Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 03-05-2024 04:32

Static task: static1

Behavioral task: behavioral1
- Sample: 0fadb975887f58eb432387e86f0465b2_JaffaCakes118.dll
- Resource: win7-20240419-en

Behavioral task: behavioral2
- Sample: 0fadb975887f58eb432387e86f0465b2_JaffaCakes118.dll
- Resource: win10v2004-20240419-en
General
- Target: 0fadb975887f58eb432387e86f0465b2_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 0fadb975887f58eb432387e86f0465b2
- SHA1: fbf5d8d2759305b15891657f6b60fd53b2d09d34
- SHA256: 60816bcab52669039f9f35dfefaf114279832402aa81f481df7b203ac989c081
- SHA512: e710407fbaf5c43236113d6a764d783204c58bac764cf2b6e9b90045d23ff077b258fadbb37fec5aa040aeaa5a3ef4d17d69fe1be2c78355d10e8154652b1b64
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P59UcryAVkE:+DqPe1Cxcxk3ZAEUad7yck
Malware Config

Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3348) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 2044: mssecsvc.exe
    PID 2360: mssecsvc.exe
    PID 2964: tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes:
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
    File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
    File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe (key creations and value writes under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings, including the Wpad and Connections subkeys)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 2204 (rundll32.exe) wrote to memory of PID 2424 (rundll32.exe): 7 events
    PID 2424 (rundll32.exe) wrote to memory of PID 2044 (mssecsvc.exe): 4 events
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fadb975887f58eb432387e86f0465b2_JaffaCakes118.dll,#1
  PID: 2204
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\0fadb975887f58eb432387e86f0465b2_JaffaCakes118.dll,#1
    PID: 2424
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2044
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2964
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2360
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 07c498015f8a58ae9fd908f0e2978ae6
  SHA1: d6de1f561d588b030af47809e68fb5ed94abc3e2
  SHA256: e609de4cdb55b4d289a466474d0eea0bd03ddbf0b36d81276c41c3221df7aaa6
  SHA512: a5c5b501c09942a0dc4bbf03d3b3367a11fbb6d45e8b10e866783431a3e9fa4918481b5d983e03f2c154e2a3dfc70e348a3e4569f357611c857c81d6ed326930
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: ea86acbf644340f8f693b7303892e167
  SHA1: 2805dc547a9452f0811f7d76bd2b9b7f451368ca
  SHA256: ece0fea375cbc8e065b12bedd8e17b04c91955037825b483e24b94cbc1ffd465
  SHA512: 6c6fbfdb4fc234031e9088e28a50e29971b85a68d852f9312ca0b792b700610290cbf887d2d717be5c689898d100e689cbabb3ae486abea6a8bdd688a8a27bf7