Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
04-05-2024 23:26
Static task
static1
Behavioral task
behavioral1
Sample
14f4159fa3b21c3b19dc164d299f028f_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
14f4159fa3b21c3b19dc164d299f028f_JaffaCakes118.dll
Resource
win10v2004-20240419-en
General
-
Target
14f4159fa3b21c3b19dc164d299f028f_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
14f4159fa3b21c3b19dc164d299f028f
-
SHA1
a45ac9e4480155a904b1fe3694f1ba7f5b299e36
-
SHA256
a4eeb9a04193c9ffc59a58d6f83e988c0f88066ae7cd9d21e2eea1b46032d0f0
-
SHA512
6e6eebfa0ca7f496d17eed921bd4f17adc14265f0e756cd364c30bd696236b9b0e9e31b5a647cc69d8ff7b41f82a4c707b532fb354fa35d7dd6f0d3fcc94ba0a
-
SSDEEP
98304:+DqPoBhz1aRxcSUDk36SAEd1SPl3R8yAVp2H:+DqPe1Cxcxk3ZAESR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3284) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1692 mssecsvc.exe 2484 mssecsvc.exe 2508 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{67600140-557A-46D8-8EA8-DB0B52029A34}\WpadDecisionTime = 10e440807a9eda01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-32-9f-40-50-8c mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{67600140-557A-46D8-8EA8-DB0B52029A34} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-32-9f-40-50-8c\WpadDecision = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-32-9f-40-50-8c\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\b2-32-9f-40-50-8c\WpadDecisionTime = 10e440807a9eda01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{67600140-557A-46D8-8EA8-DB0B52029A34}\WpadDecisionReason = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{67600140-557A-46D8-8EA8-DB0B52029A34}\WpadNetworkName = "Network 2" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{67600140-557A-46D8-8EA8-DB0B52029A34}\b2-32-9f-40-50-8c mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{67600140-557A-46D8-8EA8-DB0B52029A34}\WpadDecision = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2992 wrote to memory of 868 2992 rundll32.exe rundll32.exe PID 2992 wrote to memory of 868 2992 rundll32.exe rundll32.exe PID 2992 wrote to memory of 868 2992 rundll32.exe rundll32.exe PID 2992 wrote to memory of 868 2992 rundll32.exe rundll32.exe PID 2992 wrote to memory of 868 2992 rundll32.exe rundll32.exe PID 2992 wrote to memory of 868 2992 rundll32.exe rundll32.exe PID 2992 wrote to memory of 868 2992 rundll32.exe rundll32.exe PID 868 wrote to memory of 1692 868 rundll32.exe mssecsvc.exe PID 868 wrote to memory of 1692 868 rundll32.exe mssecsvc.exe PID 868 wrote to memory of 1692 868 rundll32.exe mssecsvc.exe PID 868 wrote to memory of 1692 868 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\14f4159fa3b21c3b19dc164d299f028f_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\14f4159fa3b21c3b19dc164d299f028f_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:868 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1692 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2508
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2484
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5e4c2e26d1495f98d5633720b75c9835f
SHA1f7a496d36fe1795dfef51521887c6a5866ef74fe
SHA256c01cb34dcdfe3cc283fc91b9ddfc3766d7c3bae3aabcff7fffb6dd6f11a708e6
SHA512dc0bfeb182cc3e270e04ec947205d26b0fa5be3aa436dd1d04d00e3071a0af1bfa94a83b69fca73e03f05bac52e535c3631640dd5a284f2479f8404b3e9521b9
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD53f52585f62ee1604788397dc13f023aa
SHA1236413a32328b26e2b0ac4ece456470adb09bec5
SHA256c1b9cd4d80b5f36c6e5c5d5caae64fef11d1019dcaab561f59244fc07f79f612
SHA51263341ccb7a856be1611dd65cefe748a74f1cac7692da581946ef2de9f01798f721dc6f9438bc49038ff47073206ea68f5b765ce14039d37ec337dd9b4c59ba43