Analysis
- Max time kernel: 1050s
- Max time network: 1050s
- Platform: windows7_x64
- Resource: win7-20240220-en
- Resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- Submitted: 01-05-2024 16:20
Static task: static1
Behavioral task: behavioral1
- Sample: 0c2beaa248280dae60f79a8a09da0bea_JaffaCakes118.dll
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 0c2beaa248280dae60f79a8a09da0bea_JaffaCakes118.dll
- Resource: win10v2004-20240419-en
General
- Target: 0c2beaa248280dae60f79a8a09da0bea_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 0c2beaa248280dae60f79a8a09da0bea
- SHA1: 74b12baca9783de659de89d5db019b20149fa132
- SHA256: 5a92c9540048d3f1e82fabe39847de099a3433e9e54e57067ad9a8e5b357efa1
- SHA512: 4ce7cc15a380d34033a73e17ac49193a05a763106cc7f119687d47ed42017843f56ed3cd4d17594c0c3fd4e7b97e7c268a507fed7612df36f882b920c4be3616
- SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhpfCfLf:TDqPoBhz1aRxcSUDk36SAEdhUf
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (23648) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  PID   Process
  2252  mssecsvc.exe
  2540  mssecsvc.exe
  2516  tasksche.exe
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  Description                        PID   Process       Target process
  PID 2860 wrote to memory of 2928   2860  rundll32.exe  rundll32.exe
  PID 2860 wrote to memory of 2928   2860  rundll32.exe  rundll32.exe
  PID 2860 wrote to memory of 2928   2860  rundll32.exe  rundll32.exe
  PID 2860 wrote to memory of 2928   2860  rundll32.exe  rundll32.exe
  PID 2860 wrote to memory of 2928   2860  rundll32.exe  rundll32.exe
  PID 2860 wrote to memory of 2928   2860  rundll32.exe  rundll32.exe
  PID 2860 wrote to memory of 2928   2860  rundll32.exe  rundll32.exe
  PID 2928 wrote to memory of 2252   2928  rundll32.exe  mssecsvc.exe
  PID 2928 wrote to memory of 2252   2928  rundll32.exe  mssecsvc.exe
  PID 2928 wrote to memory of 2252   2928  rundll32.exe  mssecsvc.exe
  PID 2928 wrote to memory of 2252   2928  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 2860)
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c2beaa248280dae60f79a8a09da0bea_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2928)
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0c2beaa248280dae60f79a8a09da0bea_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2252)
      Command: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2516)
        Command: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2540)
  Command: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 94707536092fb8828badc0d3c5d15508
  SHA1: a9f2364d6691b23cea1752040b64872f5f600e50
  SHA256: 8b7c5d74ae3a559b1976746fdff476ebf0d582a0ffd0558587587ac7dbfa4011
  SHA512: bf08e940b5a979303451b59f290a3db8051d772b44c9dca3f91a4425b1781282559a31a886aa4ca4d037d039a1c36bc8b7e05ecb0f5f1897453d4ae543f439c4
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 73da17f53cb49be8d047046289cbb3ce
  SHA1: c25808c947bb6fbf2360f06047997af803b968d4
  SHA256: 6188c7b048573bb745fdc04f2ef3723e250d9320ae06289e3a50094412535220
  SHA512: a8eda17180de9af6c7477e97a67f5b83322f9dafd4f40182f1485e4c1e7eedd7513c85e7cd18d8a3164690b3b34e205ca66cbd1c1698765c2067953f8a7cd313