Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07-05-2024 01:48

Static task: static1

Behavioral task: behavioral1 (the results below are from this run)
- Sample: 1f07ba6cd1e615b4db669c37e636a5e7_JaffaCakes118.dll
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 1f07ba6cd1e615b4db669c37e636a5e7_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 1f07ba6cd1e615b4db669c37e636a5e7_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 1f07ba6cd1e615b4db669c37e636a5e7
- SHA1: 85476ac2880923def8337cf59d7c1fa7fe13f0b1
- SHA256: b9012d5f9586f7d4c78daebc34a541fe05d6777fecb389fe1b16874183c3e99f
- SHA512: 0e5d2ad8518af0321a905eae0ca1d075e87b99c2ac1c226b9791b57be82c38f7aead038218b17a7ac92d89fe7f8a5eb16679674745b41ca6868ae273152e64bc
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6S:+DqPoBhz1aRxcSUDk36S
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm: it encrypts files on the infected host and spreads on its own over SMB (TCP 445) to other Windows machines.
- Contacts a large (3233) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services. For this family it is the SMB spreader in mssecsvc.exe sweeping the local subnet and random Internet addresses for port 445.
- Executes dropped EXE (3 IoCs)
  PID 872   mssecsvc.exe
  PID 2580  mssecsvc.exe
  PID 2660  tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
- Modifies data under HKEY_USERS (24 IoCs)
  All 24 entries were written by mssecsvc.exe (PID 2580, the -m security instance). Every path is under \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings; the entries below are relative to that key.
  Key created: Internet Settings (the key itself; two events)
  Key created: ZoneMap\
  Key created: Connections
  Key created: Wpad
  Key created: Wpad\{FEAC6D9A-C531-4A4D-92BF-FAF0CD7575BF}
  Key created: Wpad\{FEAC6D9A-C531-4A4D-92BF-FAF0CD7575BF}\36-28-e3-ae-44-9e
  Key created: Wpad\36-28-e3-ae-44-9e
  Set value (data): Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data): Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0084000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data): Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int): ProxyEnable = "0"
  Set value (int): ZoneMap\UNCAsIntranet = "0"
  Set value (int): ZoneMap\AutoDetect = "1"
  Set value (str): 5.0\Cache\Content\CachePrefix
  Set value (str): 5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str): 5.0\Cache\History\CachePrefix = "Visited:"
  Set value (int): Wpad\{FEAC6D9A-C531-4A4D-92BF-FAF0CD7575BF}\WpadDecisionReason = "1"
  Set value (int): Wpad\{FEAC6D9A-C531-4A4D-92BF-FAF0CD7575BF}\WpadDecision = "0"
  Set value (data): Wpad\{FEAC6D9A-C531-4A4D-92BF-FAF0CD7575BF}\WpadDecisionTime = 20cbfaa420a0da01
  Set value (str): Wpad\{FEAC6D9A-C531-4A4D-92BF-FAF0CD7575BF}\WpadNetworkName = "Network 3"
  Set value (int): Wpad\36-28-e3-ae-44-9e\WpadDecisionReason = "1"
  Set value (int): Wpad\36-28-e3-ae-44-9e\WpadDecision = "0"
  Set value (data): Wpad\36-28-e3-ae-44-9e\WpadDecisionTime = 20cbfaa420a0da01
  These are the keys WinINet writes when it initialises and runs WPAD proxy auto-detection for the calling account; they land under .DEFAULT because the service instance runs as LocalSystem. They show the sample used WinINet for an HTTP request (WannaCry's kill-switch domain check is made this way) and are not a persistence or configuration change by the malware itself.
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1440 (rundll32.exe) wrote to memory of PID 2368 (rundll32.exe): 7 events
  PID 2368 (rundll32.exe) wrote to memory of PID 872 (mssecsvc.exe): 4 events
  Both pairs are parent and child at process creation (see the process tree), so in this report the signature records the launch chain rather than injection into an unrelated process.
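The two network signatures above rest on one heuristic: a single process opening connections to an unusually large number of distinct destinations in a short time. The following is an added example, not part of the sandbox report, showing that heuristic as a sliding-window detector run over constructed flow records. The record layout, the 60-second window, the 100-host threshold and the parent PIDs are assumptions; port 445 is used because WannaCry's spreader targets SMB, although the report's own Network section carries no port data.

```python
"""Fan-out detector behind "contacts a large number of remote hosts".

Added example, not from the report. FLOWS is constructed: the record
layout, the 60 s window, the 100-host threshold and the use of TCP 445
are assumptions (445 because WannaCry's spreader targets SMB; the
report's Network section shows no port data).
"""
import ipaddress
from collections import defaultdict


def _build_flows():
    base = 1_700_000_000.0          # arbitrary epoch seconds (assumption)
    flows = []
    # Fast sweep: 300 distinct hosts on 445 within 15 s, one every 50 ms.
    for i in range(1, 301):
        flows.append({"ts": base + i * 0.05, "pid": 2580, "image": "mssecsvc.exe",
                      "dst": str(ipaddress.IPv4Address("10.0.0.0") + i), "dport": 445})
    # Slow sweep: 150 hosts, one every 2 s, to show what a short window hides.
    for i in range(1, 151):
        flows.append({"ts": base + i * 2.0, "pid": 999, "image": "slow.exe",
                      "dst": str(ipaddress.IPv4Address("192.168.0.0") + i), "dport": 445})
    # Benign: a browser hitting the same three hosts 50 times each on 443.
    for i in range(150):
        flows.append({"ts": base + i * 0.1, "pid": 3000, "image": "browser.exe",
                      "dst": f"203.0.113.{i % 3 + 1}", "dport": 443})
    return flows


FLOWS = _build_flows()


def max_distinct_in_window(records, window):
    """records: list of (ts, dst) sorted by ts. Returns the largest number of
    distinct dst seen among records whose ts lies within `window` seconds
    of some later record."""
    counts = {}
    left = 0
    best = 0
    for ts, dst in records:
        counts[dst] = counts.get(dst, 0) + 1
        # Evict records that fell out of the window ending at ts.
        while records[left][0] < ts - window:
            old = records[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def fanout_alerts(flows, window=60.0, threshold=100):
    """One alert per (pid, image, dport) whose distinct-destination count
    within any `window`-second span reaches `threshold`."""
    by_key = defaultdict(list)
    for f in sorted(flows, key=lambda f: f["ts"]):
        by_key[(f["pid"], f["image"], f["dport"])].append((f["ts"], f["dst"]))
    alerts = []
    for (pid, image, dport), recs in by_key.items():
        n = max_distinct_in_window(recs, window)
        if n >= threshold:
            alerts.append({"pid": pid, "image": image, "dport": dport,
                           "distinct_hosts": n})
    return alerts


if __name__ == "__main__":
    for a in fanout_alerts(FLOWS):
        print(a)
```

With the defaults only the fast sweep fires (300 hosts); the slow sweep never has more than 31 distinct hosts inside any 60-second window, so the window length is an evasion knob for the attacker. Running the same data with window=600 catches both sweeps, which is why a long-window count over the same key is worth keeping beside the short one.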
Processes
C:\Windows\system32\rundll32.exe (PID 1440)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f07ba6cd1e615b4db669c37e636a5e7_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 2368)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1f07ba6cd1e615b4db669c37e636a5e7_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID 872)
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe (PID 2660)
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe (PID 2580)
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

Reading the tree: the DLL is invoked through rundll32 by ordinal export (#1). The 64-bit rundll32.exe under system32 (PID 1440) relaunches the 32-bit copy under SysWOW64 (PID 2368), which is what rundll32 does when handed a 32-bit DLL on x64 (the resource tags list both arch:x64 and arch:x86). The 32-bit instance writes C:\WINDOWS\mssecsvc.exe and runs it (PID 872), which writes and runs C:\WINDOWS\tasksche.exe /i, the encryption component. The second mssecsvc.exe (PID 2580, -m security) has no parent in the tree, consistent with WannaCry installing mssecsvc.exe as a Windows service; that instance performs the SMB scanning and the HKEY_USERS\.DEFAULT writes listed under Signatures.
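The chain above (rundll32 by ordinal, dropped mssecsvc.exe, tasksche.exe /i, mssecsvc.exe -m security) is what a process-creation detection should key on. The following is an added example, not part of the sandbox report or any vendor rule set: a small detector over constructed process-creation events built from the tree's PIDs and command lines. The event field names, the parent PIDs of the two top-level processes (1000 and 480), the benign noise event and the rule patterns are assumptions.

```python
"""Flag the WannaCry execution chain in process-creation events.

Added example, not part of the sandbox report. EVENTS is constructed from
the report's process tree; the parent PIDs of the two top-level processes
(1000 and 480), the event field names, the notepad.exe noise event and the
rule patterns are assumptions.
"""
import ntpath
import re

DLL = r"C:\Users\Admin\AppData\Local\Temp\1f07ba6cd1e615b4db669c37e636a5e7_JaffaCakes118.dll"

EVENTS = [
    {"pid": 1440, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 2368, "ppid": 1440, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 872, "ppid": 2368, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 2660, "ppid": 872, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 2580, "ppid": 480, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    # Constructed benign noise that must not match.
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]


def _base(image):
    """Lower-cased file name of a Windows path (ntpath handles backslashes
    on any host OS)."""
    return ntpath.basename(image).lower()


# Each rule is (name, predicate over one event). The patterns come from what
# this report shows for the sample, not from a vendor rule set.
RULES = [
    ("rundll32 loading a DLL by ordinal export from a user Temp directory",
     lambda e: _base(e["image"]) == "rundll32.exe"
     and re.search(r"\\AppData\\Local\\Temp\\[^\s]+\.dll,#\d+", e["cmdline"], re.I) is not None),
    ("dropped mssecsvc.exe run from the Windows directory",
     lambda e: ntpath.normcase(e["image"]) == ntpath.normcase(r"C:\Windows\mssecsvc.exe")),
    ("mssecsvc.exe started as the service instance (-m security)",
     lambda e: _base(e["image"]) == "mssecsvc.exe"
     and re.search(r"\s-m\s+security\b", e["cmdline"], re.I) is not None),
    ("tasksche.exe /i install stage",
     lambda e: _base(e["image"]) == "tasksche.exe"
     and re.search(r"\s/i\b", e["cmdline"], re.I) is not None),
]


def detect(events):
    """Return one finding per (event, rule) match."""
    return [{"pid": e["pid"], "image": e["image"], "rule": name}
            for e in events for name, pred in RULES if pred(e)]


def ancestry(events, pid):
    """Walk ppid links back until the parent is not in the event set."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain


def chains(events):
    """Map each flagged PID to its ancestry so the analyst sees the whole
    path, e.g. tasksche.exe <- mssecsvc.exe <- rundll32.exe <- rundll32.exe."""
    return {f["pid"]: ancestry(events, f["pid"]) for f in detect(events)}


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f'{f["pid"]:>5}  {f["rule"]}')
    for pid, chain in chains(EVENTS).items():
        print(pid, "<-".join(str(p) for p in chain[1:]) or "(top level)")
```

The ancestry walk is what separates the two mssecsvc.exe instances: PID 872 traces back through both rundll32 processes to the DLL load, while PID 2580 has no recorded parent, matching the service-started instance in the tree.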
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 5bcb3ac0bd827c0336dc10e02c89009d
  SHA1: 2c5fc51b0e5e927783b059b4b509a827ec7f8874
  SHA256: 9d9d27aa15122f626ef58a94f2a9a4529a3c5a49e1efbf0df6d9b1e1cba8c9e5
  SHA512: d335761ac4582659451a20bea4a35f8a2331a7a07b2e3d275b83de26f21b6011f35d116f42ed71c18b377b83a7210f09256362bbe672b907f7e72c4cfa4c7c3f
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: db73e31441cfcb4e3df4f90abf93be58
  SHA1: cec5b1d186ac29e9de354232e7ced75cfaa7dbcc
  SHA256: ec7921ced5b4b6e1a2466938f5bbbcb37bdbe3e18231bfe474829619427a46a2
  SHA512: 9469b87f95b82afc2b17843cc120585dd4e915bb560fa69e40a54cb752392a339181bfa6923783c63e418ffcef6ed661ff7fc7689828a13732a540c788642861