Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
04-05-2024 05:00
Static task
static1
Behavioral task
behavioral1
Sample
118eedee15f92a246867fed1e15bfda1_JaffaCakes118.dll
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
118eedee15f92a246867fed1e15bfda1_JaffaCakes118.dll
Resource
win10v2004-20240419-en
General
-
Target
118eedee15f92a246867fed1e15bfda1_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
118eedee15f92a246867fed1e15bfda1
-
SHA1
5ff90cf70d36d8be902e23bba87e9df6ccb3dad7
-
SHA256
27b656167ee5504bcd296075509bcbdb09b1aba52aec630ec84d23b0a2dbd90e
-
SHA512
7259fcad1c439c2b901203d1f35ed2569dfa6f0018b33c6710343cf731c0a7c09a6aa7a20b37fd57b393c536a3d399da37bc068a1a646f17350c68d959040c8b
-
SSDEEP
98304:TDqPoVl71kRYhEpykcTX+CXlvwr/cA3oYDRaMYwPQYYWr3oSEsWfhP:TDqP7
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3060) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 2968 mssecsvc.exe 2152 mssecsvc.exe 2580 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0047000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{869C47FF-AE31-46E8-BE02-A26D98385553} mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{869C47FF-AE31-46E8-BE02-A26D98385553}\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-49-19-7d-c6-ed\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{869C47FF-AE31-46E8-BE02-A26D98385553}\WpadDecisionTime = b0a5310fe09dda01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{869C47FF-AE31-46E8-BE02-A26D98385553}\WpadDecision = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{869C47FF-AE31-46E8-BE02-A26D98385553}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-49-19-7d-c6-ed mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-49-19-7d-c6-ed\WpadDecisionTime = b0a5310fe09dda01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{869C47FF-AE31-46E8-BE02-A26D98385553}\f6-49-19-7d-c6-ed mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-49-19-7d-c6-ed\WpadDecision = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2888 wrote to memory of 2952 2888 rundll32.exe rundll32.exe PID 2888 wrote to memory of 2952 2888 rundll32.exe rundll32.exe PID 2888 wrote to memory of 2952 2888 rundll32.exe rundll32.exe PID 2888 wrote to memory of 2952 2888 rundll32.exe rundll32.exe PID 2888 wrote to memory of 2952 2888 rundll32.exe rundll32.exe PID 2888 wrote to memory of 2952 2888 rundll32.exe rundll32.exe PID 2888 wrote to memory of 2952 2888 rundll32.exe rundll32.exe PID 2952 wrote to memory of 2968 2952 rundll32.exe mssecsvc.exe PID 2952 wrote to memory of 2968 2952 rundll32.exe mssecsvc.exe PID 2952 wrote to memory of 2968 2952 rundll32.exe mssecsvc.exe PID 2952 wrote to memory of 2968 2952 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\118eedee15f92a246867fed1e15bfda1_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\118eedee15f92a246867fed1e15bfda1_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2968 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2580
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2152
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5661fdd674e5b970bd6c16b79157dca7b
SHA14845c77b316f47a4a4451f49af0557bfcb9414c7
SHA256f7bc720a877190d678b5aed7c5f17c6a08ee44d3c7b81f8bf951dc309ed242d0
SHA512f6e2f9ca3bebf7913d20431fec77f557c1a23950b9001496fa99fd6d1a207cabbca2f0ab78d05c6c8ff5d2b35c49287edc01c797b4e557b0e45cecea32ea2083
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD5f7a6deedaa31614b07e5407e02404a77
SHA139396676c7c3b17737d3d54104e391c9b3980469
SHA256bc063fe618ebd42fd8750193a963f9296301f34d979dc0fd89624caf7bb5c3d0
SHA51293edd5f22678c76271f24d62aa3d7623294279f74d905a18c470c28ad6fe6262080f852daf8f6d328d9e2008688a346b738022429aae06cacbb9c5de46ab157a