Analysis
- max time kernel: 151s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 04-05-2024 15:27
Static task: static1
Behavioral task: behavioral1
  Sample: 13553875c752a890b91beb67609fd8d0_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 13553875c752a890b91beb67609fd8d0_JaffaCakes118.dll
  Resource: win10v2004-20240419-en
General
- Target: 13553875c752a890b91beb67609fd8d0_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 13553875c752a890b91beb67609fd8d0
- SHA1: be9f95c524409691a6e793c40144515460e50101
- SHA256: ffa8b67092e720d2dc0b83a88a5c83490b4ee19f962e960647bfc1534bb192ac
- SHA512: f28d6c75ad09099c66e46777cf224ac9744125f83d3b946821c3a74417d457d0f7886c1cd72b1ba0420f18ddc19b09d9847df973011fb09fe499ca0c36bd6f90
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593RU:+DqPe1Cxcxk3ZAEUadzRU
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3210) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid    process
    2428   mssecsvc.exe
    2500   mssecsvc.exe
    2708   tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes:
    description                    ioc                                                                                                            process
    File opened for modification   C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat   mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    description    ioc                        process
    File created   C:\WINDOWS\mssecsvc.exe    rundll32.exe
    File created   C:\WINDOWS\tasksche.exe    mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes:
    description         ioc                                                                                                                                          process
    Set value (int)     \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-df-f8-96-1a-a3\WpadDecisionReason = "1"   mssecsvc.exe
    Set value (int)     \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-df-f8-96-1a-a3\WpadDecision = "0"   mssecsvc.exe
    Key created         \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings   mssecsvc.exe
    Set value (int)     \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"   mssecsvc.exe
    Set value (data)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   mssecsvc.exe
    Key created         \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\   mssecsvc.exe
    Set value (data)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{19673D18-DAFA-4605-B56D-BC1802E9DA95}\WpadDecisionTime = e0c026a4379eda01   mssecsvc.exe
    Key created         \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-df-f8-96-1a-a3   mssecsvc.exe
    Set value (str)     \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{19673D18-DAFA-4605-B56D-BC1802E9DA95}\WpadNetworkName = "Network 3"   mssecsvc.exe
    Key created         \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{19673D18-DAFA-4605-B56D-BC1802E9DA95}\1e-df-f8-96-1a-a3   mssecsvc.exe
    Key created         \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings   mssecsvc.exe
    Set value (int)     \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"   mssecsvc.exe
    Set value (str)     \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"   mssecsvc.exe
    Set value (str)     \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"   mssecsvc.exe
    Set value (data)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0078000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   mssecsvc.exe
    Set value (int)     \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{19673D18-DAFA-4605-B56D-BC1802E9DA95}\WpadDecision = "0"   mssecsvc.exe
    Set value (data)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   mssecsvc.exe
    Set value (str)     \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix   mssecsvc.exe
    Set value (int)     \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{19673D18-DAFA-4605-B56D-BC1802E9DA95}\WpadDecisionReason = "1"   mssecsvc.exe
    Set value (data)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-df-f8-96-1a-a3\WpadDecisionTime = e0c026a4379eda01   mssecsvc.exe
    Key created         \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections   mssecsvc.exe
    Set value (int)     \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"   mssecsvc.exe
    Key created         \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad   mssecsvc.exe
    Key created         \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{19673D18-DAFA-4605-B56D-BC1802E9DA95}   mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                        pid    process        target process
    PID 2212 wrote to memory of 2228   2212   rundll32.exe   rundll32.exe
    PID 2212 wrote to memory of 2228   2212   rundll32.exe   rundll32.exe
    PID 2212 wrote to memory of 2228   2212   rundll32.exe   rundll32.exe
    PID 2212 wrote to memory of 2228   2212   rundll32.exe   rundll32.exe
    PID 2212 wrote to memory of 2228   2212   rundll32.exe   rundll32.exe
    PID 2212 wrote to memory of 2228   2212   rundll32.exe   rundll32.exe
    PID 2212 wrote to memory of 2228   2212   rundll32.exe   rundll32.exe
    PID 2228 wrote to memory of 2428   2228   rundll32.exe   mssecsvc.exe
    PID 2228 wrote to memory of 2428   2228   rundll32.exe   mssecsvc.exe
    PID 2228 wrote to memory of 2428   2228   rundll32.exe   mssecsvc.exe
    PID 2228 wrote to memory of 2428   2228   rundll32.exe   mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\13553875c752a890b91beb67609fd8d0_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2212
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\13553875c752a890b91beb67609fd8d0_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2228
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2428
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2708
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2500
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 2de61ce3c8b9b71e471b31bd67500f0f
  SHA1: 3cb1cbfa618542d542bdefbb86c0b5392753abd8
  SHA256: d26030304646d024e87868bec6cbe177d2fb2e1e583f564f5e626f04b47ba211
  SHA512: a58e5652c17c5d20a2f9264f421d6c90f582809439de9e4ac0aafa892299128b3de16397ef06adb67674fdc53f54bad89e5b7011dbc204de32e37edb703018b6
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: f53f7a524f9e5ddaa7b59218922b99dc
  SHA1: 34b2fb37aebfc505c0ab54cf0bf8805746f7623a
  SHA256: f57f28c00276f0893286ef863e5cde7f233ba05b059a4a32237e7cfb92f441b2
  SHA512: 26ef0cd3b40270c6539986b9d827243263a3b51a2e3ee1e67515e68da6100380bcd066ddab67e3c3140b6987673811609f43ee96aff9d1eba224627cb80eb7a0