Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06-05-2024 17:27
Static task: static1
Behavioral task: behavioral1
  Sample: 1d96a9f2bfe3496c6bb39c3e79f748f5_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 1d96a9f2bfe3496c6bb39c3e79f748f5_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
- Target: 1d96a9f2bfe3496c6bb39c3e79f748f5_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 1d96a9f2bfe3496c6bb39c3e79f748f5
- SHA1: 4360eb97a5c0b713c9bdd1ed3d960d7d614c38c3
- SHA256: 04a51580d079a6d78828871a7aab73a2afaba8faa0de0bd4efa1340f41412381
- SHA512: 3b6e3b9098f8aec8200698ec13a5fa7d44e8e257372e6402c2a712126263fc375bd28fcba8ce7cc3bf73c96e38a3c85f5d68aad0f3902cc5649428aa892baba7
- SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SARhvxWa9P5wyAVp2:TDqPe1Cxcxk3ZAQadSyc4
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3179) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid   process
    2612  mssecsvc.exe
    2620  mssecsvc.exe
    2584  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes: mssecsvc.exe
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: mssecsvc.exe, rundll32.exe
    File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
    File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{65F9653A-D31C-471E-B15B-0F7F0C085CFC} (mssecsvc.exe)
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-bf-a6-c4-70-74 (mssecsvc.exe)
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{65F9653A-D31C-471E-B15B-0F7F0C085CFC}\02-bf-a6-c4-70-74 (mssecsvc.exe)
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (mssecsvc.exe)
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (mssecsvc.exe)
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (mssecsvc.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (mssecsvc.exe)
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0074000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{65F9653A-D31C-471E-B15B-0F7F0C085CFC}\WpadDecision = "0" (mssecsvc.exe)
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-bf-a6-c4-70-74\WpadDecisionReason = "1" (mssecsvc.exe)
    Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (mssecsvc.exe)
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
    Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (mssecsvc.exe)
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (mssecsvc.exe)
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{65F9653A-D31C-471E-B15B-0F7F0C085CFC}\WpadDecisionTime = 00a777bcda9fda01 (mssecsvc.exe)
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (mssecsvc.exe)
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (mssecsvc.exe)
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{65F9653A-D31C-471E-B15B-0F7F0C085CFC}\WpadDecisionReason = "1" (mssecsvc.exe)
    Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{65F9653A-D31C-471E-B15B-0F7F0C085CFC}\WpadNetworkName = "Network 3" (mssecsvc.exe)
    Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-bf-a6-c4-70-74\WpadDecisionTime = 00a777bcda9fda01 (mssecsvc.exe)
    Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-bf-a6-c4-70-74\WpadDecision = "0" (mssecsvc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                       pid   process       target process
    PID 1284 wrote to memory of 1752  1284  rundll32.exe  rundll32.exe   (7 identical entries)
    PID 1752 wrote to memory of 2612  1752  rundll32.exe  mssecsvc.exe   (4 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d96a9f2bfe3496c6bb39c3e79f748f5_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1284
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1d96a9f2bfe3496c6bb39c3e79f748f5_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1752
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2612
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2584
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2620
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: f84958c6a860481f0099e57660879d99
  SHA1: 1ec123f80d5e34ef484036657561253e64c87518
  SHA256: fb8039bfbc3f3eb5caaf249650fcb4137a3d9c4249834340d8b75935a4cafc57
  SHA512: d9da7e74dc640ec6ff9f6eb5387e50fcf692f98c577c40c5b60dc44f2e152b170d9294d07062dd3692208570b57737c0be94e9d313fb46b071a6a0317f2abed0
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 39e672852115f1c5301911ebbd72b6e6
  SHA1: bcadcfb65cccb81fc934e1dbf4c749ed0afdcb9b
  SHA256: 03ea5a167ec89a6552eeb1260f52d5803a342b04e3edef04037766dad3a2fde5
  SHA512: e74fed5ac5781e32e9d33b4fbacfc2e051f330e36afb187e550e6828938f5f997f4e0b8d30f90f12364e0c07743a1fcb81fd3c04cd5c7ed1a22f208c0d05bd41