-ac-3b | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-7a-5e-ac-ac-3b\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-7a-5e-ac-ac-3b\WpadDecision = "0" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description                      | pid  | process      | target process
  PID 3024 wrote to memory of 3040 | 3024 | rundll32.exe | rundll32.exe
  PID 3024 wrote to memory of 3040 | 3024 | rundll32.exe | rundll32.exe
  PID 3024 wrote to memory of 3040 | 3024 | rundll32.exe | rundll32.exe
  PID 3024 wrote to memory of 3040 | 3024 | rundll32.exe | rundll32.exe
  PID 3024 wrote to memory of 3040 | 3024 | rundll32.exe | rundll32.exe
  PID 3024 wrote to memory of 3040 | 3024 | rundll32.exe | rundll32.exe
  PID 3024 wrote to memory of 3040 | 3024 | rundll32.exe | rundll32.exe
  PID 3040 wrote to memory of 2260 | 3040 | rundll32.exe | mssecsvc.exe
  PID 3040 wrote to memory of 2260 | 3040 | rundll32.exe | mssecsvc.exe
  PID 3040 wrote to memory of 2260 | 3040 | rundll32.exe | mssecsvc.exe
  PID 3040 wrote to memory of 2260 | 3040 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\08dc108f0734ca16b6d0b460cfa4d0c0_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 3024
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\08dc108f0734ca16b6d0b460cfa4d0c0_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 3040
    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2260
      - C:\WINDOWS\tasksche.exe (depth 4)
        Command: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2608
- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2616
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 14d4a723552be20b4693a0e745fe28cc
  SHA1: b6166ab202dfaa2846d6d0032d5b06d480b8029c
  SHA256: 4c44aa0340082e2355e34c3c0c8bff4acb82a9c6e13d0648c49c7a1ad31cd5f1
  SHA512: 7b338244fab55524a574424bd273f2baefe2939f6b64f90ed2ce8806a5437a54acd034eb1fb1c4dbd365612d89b03662bafccb7ddafb8d1b5e501ffab7e796a3
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 977d14687ac48449af995433ec634112
  SHA1: 7696e47f7277f883ed5279253d8d44983cd39642
  SHA256: 14ad323ba4a71502781d82377c795d42e2f3ebf76c8a5a54c20ecaf7a5782afd
  SHA512: 23de95bb9a49e2e876d818f79873deb48ea55e99ff2d3df61fab7e540a8d1b04ed4d03b2eb565aa14ddb7a1fe0abd1a2e911eb24948840e9a20fc4b026294ade