Analysis

max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 01-05-2024 15:35
Static task: static1
Behavioral task: behavioral1
  Sample: 0c2beaa248280dae60f79a8a09da0bea_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 0c2beaa248280dae60f79a8a09da0bea_JaffaCakes118.dll
  Resource: win10v2004-20240226-en

The results below are from behavioral1, the Windows 7 x64 run named in the platform and resource fields above.
General

Target: 0c2beaa248280dae60f79a8a09da0bea_JaffaCakes118.dll
Size: 5.0MB
MD5: 0c2beaa248280dae60f79a8a09da0bea
SHA1: 74b12baca9783de659de89d5db019b20149fa132
SHA256: 5a92c9540048d3f1e82fabe39847de099a3433e9e54e57067ad9a8e5b357efa1
SHA512: 4ce7cc15a380d34033a73e17ac49193a05a763106cc7f119687d47ed42017843f56ed3cd4d17594c0c3fd4e7b97e7c268a507fed7612df36f882b920c4be3616
SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhpfCfLf:TDqPoBhz1aRxcSUDk36SAEdhUf
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large number (3281) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
  PID 2244  mssecsvc.exe
  PID 2112  mssecsvc.exe
  PID 2584  tasksche.exe

Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
Drops file in System32 directory (1 IoC)
  mssecsvc.exe: file opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
This is the WinINet cache counters file of the SYSTEM profile as seen by a 32-bit process, a side effect of the "-m security" instance of mssecsvc.exe (PID 2112) initialising WinINet; it is not a payload drop. The actual drops are the two files listed under "Drops file in Windows directory".
Drops file in Windows directory (2 IoCs)
  rundll32.exe: file created: C:\WINDOWS\mssecsvc.exe
  mssecsvc.exe: file created: C:\WINDOWS\tasksche.exe
Modifies data under HKEY_USERS (24 IoCs)
All 24 writes are by mssecsvc.exe (PID 2112, the "-m security" instance) under \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings; some entries spell the path ...\Software\..., which the registry treats identically. Paths below are relative to that key. They are the WinINet proxy auto-detection (WPAD), connection and cache settings that the SYSTEM account's default profile receives when a service initialises WinINet, not a persistence mechanism; the MAC-style subkey be-58-25-84-32-d5 is the sandbox adapter's address and the WpadDecisionTime values are FILETIMEs, so neither is a usable indicator of the sample.
  Set value (int)  ZoneMap\UNCAsIntranet = "0"
  Set value (data) Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created      Wpad\{1915D363-BD41-4F60-8575-86BC34D86C7D}
  Set value (int)  Wpad\{1915D363-BD41-4F60-8575-86BC34D86C7D}\WpadDecision = "0"
  Set value (int)  Wpad\be-58-25-84-32-d5\WpadDecisionReason = "1"
  Key created      Wpad\{1915D363-BD41-4F60-8575-86BC34D86C7D}\be-58-25-84-32-d5
  Key created      (the Internet Settings key itself, referenced as SOFTWARE\...)
  Key created      (the Internet Settings key itself, referenced as Software\...)
  Set value (int)  ZoneMap\AutoDetect = "1"
  Set value (str)  5.0\Cache\History\CachePrefix = "Visited:"
  Key created      Wpad
  Set value (str)  Wpad\{1915D363-BD41-4F60-8575-86BC34D86C7D}\WpadNetworkName = "Network 3"
  Key created      Wpad\be-58-25-84-32-d5
  Set value (data) Wpad\be-58-25-84-32-d5\WpadDecisionTime = 30051439dd9bda01
  Set value (data) Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)  ProxyEnable = "0"
  Set value (data) Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str)  5.0\Cache\Content\CachePrefix (value not shown in the report)
  Set value (str)  5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Key created      Connections
  Key created      ZoneMap\
  Set value (int)  Wpad\{1915D363-BD41-4F60-8575-86BC34D86C7D}\WpadDecisionReason = "1"
  Set value (data) Wpad\{1915D363-BD41-4F60-8575-86BC34D86C7D}\WpadDecisionTime = 30051439dd9bda01
  Set value (int)  Wpad\be-58-25-84-32-d5\WpadDecision = "0"
Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2352 (rundll32.exe) wrote to memory of PID 2236 (rundll32.exe): 7 writes
  PID 2236 (rundll32.exe) wrote to memory of PID 2244 (mssecsvc.exe): 4 writes
Each write is counted as one IoC. The pattern is a parent writing into a child it has just created: the 64-bit system32\rundll32.exe re-launches the 32-bit DLL under SysWOW64\rundll32.exe, which in turn launches the dropped mssecsvc.exe (see the process tree below).
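The two network signatures above (contacting a large number of remote hosts, creating a large number of network flows) both describe fan-out: a single process reaching far more distinct destination hosts in a short time than a benign program does. The detector below is an added example, not part of the sandbox report or of any tool it uses. It runs over constructed flow records; the PID 2112 and the image name mssecsvc.exe are taken from the report, while the destination port 445, the 10.10.0.0/24 target range, the 60-second window and the 100-host threshold are assumptions made for the synthetic data and the rule.

```python
"""Fan-out detector for the report's network signatures.

Added example, not part of the sandbox report. Flow records are constructed;
PID 2112 / mssecsvc.exe come from the report, the port, target range, window
and threshold are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since the start of the capture
    pid: int
    image: str       # process image name as logged by the sensor
    dst_ip: str
    dst_port: int


def scanning_processes(flows, window=60.0, threshold=100):
    """Return {(pid, image): {"peak_hosts": n, "top_port": p}} for every process
    that reached more than `threshold` distinct destination hosts within some
    `window`-second span. A sliding window per process means a steady talker
    with few peers never trips it, while a sweep does."""
    by_proc = defaultdict(list)
    for f in flows:
        by_proc[(f.pid, f.image)].append(f)

    hits = {}
    for key, recs in by_proc.items():
        recs.sort(key=lambda f: f.ts)
        in_window = Counter()        # dst_ip -> flows currently inside the window
        peak = 0
        left = 0
        for f in recs:
            in_window[f.dst_ip] += 1
            # Evict flows that fell out of the window ending at f.ts.
            while recs[left].ts < f.ts - window:
                old = recs[left].dst_ip
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            top_port = Counter(f.dst_port for f in recs).most_common(1)[0][0]
            hits[key] = {"peak_hosts": peak, "top_port": top_port}
    return hits


def constructed_flows():
    """Synthetic telemetry, not from the report: one worm-like process sweeping
    a /24 plus a block of further addresses on a single port, and one benign
    process talking repeatedly to five peers."""
    flows = []
    for i in range(1, 255):                         # 254 hosts in 30 seconds
        flows.append(Flow(i * 30 / 254, 2112, "mssecsvc.exe", f"10.10.0.{i}", 445))
    for i in range(50):                             # 50 more hosts in the next 10 seconds
        flows.append(Flow(30 + i * 0.2, 2112, "mssecsvc.exe", f"10.10.1.{i + 1}", 445))
    for i in range(100):                            # benign: 5 peers, 100 flows
        flows.append(Flow(i * 0.6, 900, "svchost.exe", f"10.10.0.{200 + i % 5}", 443))
    return flows


if __name__ == "__main__":
    for (pid, image), info in scanning_processes(constructed_flows()).items():
        print(f"{image} (PID {pid}): {info['peak_hosts']} distinct hosts, mostly port {info['top_port']}")
```

The threshold is deliberately a count of distinct hosts rather than of flows: a browser or update agent can open hundreds of flows to a handful of servers, which is what the benign svchost.exe rows model, while a worm's sweep is recognisable by how many different addresses it touches in one window.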
Processes

C:\Windows\system32\rundll32.exe  (PID 2352)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c2beaa248280dae60f79a8a09da0bea_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe  (PID 2236)
       Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c2beaa248280dae60f79a8a09da0bea_JaffaCakes118.dll,#1
       Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
       └─ C:\WINDOWS\mssecsvc.exe  (PID 2244)
            Command line: C:\WINDOWS\mssecsvc.exe
            Signatures: Executes dropped EXE; Drops file in Windows directory
            └─ C:\WINDOWS\tasksche.exe  (PID 2584)
                 Command line: C:\WINDOWS\tasksche.exe /i
                 Signatures: Executes dropped EXE

C:\WINDOWS\mssecsvc.exe  (PID 2112)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS

The ",#1" suffix tells rundll32.exe to call the DLL's export with ordinal 1. The 64-bit system32\rundll32.exe cannot load a 32-bit DLL and re-launches the request under SysWOW64\rundll32.exe, which is the instance that writes and starts C:\WINDOWS\mssecsvc.exe. The second mssecsvc.exe (PID 2112) has no parent in the tree; its "-m security" argument and the fact that its file and registry writes land in the SYSTEM profile (SysWOW64\config\systemprofile, HKEY_USERS\.DEFAULT) are consistent with the dropped binary being started as a service.
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 94707536092fb8828badc0d3c5d15508
  SHA1: a9f2364d6691b23cea1752040b64872f5f600e50
  SHA256: 8b7c5d74ae3a559b1976746fdff476ebf0d582a0ffd0558587587ac7dbfa4011
  SHA512: bf08e940b5a979303451b59f290a3db8051d772b44c9dca3f91a4425b1781282559a31a886aa4ca4d037d039a1c36bc8b7e05ecb0f5f1897453d4ae543f439c4

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 73da17f53cb49be8d047046289cbb3ce
  SHA1: c25808c947bb6fbf2360f06047997af803b968d4
  SHA256: 6188c7b048573bb745fdc04f2ef3723e250d9320ae06289e3a50094412535220
  SHA512: a8eda17180de9af6c7477e97a67f5b83322f9dafd4f40182f1485e4c1e7eedd7513c85e7cd18d8a3164690b3b34e205ca66cbd1c1698765c2067953f8a7cd313

Each stage writes the next from its own body: the 5.0MB DLL yields the 3.6MB mssecsvc.exe, which yields the 3.4MB tasksche.exe. The dropped-file hashes are therefore worth blocking alongside the submitted DLL's, since a host that was never handed the DLL itself can still carry these two files.
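The process tree and the dropped-file hashes together give a host-side detection: rundll32.exe loading a DLL from the user's Temp directory by export ordinal, an executable created directly under C:\WINDOWS being spawned by rundll32.exe, mssecsvc.exe started with "-m security", tasksche.exe /i with mssecsvc.exe and rundll32.exe in its ancestry, and the SHA256 values from the Downloads section. The Python below is an added example, not the sandbox's own code; it runs over constructed process-creation events shaped like the fields of a Sysmon Event ID 1 record (ProcessId, ParentProcessId, Image, CommandLine, Hashes). The PIDs, image paths, command lines and hashes are taken from this report; the parent PIDs 1000 and 480, both benign rows and the all-zero placeholder hash are made up for the test data.

```python
"""Process-tree and dropped-file detection for the behaviour in this report.

Added example, not part of the sandbox output. Events are constructed to mirror
the report's process tree; parent PIDs 1000/480, the benign rows and the
all-zero placeholder hash are assumptions.
"""
import re
from dataclasses import dataclass

# SHA256 values from the report (Downloads section and sample header).
KNOWN_SHA256 = {
    "8b7c5d74ae3a559b1976746fdff476ebf0d582a0ffd0558587587ac7dbfa4011": "dropped mssecsvc.exe",
    "6188c7b048573bb745fdc04f2ef3723e250d9320ae06289e3a50094412535220": "dropped tasksche.exe",
    "5a92c9540048d3f1e82fabe39847de099a3433e9e54e57067ad9a8e5b357efa1": "submitted DLL",
}

# rundll32 invoking a DLL under the user's Temp directory by export ordinal (",#N").
TEMP_DLL_BY_ORDINAL = re.compile(r"\\AppData\\Local\\Temp\\[^\s,]+\.dll,#\d+", re.I)
# An executable sitting directly in the Windows directory (no subfolder).
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)


@dataclass(frozen=True)
class ProcEvent:
    """The fields of a Sysmon Event ID 1 record that the rules below use."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    hashes: str = ""     # Sysmon 'Hashes' field, e.g. "MD5=...,SHA256=..."


def parse_hashes(field):
    """'MD5=AB..,SHA256=CD..' -> {'md5': 'ab..', 'sha256': 'cd..'} (lower-cased)."""
    out = {}
    for part in filter(None, field.split(",")):
        algo, _, value = part.partition("=")
        if value:
            out[algo.strip().lower()] = value.strip().lower()
    return out


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(by_pid, pid, limit=16):
    """Image basenames from the process itself up through its recorded ancestors."""
    chain = []
    while pid in by_pid and len(chain) < limit:
        event = by_pid[pid]
        chain.append(basename(event.image))
        pid = event.ppid
    return chain


def detect(events):
    """Return (pid, rule, detail) tuples; one process may trip several rules."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image)
        chain = lineage(by_pid, e.pid)           # chain[0] is the process itself
        ancestors = chain[1:]
        parent = ancestors[0] if ancestors else ""
        sha256 = parse_hashes(e.hashes).get("sha256")
        if sha256 in KNOWN_SHA256:
            findings.append((e.pid, "known-hash", KNOWN_SHA256[sha256]))
        if name == "rundll32.exe" and TEMP_DLL_BY_ORDINAL.search(e.cmdline):
            findings.append((e.pid, "rundll32-temp-dll-ordinal", e.cmdline))
        if parent == "rundll32.exe" and WINDOWS_ROOT_EXE.match(e.image):
            findings.append((e.pid, "rundll32-spawns-windows-root-exe", e.image))
        if name == "mssecsvc.exe" and re.search(r"\s-m\s+security\b", e.cmdline, re.I):
            findings.append((e.pid, "mssecsvc-service-mode", e.cmdline))
        if (name == "tasksche.exe" and re.search(r"\s/i\b", e.cmdline, re.I)
                and "mssecsvc.exe" in ancestors and "rundll32.exe" in ancestors):
            findings.append((e.pid, "tasksche-install-via-rundll32-chain", " <- ".join(chain)))
    return findings


def constructed_events():
    """Events mirroring the report's tree. PIDs, images, command lines and hashes
    come from the report; parent PIDs 1000/480, both benign rows and the
    all-zero hash are constructed."""
    dll = r"C:\Users\Admin\AppData\Local\Temp\0c2beaa248280dae60f79a8a09da0bea_JaffaCakes118.dll"
    mssecsvc = ("MD5=94707536092fb8828badc0d3c5d15508,"
                "SHA256=8b7c5d74ae3a559b1976746fdff476ebf0d582a0ffd0558587587ac7dbfa4011")
    tasksche = ("MD5=73da17f53cb49be8d047046289cbb3ce,"
                "SHA256=6188c7b048573bb745fdc04f2ef3723e250d9320ae06289e3a50094412535220")
    placeholder = "SHA256=" + "0" * 64
    return [
        ProcEvent(2352, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {dll},#1"),
        ProcEvent(2236, 2352, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {dll},#1"),
        ProcEvent(2244, 2236, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe", mssecsvc),
        ProcEvent(2584, 2244, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i", tasksche),
        ProcEvent(2112, 480, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security", mssecsvc),
        ProcEvent(3000, 1000, r"C:\Windows\System32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL", placeholder),
        ProcEvent(3100, 480, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", placeholder),
    ]


if __name__ == "__main__":
    for pid, rule, detail in detect(constructed_events()):
        print(f"PID {pid:5d}  {rule:38s} {detail}")
```

The hash rule only fires on a binary that has not been recompiled or repacked, so the behavioural rules carry the weight against variants: the rundll32.exe and tasksche.exe rules depend on the lineage (who spawned whom), which is why the detector walks recorded ancestors rather than looking only at the immediate parent. The benign rundll32.exe row (shell32.dll by export name, not a Temp-directory DLL by ordinal) is there to show the Temp/ordinal rule does not trip on ordinary rundll32 use.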