Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
02-05-2024 13:32
Static task
static1
Behavioral task
behavioral1
Sample
0ea36bdad02e2c61549b71b05923cd65_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
0ea36bdad02e2c61549b71b05923cd65_JaffaCakes118.dll
Resource
win10v2004-20240419-en
General
-
Target
0ea36bdad02e2c61549b71b05923cd65_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
0ea36bdad02e2c61549b71b05923cd65
-
SHA1
27481e4db4c2ba0636a9364ee5eac9c8030759f0
-
SHA256
289c9fcdb0b20438bdad52ba89075c3587d21c6f46d9705df4e1d8ce33d617cc
-
SHA512
2eb0ca1681096d4a5f7462ba28e9ae0fb26ba1d0a1a01afdfbed7b29278bce94be131da86f7217dab366314bde542a7abaa38a3245a48c556efda674283492bb
-
SSDEEP
12288:yvbLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjEXFO:SbLgddQhfdmMSirYbcMNgef0QeQjG
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3273) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1672 mssecsvc.exe 2740 mssecsvc.exe 2072 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-52-f3-de-d7-f3\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BC6B1433-1661-4C64-9947-012EB7BD0820}\WpadDecisionTime = 20130429959cda01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-52-f3-de-d7-f3\WpadDecisionReason = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BC6B1433-1661-4C64-9947-012EB7BD0820}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-52-f3-de-d7-f3 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BC6B1433-1661-4C64-9947-012EB7BD0820} mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BC6B1433-1661-4C64-9947-012EB7BD0820}\8a-52-f3-de-d7-f3 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BC6B1433-1661-4C64-9947-012EB7BD0820}\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BC6B1433-1661-4C64-9947-012EB7BD0820}\WpadDecision = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-52-f3-de-d7-f3\WpadDecisionTime = 20130429959cda01 mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2080 wrote to memory of 1668 2080 rundll32.exe rundll32.exe PID 2080 wrote to memory of 1668 2080 rundll32.exe rundll32.exe PID 2080 wrote to memory of 1668 2080 rundll32.exe rundll32.exe PID 2080 wrote to memory of 1668 2080 rundll32.exe rundll32.exe PID 2080 wrote to memory of 1668 2080 rundll32.exe rundll32.exe PID 2080 wrote to memory of 1668 2080 rundll32.exe rundll32.exe PID 2080 wrote to memory of 1668 2080 rundll32.exe rundll32.exe PID 1668 wrote to memory of 1672 1668 rundll32.exe mssecsvc.exe PID 1668 wrote to memory of 1672 1668 rundll32.exe mssecsvc.exe PID 1668 wrote to memory of 1672 1668 rundll32.exe mssecsvc.exe PID 1668 wrote to memory of 1672 1668 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0ea36bdad02e2c61549b71b05923cd65_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\0ea36bdad02e2c61549b71b05923cd65_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1672 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2072
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2740
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5e2efa5233f98bbf7cdbae480edf9a418
SHA16e17d97c191bb1bfdeaf47976045a04537f5921b
SHA256ab97322754de25121e98f4b77b50e80a0e23ca595c1e997b2b164e08d504f3b9
SHA51295182f109e01b7814f1b4ab2cbe4fecb673cc033478b4d4fcc4a0182cca82d383779a87a3cddadc575a2bf1f3b7183e87a1c030ccc05c2afa8f1245f441df028
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD5a319565a0f8a96906744f76a2317986a
SHA135bd006d106f7df7e2782bb7c560fbc83f157359
SHA2563056d47d4fcd3d50ae29ea9bb991d86c40e946ba5e03ab95242cb1d0c8d49a48
SHA5124fd33176f184b8cc26bb9d31102de398bf93d5812b1a538035175f3f2d187e45310575d2b70cfe5d2f9afda48e47db1aafd5aea94a2531f8d476ace5f8d9599c