Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05-05-2024 04:46
Static task: static1

Behavioral task: behavioral1
  Sample: 160b4ee7ffde7e6c168ffecacdc48f2f_JaffaCakes118.dll
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 160b4ee7ffde7e6c168ffecacdc48f2f_JaffaCakes118.dll
  Resource: win10v2004-20240419-en
General

Target: 160b4ee7ffde7e6c168ffecacdc48f2f_JaffaCakes118.dll
Size: 5.0MB
MD5: 160b4ee7ffde7e6c168ffecacdc48f2f
SHA1: 99c5a256999ea68c81f76056411aee25733aba2d
SHA256: 75b14a7bdef9667c0e003351320e0a8a246a57db3ca648d8a424b0b3d3271792
SHA512: 486de3f5663c2e5d1862b4148733fded67a3c32262b52eb783d3dc2dc5aceddcf34093ee3d28ba97ca0fd729d32ce2cd5f70e2cb516bf9c396ee9653e02343c0
SSDEEP: 12288:yvbLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DdcL9gMZE/oy:SbLgddQhfdmMSirYbcMNgef0z9XEk
Signatures

Wannacry
  WannaCry is a ransomware cryptoworm.

Contacts a large (3135) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid  | process
  2384 | mssecsvc.exe
  2556 | mssecsvc.exe
  2644 | tasksche.exe

Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe

Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe

Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadDecisionTime = 30c9ec33a79eda01 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f011f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadDecision = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43} | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61\WpadDecisionTime = 30c9ec33a79eda01 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61\WpadDecision = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8DF4808D-ED5F-4758-89D8-5580AAFBDA43}\d6-8e-05-c7-1d-61 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-8e-05-c7-1d-61\WpadDecisionReason = "1" | mssecsvc.exe

Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 2076 wrote to memory of 1616 | 2076 | rundll32.exe | rundll32.exe
  PID 2076 wrote to memory of 1616 | 2076 | rundll32.exe | rundll32.exe
  PID 2076 wrote to memory of 1616 | 2076 | rundll32.exe | rundll32.exe
  PID 2076 wrote to memory of 1616 | 2076 | rundll32.exe | rundll32.exe
  PID 2076 wrote to memory of 1616 | 2076 | rundll32.exe | rundll32.exe
  PID 2076 wrote to memory of 1616 | 2076 | rundll32.exe | rundll32.exe
  PID 2076 wrote to memory of 1616 | 2076 | rundll32.exe | rundll32.exe
  PID 1616 wrote to memory of 2384 | 1616 | rundll32.exe | mssecsvc.exe
  PID 1616 wrote to memory of 2384 | 1616 | rundll32.exe | mssecsvc.exe
  PID 1616 wrote to memory of 2384 | 1616 | rundll32.exe | mssecsvc.exe
  PID 1616 wrote to memory of 2384 | 1616 | rundll32.exe | mssecsvc.exe
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\160b4ee7ffde7e6c168ffecacdc48f2f_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2076

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\160b4ee7ffde7e6c168ffecacdc48f2f_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1616

    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2384

      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2644

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2556
MITRE ATT&CK Enterprise v15
Downloads

C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: f162a3457e92b25a85e9a616ba88a091
  SHA1: 36fa7624e89e7980856531887900d7d98e341511
  SHA256: 16cfdb04d04098874b0d77a63f9688d9421ef5e0d4706219e4dc004a297a60ba
  SHA512: dd9920a2a19ba91a8066b1ea84b5df3bee216d6742f4c312144a3f768dfa6e69e714029443fe40f60d5801bb252c417050948422e64831ac002a1cba01688985

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 10ad273a094f18d455d4de016f634a39
  SHA1: 8d11a4722fea582a4b8873c7ed7b57107ceaba45
  SHA256: 294b42bf9aa8f33f34181bc9fca1674e484d640fe4e01d34b4338d9680582df9
  SHA512: cf115b350aec84553ee97b2a11909461351a7e11cfb49d42f98a3c7b2ce2c857fb67d3ae554f49aad8bfcb68efeeda46761a508862cc4fa7fe84369921ebeeb8