Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 05-05-2024 03:48
Static task: static1
Behavioral task: behavioral1
- Sample: 15d83ee4639da1901b35df7a5b0e9a39_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 15d83ee4639da1901b35df7a5b0e9a39_JaffaCakes118.dll
- Resource: win10v2004-20240226-en
General
- Target: 15d83ee4639da1901b35df7a5b0e9a39_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 15d83ee4639da1901b35df7a5b0e9a39
- SHA1: 61a438e87311b8703e18c227fa81779508c19840
- SHA256: ad23984d8f9812e3fad7678f27047fc02ae32df440a49afe3af810a5fdc282e2
- SHA512: e8bd126be0269f5162a382765e53d4a506367434fac94ff157347b58687846878de28950584f011bad9689c28fad08b26d4fb48ba2aa3541cb720115bd5eff9a
- SSDEEP: 49152:SnAQqMSPbcBVQej/1cOQ77JU+3qrNei6Omk:+DqPoBhz1GU+3az6Omk
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm: it encrypts files on the infected host and spreads to other hosts on its own.
- Contacts a large (3354) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services. Here it is the worm component (mssecsvc.exe, the service instance in the process tree) sweeping for further SMB targets; the report records only the number of hosts contacted, not the ports or the exploit traffic, so confirm the 445/tcp pattern from the pcap before relying on it.
- Executes dropped EXE (3 IoCs)
  PID   Process
  1716  mssecsvc.exe
  2604  mssecsvc.exe
  2712  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  File opened for modification by mssecsvc.exe: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
  counters.dat is WinINet cache bookkeeping; its location under config\systemprofile shows that the writing instance (PID 2604) runs as SYSTEM and has initialised WinINet for an outbound HTTP request.
- Drops file in Windows directory (2 IoCs)
  File created by rundll32.exe: C:\WINDOWS\mssecsvc.exe
  File created by mssecsvc.exe: C:\WINDOWS\tasksche.exe
- Modifies data under HKEY_USERS (24 IoCs)
  All 24 writes are by mssecsvc.exe (PID 2604) under \REGISTRY\USER\.DEFAULT, the registry profile of the SYSTEM account. They are the standard side effects of WinINet proxy autodetection (WPAD decision keys, ProxyEnable, DefaultConnectionSettings, cache prefixes) when a SYSTEM process makes an HTTP request; they are not persistence and do not need cleanup by themselves, but they are a useful timeline marker for when the service instance first went out to the network.
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-cd-e7-ec-a5-5b\WpadDecisionTime = 40f0d7289f9eda01
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6628B9C7-01E8-413A-A635-0F76097A803C}\WpadDecisionReason = "1"
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6628B9C7-01E8-413A-A635-0F76097A803C}\WpadDecision = "0"
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6628B9C7-01E8-413A-A635-0F76097A803C}\WpadNetworkName = "Network 3"
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-cd-e7-ec-a5-5b
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-cd-e7-ec-a5-5b\WpadDecision = "0"
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6628B9C7-01E8-413A-A635-0F76097A803C}\WpadDecisionTime = 40f0d7289f9eda01
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-cd-e7-ec-a5-5b\WpadDecisionReason = "1"
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6628B9C7-01E8-413A-A635-0F76097A803C}\02-cd-e7-ec-a5-5b
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6628B9C7-01E8-413A-A635-0F76097A803C}
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Suspicious use of WriteProcessMemory (11 IoCs)
  Source PID  Source        Target PID  Target        Writes
  2012        rundll32.exe  2088        rundll32.exe  7
  2088        rundll32.exe  1716        mssecsvc.exe  4
  Every write is from a parent into a child it has just created, which is consistent with CreateProcess populating the new process's startup parameters rather than with code injection; on its own this signature is weak evidence, and the value here is that it confirms the parent/child links in the tree.
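The two network signatures above (thousands of remote hosts, many flows) are what a worm sweep looks like from the flow level. The following detector is an added example, not part of the sandbox report or of the sandbox's own signature logic: it computes each source's peak fan-out (distinct destination/port pairs inside a sliding window) and the share of its traffic going to one port, which separates a worm exploiting a single service from an ordinary busy client. The flow records are constructed in build_sample() to resemble this report (one host sweeping a /24 plus random public addresses on 445/tcp); the addresses, window and threshold are assumptions, and a real deployment would read NetFlow or Zeek conn.log instead.

```python
"""Fan-out scan detector over flow records (added example; sample flows are constructed)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Flow:
    t: float      # seconds since start of capture
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination TCP port


def peak_fanout(flows, window_s=60.0):
    """For each source, the largest number of distinct (dst, dport) pairs it
    contacted inside any sliding window of window_s seconds."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    peak = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.t)
        live = Counter()          # (dst, dport) -> flows still inside the window
        left, best = 0, 0
        for f in fl:
            live[(f.dst, f.dport)] += 1
            while fl[left].t < f.t - window_s:   # evict flows that fell out of the window
                key = (fl[left].dst, fl[left].dport)
                live[key] -= 1
                if live[key] == 0:
                    del live[key]
                left += 1
            best = max(best, len(live))
        peak[src] = best
    return peak


def dominant_port(flows, src):
    """(port, share) of the most-contacted destination port for src, or None if
    src sent nothing; a worm exploiting one service shows a share close to 1.0."""
    counts = Counter(f.dport for f in flows if f.src == src)
    if not counts:
        return None
    port, n = counts.most_common(1)[0]
    return port, n / sum(counts.values())


def scanners(flows, threshold=100, window_s=60.0):
    """Sources whose peak fan-out reaches the threshold, sorted."""
    return sorted(s for s, n in peak_fanout(flows, window_s).items() if n >= threshold)


def build_sample():
    """Constructed traffic (assumed addresses): one ordinary client and one host sweeping SMB."""
    rng = random.Random(1)
    flows = []
    # benign: a workstation talking HTTPS to fifteen servers over a minute
    servers = [f"203.0.113.{i}" for i in range(1, 16)]
    for _ in range(40):
        flows.append(Flow(t=rng.uniform(0, 60), src="10.10.1.20", dst=rng.choice(servers), dport=443))
    # worm-like: the local /24 plus random public addresses, all on 445/tcp, within 20 s
    targets = [f"10.10.1.{i}" for i in range(1, 255)]
    targets += [f"{rng.randrange(1, 224)}.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}"
                for _ in range(100)]
    for dst in targets:
        flows.append(Flow(t=rng.uniform(0, 20), src="10.10.1.5", dst=dst, dport=445))
    return flows


SAMPLE_FLOWS = build_sample()

if __name__ == "__main__":
    for src in scanners(SAMPLE_FLOWS):
        print(src, peak_fanout(SAMPLE_FLOWS)[src], dominant_port(SAMPLE_FLOWS, src))
```

The sliding window matters more than the raw host count: 3354 hosts over a working day is a busy proxy, 3354 hosts in a minute on one port is a worm. Tune the threshold per network segment and exempt known scanners (vulnerability scanners, monitoring) by source address rather than lowering the bar.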
Processes
- C:\Windows\system32\rundll32.exe (PID 2012)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\15d83ee4639da1901b35df7a5b0e9a39_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2088)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\15d83ee4639da1901b35df7a5b0e9a39_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1716)
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2712)
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2604)
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

Reading the tree: the sandbox loads the DLL with rundll32 by export ordinal (",#1"). The 64-bit rundll32.exe in system32 (PID 2012) hands off to the 32-bit copy in SysWOW64 (PID 2088) because the sample is a 32-bit DLL (arch:x86 in the resource tags); the 32-bit instance writes C:\WINDOWS\mssecsvc.exe and runs it. That first mssecsvc.exe (PID 1716) drops and launches tasksche.exe /i, the ransomware payload. The second mssecsvc.exe (PID 2604, "-m security") appears as its own root because it was started by the Service Control Manager rather than by the dropper: this is the worm instance, and it is the one that touches the SYSTEM profile (counters.dat, HKU\.DEFAULT) and generates the host sweep. The service installation itself is not shown in this report.
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 45ec1df191a2b8a4c7bf6ccd2edd22e0
  SHA1: ef35ca0d18bd79a5431442f84e394cd12a47cf31
  SHA256: fbbfaa997091cc29e7dbf8e03d5f0eb2e36de972405aa1f35f111fe302559a33
  SHA512: 3c10e97b15692aaf845ec5f5478d6f1e6c74093f40a349d8a5aef65894c5f2af1b0648dc6001d04775fd441bd15b34963cc12579206143f0b461d265afc49a03
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 9e6a3c0f1bfeef80cfccddbe072d1af9
  SHA1: 1a7e70ef21c28ecfca1a66823be7706a4954a0cf
  SHA256: bcde665864a4da5e5edef9c75026ffa4c4fc0914844c8b7b354cf882b592c3d3
  SHA512: ac81fa42b2b613d775e26a6e86360b821fc4ba5fb35c50559744d96cf31bfe7e9a2c3d94f5615f4474ffa5085112903cba7cc24d09a2c806ede0f52d4b334aa2
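The process tree and the dropped-file hashes above are the two things an endpoint analyst can hunt on directly. The following matcher is an added example, not part of the sandbox report or of the sandbox's own signatures: it runs a handful of rules over process-creation events (rundll32 loading a DLL from the user's temp directory by ordinal, mssecsvc.exe started by rundll32, the "-m security" service instance, tasksche.exe under mssecsvc.exe) and also matches the two SHA256 values from the Downloads section, so a renamed copy is still caught by hash and a rehashed copy is still caught by the chain. The events are constructed to mirror this report's PIDs; the field names follow Sysmon Event ID 1, and the parent processes explorer.exe (PID 1234), wininit.exe (PID 400) and services.exe (PID 480), plus the benign rundll32 (PID 3001), are assumptions not present in the report.

```python
"""Process-chain and hash matcher for the WannaCry tree (added example; events are constructed)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    sha256: str = ""   # empty when the sensor did not hash the image


# SHA256 of the two dropped files, taken from the report's Downloads section
IOC_SHA256 = {
    "fbbfaa997091cc29e7dbf8e03d5f0eb2e36de972405aa1f35f111fe302559a33": "mssecsvc.exe",
    "bcde665864a4da5e5edef9c75026ffa4c4fc0914844c8b7b354cf882b592c3d3": "tasksche.exe",
}


def _name(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return {pid: [rule, ...]} for every event that matches at least one rule.
    Parent lookups use the ppid of events in the same batch."""
    by_pid = {e.pid: e for e in events}
    hits = defaultdict(list)
    for e in events:
        name = _name(e.image)
        cmd = e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        pname = _name(parent.image) if parent else ""
        # known-bad image hash, independent of file name or location
        if e.sha256.lower() in IOC_SHA256:
            hits[e.pid].append("known_hash:" + IOC_SHA256[e.sha256.lower()])
        # rundll32 loading a DLL out of the user's temp directory by export ordinal
        if name == "rundll32.exe" and "\\appdata\\local\\temp\\" in cmd and ",#" in cmd:
            hits[e.pid].append("rundll32_temp_ordinal")
        # dropper instance: mssecsvc.exe started by rundll32
        if name == "mssecsvc.exe" and pname == "rundll32.exe":
            hits[e.pid].append("mssecsvc_from_rundll32")
        # worm instance started as a service
        if name == "mssecsvc.exe" and "-m security" in cmd:
            hits[e.pid].append("mssecsvc_service_instance")
        # ransomware payload launched by the dropper
        if name == "tasksche.exe" and pname == "mssecsvc.exe":
            hits[e.pid].append("tasksche_from_mssecsvc")
    return dict(hits)


def hit_pids(events):
    """Sorted PIDs that matched at least one rule."""
    return sorted(detect(events))


DLL = r"C:\Users\Admin\AppData\Local\Temp\15d83ee4639da1901b35df7a5b0e9a39_JaffaCakes118.dll"
MSSECSVC = "fbbfaa997091cc29e7dbf8e03d5f0eb2e36de972405aa1f35f111fe302559a33"
TASKSCHE = "bcde665864a4da5e5edef9c75026ffa4c4fc0914844c8b7b354cf882b592c3d3"

# Constructed events: PIDs 2012/2088/1716/2712/2604 and their command lines follow the
# report; explorer.exe, wininit.exe, services.exe and the benign rundll32 are assumed.
SAMPLE_EVENTS = [
    ProcEvent(1234, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(480, 400, r"C:\Windows\system32\services.exe", r"C:\Windows\system32\services.exe"),
    ProcEvent(2012, 1234, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(2088, 2012, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(1716, 2088, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe", MSSECSVC),
    ProcEvent(2712, 1716, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i", TASKSCHE),
    ProcEvent(2604, 480, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security", MSSECSVC),
    # benign rundll32 use for contrast: system DLL, named export, no temp path
    ProcEvent(3001, 1234, r"C:\Windows\system32\rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for pid, rules in sorted(detect(SAMPLE_EVENTS).items()):
        print(pid, rules)
```

The chain rules are deliberately name-based because the file names are fixed in the sample; the hash rule covers the case where a variant is renamed, and if the variant is repacked neither rule fires, which is why the flow-level sweep detector is still needed alongside this one.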