Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 02-05-2024 23:57
Static task: static1
Behavioral task: behavioral1
  Sample: 0f31bd63c85f42b46f8b5c07f02147b0_JaffaCakes118.dll
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 0f31bd63c85f42b46f8b5c07f02147b0_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
- Target: 0f31bd63c85f42b46f8b5c07f02147b0_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 0f31bd63c85f42b46f8b5c07f02147b0
- SHA1: 7e7d97b8aa93efeddce129b890ec1ca14eb88c02
- SHA256: b7c7599d6304eaeb6a334de838938a36e4e306c0fd2562c64c9f9548a5c57c7c
- SHA512: ea7abcf150c572a3e0a0e45b731556e9875c68e8ea9fadd3ae49fcde221a45503516c6ae414ac5fb4a4e8c69ef4b6cee74be698d29f3821c264442dcaf3bfe76
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef09G/D8kIqRYoAdNLKz6626M+vbOSSqTPVXmiHkQgz:SnAQqMSPbcBVU/1INRx+TSqTdX1HkQ
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3275) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2680  mssecsvc.exe
    2688  mssecsvc.exe
    2632  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe (all 24 entries below)
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDB8CC54-5585-4BD8-B797-FD0EDB683D86}
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDB8CC54-5585-4BD8-B797-FD0EDB683D86}\5e-5f-bb-a7-bd-40
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDB8CC54-5585-4BD8-B797-FD0EDB683D86}\WpadDecisionTime = 30486279ec9cda01
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDB8CC54-5585-4BD8-B797-FD0EDB683D86}\WpadNetworkName = "Network 3"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-5f-bb-a7-bd-40\WpadDecision = "0"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-5f-bb-a7-bd-40
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-5f-bb-a7-bd-40\WpadDecisionReason = "1"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-5f-bb-a7-bd-40\WpadDecisionTime = 30486279ec9cda01
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDB8CC54-5585-4BD8-B797-FD0EDB683D86}\WpadDecision = "0"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DDB8CC54-5585-4BD8-B797-FD0EDB683D86}\WpadDecisionReason = "1"
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 1968 wrote to memory of 1636  rundll32.exe -> rundll32.exe   (7 events)
    PID 1636 wrote to memory of 2680  rundll32.exe -> mssecsvc.exe   (4 events)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f31bd63c85f42b46f8b5c07f02147b0_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1968
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0f31bd63c85f42b46f8b5c07f02147b0_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1636
    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2680
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2632
- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2688
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 8ea49a89d13b3382364cce359e44ac57
  SHA1: 6b79006e42806135603a7cb14b962ceaae2990ae
  SHA256: ae9dbdddfaca00ecacd763f9ecd891d7d54d2ddabb47f96eb1428621dfe1221c
  SHA512: ed7d43cbae9c5e29dedab993bff0321bc1bb1589dbd8b3574824ab250ce658a24f8ed32c9db91a97ce420b86001b14d3237f78411d337390a283c3a435fba184
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 022dd9f14f6bc11a6908e0fc5f69b04c
  SHA1: e3e5929ea51b65a399107e0112aea04e99a46bc4
  SHA256: d74ed543d3d9ad16a9a004b66419922eb76d71fc8b6938cfaf362a8e669f9e1d
  SHA512: e73ab5ab989af7f776adb1a6add787e2ebacfee724d5b45a7a1eaa64c2f0cde262226b1c9aefacde8698a5f5ac24db4a7d345e97cc4f560cd2575eeb67fe393c
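The signatures, process tree and dropped-file hashes in this report translate directly into host-side detection logic. The Python below is an added example, not part of the sandbox report or its export: it replays the report's chain (rundll32 loading the DLL by ordinal from Temp, the drop of mssecsvc.exe and tasksche.exe under C:\WINDOWS, mssecsvc.exe -m security, tasksche.exe /i, and the 3275-host fan-out) as rules over a constructed event stream. The event schema (process_create / file_create / network_connect dicts), the parent PIDs 1000 and 500 for the two tree roots, and the fan-out threshold of 100 are assumptions for the example; the PIDs, paths, command lines and SHA256 values are taken from the report.

```python
"""Detection rules derived from the sandbox report, run over constructed events."""
import re
from collections import defaultdict

# Drop locations and dropped-file hashes as listed in the report.
DROP_PATHS = {r"c:\windows\mssecsvc.exe", r"c:\windows\tasksche.exe"}
DROPPED_SHA256 = {
    "ae9dbdddfaca00ecacd763f9ecd891d7d54d2ddabb47f96eb1428621dfe1221c": "mssecsvc.exe",
    "d74ed543d3d9ad16a9a004b66419922eb76d71fc8b6938cfaf362a8e669f9e1d": "tasksche.exe",
}
# Command lines observed in the report's process tree. The rundll32 rule is
# generalised to any DLL launched by ordinal (",#N") from a user Temp directory.
CMDLINE_RULES = [
    ("mssecsvc_service_mode", re.compile(r"\bmssecsvc\.exe\s+-m\s+security\b", re.I)),
    ("tasksche_install_mode", re.compile(r"\btasksche\.exe\s+/i\b", re.I)),
    ("rundll32_ordinal_from_temp",
     re.compile(r"\brundll32\.exe\s+.*\\appdata\\local\\temp\\\S+\.dll,#\d+\b", re.I)),
]
# Distinct remote hosts per process before flagging a scan. 100 is an assumed
# tuning value; the report's sample reached 3275.
FAN_OUT_THRESHOLD = 100


def _norm(path):
    return path.lower()


def analyze(events):
    """Return a list of {'rule', 'pid', 'detail'} findings for an event stream."""
    findings = []
    procs = {}                       # pid -> process_create event
    remote_hosts = defaultdict(set)  # pid -> distinct destination hosts

    def hit(rule, pid, detail=""):
        findings.append({"rule": rule, "pid": pid, "detail": detail})

    for e in events:
        kind = e["type"]
        if kind == "process_create":
            procs[e["pid"]] = e
            for rule, rx in CMDLINE_RULES:
                if rx.search(e["cmdline"]):
                    hit(rule, e["pid"], e["cmdline"])
            # rundll32 (the DLL host) spawning a binary at one of the known drop paths
            parent = procs.get(e["ppid"])
            if parent and _norm(parent["image"]).endswith("\\rundll32.exe") \
                    and _norm(e["image"]) in DROP_PATHS:
                hit("rundll32_spawned_dropped_exe", e["pid"], e["image"])
        elif kind == "file_create":
            if _norm(e["path"]) in DROP_PATHS:
                hit("write_to_known_drop_path", e["pid"], e["path"])
            name = DROPPED_SHA256.get(e.get("sha256", "").lower())
            if name:
                hit("known_dropped_hash", e["pid"], name)
        elif kind == "network_connect":
            remote_hosts[e["pid"]].add(e["dst"])

    for pid, hosts in remote_hosts.items():
        if len(hosts) >= FAN_OUT_THRESHOLD:
            hit("remote_host_fan_out", pid, f"{len(hosts)} distinct hosts")
    return findings


def rules_for_pid(findings, pid):
    return sorted({f["rule"] for f in findings if f["pid"] == pid})


def verdict(findings):
    """Require corroboration: a known hash, or the service/drop chain plus scanning."""
    rules = {f["rule"] for f in findings}
    if "known_dropped_hash" in rules:
        return "wannacry_like"
    if {"mssecsvc_service_mode", "write_to_known_drop_path", "remote_host_fan_out"} <= rules:
        return "wannacry_like"
    return "no_match"


# Constructed events mirroring the report's tree. Parent PIDs 1000 and 500 for
# the two roots are placeholders; the report does not give them.
DLL_CMD = (r"rundll32.exe C:\Users\Admin\AppData\Local\Temp"
           r"\0f31bd63c85f42b46f8b5c07f02147b0_JaffaCakes118.dll,#1")
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1968, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe", "cmdline": DLL_CMD},
    {"type": "process_create", "pid": 1636, "ppid": 1968,
     "image": r"C:\Windows\SysWOW64\rundll32.exe", "cmdline": DLL_CMD},
    {"type": "file_create", "pid": 1636, "path": r"C:\WINDOWS\mssecsvc.exe",
     "sha256": "ae9dbdddfaca00ecacd763f9ecd891d7d54d2ddabb47f96eb1428621dfe1221c"},
    {"type": "process_create", "pid": 2680, "ppid": 1636,
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "file_create", "pid": 2680, "path": r"C:\WINDOWS\tasksche.exe",
     "sha256": "d74ed543d3d9ad16a9a004b66419922eb76d71fc8b6938cfaf362a8e669f9e1d"},
    {"type": "process_create", "pid": 2632, "ppid": 2680,
     "image": r"C:\WINDOWS\tasksche.exe", "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"type": "process_create", "pid": 2688, "ppid": 500,
     "image": r"C:\WINDOWS\mssecsvc.exe", "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    # benign control: rundll32 invoking a system DLL by export name, should not fire
    {"type": "process_create", "pid": 3000, "ppid": 1000,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
] + [{"type": "network_connect", "pid": 2688, "dst": f"10.0.{i // 256}.{i % 256}"}
     for i in range(3275)]

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['rule']:<30} pid={f['pid']:<5} {f['detail']}")
    print("verdict:", verdict(found))
```

The verdict deliberately needs more than one indicator: a hash match alone is decisive, but the behavioural path requires the service-mode command line, a write to a known drop path and the host fan-out together, so a lone rundll32 ordinal load (common in legitimate software) never reaches a positive on its own.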