Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02-05-2024 10:42
Static task: static1
Behavioral task: behavioral1
- Sample: 0e46a10cc2b091b22e1c34f4a45d4ece_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 0e46a10cc2b091b22e1c34f4a45d4ece_JaffaCakes118.dll
- Resource: win10v2004-20240419-en
General
- Target: 0e46a10cc2b091b22e1c34f4a45d4ece_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 0e46a10cc2b091b22e1c34f4a45d4ece
- SHA1: c975b7dca865b11a8bebe94dbc4b0582cb82bf95
- SHA256: 8ba1caeb6c834ffa35b6cf7875bbde3d9bc5b365ab325d2988f3a2c430536046
- SHA512: edac02cc577199aaedb6674bf737cf4f262cfa1e7b3684bfaf49cd08371b40053491b48e17f8a2ff87a4d5fa6a9a0699ff69811fce2b7f1bd124636365b1c5d9
- SSDEEP: 24576:zbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLK:znAQqMSPbcBVQej/1IN
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3203) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
  2272 | mssecsvc.exe
  2700 | mssecsvc.exe
  2568 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description | ioc | process):
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-43-c9-72-9c-36\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69413D1D-559D-46FA-B8ED-7AE5A5DAC19E}\7e-43-c9-72-9c-36 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69413D1D-559D-46FA-B8ED-7AE5A5DAC19E}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-43-c9-72-9c-36\WpadDecisionTime = e06918667d9cda01 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69413D1D-559D-46FA-B8ED-7AE5A5DAC19E} | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69413D1D-559D-46FA-B8ED-7AE5A5DAC19E}\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69413D1D-559D-46FA-B8ED-7AE5A5DAC19E}\WpadDecisionTime = e06918667d9cda01 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{69413D1D-559D-46FA-B8ED-7AE5A5DAC19E}\WpadDecision = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-43-c9-72-9c-36 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-43-c9-72-9c-36\WpadDecision = "0" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
  PID 2196 wrote to memory of 3048 | 2196 | rundll32.exe | rundll32.exe
  PID 2196 wrote to memory of 3048 | 2196 | rundll32.exe | rundll32.exe
  PID 2196 wrote to memory of 3048 | 2196 | rundll32.exe | rundll32.exe
  PID 2196 wrote to memory of 3048 | 2196 | rundll32.exe | rundll32.exe
  PID 2196 wrote to memory of 3048 | 2196 | rundll32.exe | rundll32.exe
  PID 2196 wrote to memory of 3048 | 2196 | rundll32.exe | rundll32.exe
  PID 2196 wrote to memory of 3048 | 2196 | rundll32.exe | rundll32.exe
  PID 3048 wrote to memory of 2272 | 3048 | rundll32.exe | mssecsvc.exe
  PID 3048 wrote to memory of 2272 | 3048 | rundll32.exe | mssecsvc.exe
  PID 3048 wrote to memory of 2272 | 3048 | rundll32.exe | mssecsvc.exe
  PID 3048 wrote to memory of 2272 | 3048 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e46a10cc2b091b22e1c34f4a45d4ece_JaffaCakes118.dll,#1
  PID: 2196
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0e46a10cc2b091b22e1c34f4a45d4ece_JaffaCakes118.dll,#1
    PID: 3048
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2272
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2568
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2700
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e8a4a145bebc1c9e13d57c8757c3c263
  SHA1: de8d37de2044a3adf025f5e52625daac5783a600
  SHA256: a9b1f67851abb542a99e382456fe4b28991d898ed40203df391544d7ea917b86
  SHA512: 4b49622fa61c643fb837e56fe9a07593fa9f10a086fcdb8ec47dd7fe103f5c1b2983ee75bc185f255db1e53144457f8e6add68110d3fb17a09a5eaab57ca25a3
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 78177eb0fa6b0c24cfed2a8fe6c52be2
  SHA1: 0c0b4d3d9b00e7d225e785ee95967daee551bf31
  SHA256: 65fec100385eea10e983c589a62857befa4b9b6f1270dc4dfcdbe1a9cb66195b
  SHA512: d35c4a70ecbe24d9e73b29c6269349f3a89941ee2e6cb8b663e1d85ef5730edef4557ac66c5d128ec1b28722122193b1fdd30b5c0219b244379b51db8a1a6d85