Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04-05-2024 01:47
Static task: static1
Behavioral task: behavioral1
  Sample: 112898647ce320efd2e9cf08cb164953_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 112898647ce320efd2e9cf08cb164953_JaffaCakes118.dll
  Resource: win10v2004-20240419-en
General
- Target: 112898647ce320efd2e9cf08cb164953_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 112898647ce320efd2e9cf08cb164953
- SHA1: f81a19540c99c9c21592463de04c3de1d2830139
- SHA256: 214c15fada69dafc68f85eb37b8551f3d53da048eebfb6b8877203f6385d97e0
- SHA512: 49b25542c7dabafeadbbdbfb9dbc3d6464364b2c7180d1cb1cab8ebb0983578aba01cdd8cdd57ac502215cf6d479e46fc8bf5bc6cbf2c1a20ecd5e8209182dc6
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAABplA:+DqPoBhz1aRxcSUDk36SACp2
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3299) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 1932  mssecsvc.exe
    PID 2976  mssecsvc.exe
    PID 2820  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  File opened for modification by mssecsvc.exe: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
- Drops file in Windows directory (2 IoCs)
  File created by rundll32.exe: C:\WINDOWS\mssecsvc.exe
  File created by mssecsvc.exe: C:\WINDOWS\tasksche.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Process: mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2932 (rundll32.exe) wrote to memory of PID 1276 (rundll32.exe), 7 occurrences
  PID 1276 (rundll32.exe) wrote to memory of PID 1932 (mssecsvc.exe), 4 occurrences
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\112898647ce320efd2e9cf08cb164953_JaffaCakes118.dll,#1
  PID: 2932
  Signatures: Suspicious use of WriteProcessMemory
  Child process: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\112898647ce320efd2e9cf08cb164953_JaffaCakes118.dll,#1
    PID: 1276
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    Child process: C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1932
      Signatures: Executes dropped EXE; Drops file in Windows directory
      Child process: C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2820
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2976
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 228b6f8b99ea1d08e621908ab4b73bf5
  SHA1: 2f527c549a13ae017a91b0addbc77e70584a3a29
  SHA256: 700713365799d6784ad7ebbcc8fb3f8dba75228a7eb2d706e4507a7269eed6d9
  SHA512: 5c11c609d284a41250284ff465e5e3356b3edbd49b9a5ed6efd4cc6555c433f7ec80078f19e0c4c29da7722f00af9109a0dba9d529a88662e32253a8c648cfde
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 076ee29840e803007070be273aed3df3
  SHA1: d3c6b8c9415e4e2c77f73b8593e925e4b11dc221
  SHA256: ec29cd92443459a52e9305ee2a94bbe949f325b94bc73ce3e65a1813e055a614
  SHA512: d1c6d84a2ac80b995d915353df25f2dac9d4abaa33a77fb0676a2112d9a3b5652aaeaf797d3c98b76e3144fb8ce42f23a66290fa81a410c0439b7ee1bff161d6