Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 07-05-2024 08:11
Static task: static1
Behavioral task: behavioral1
  Sample: 1ffe76bc279f246fcd03a6e839617804_JaffaCakes118.dll
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 1ffe76bc279f246fcd03a6e839617804_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 1ffe76bc279f246fcd03a6e839617804_JaffaCakes118.dll
Size: 5.0MB
MD5: 1ffe76bc279f246fcd03a6e839617804
SHA1: 1c974418ca7772fd6ad5f6905dab65eae79c552e
SHA256: 9cd4552f57cefe8177df49810e39c6a452a24f4fd6327bc0d704b9ccb4757d51
SHA512: eb6adc535be63f9ddbd05541c2ea542f07a4b6a506fe53548e6ee2ba9b0f448a9051e0a8d4e602f767d06a26a6e0c2731638287bf6900c07d098231e2ff0c278
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhS+Gs:+DqPoBhz1aRxcSUDk36SAEdhS+G
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3286) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  PID  | Process
  2316 | mssecsvc.exe
  2836 | mssecsvc.exe
  2664 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  Description | IoC | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  Description | IoC | Process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
  Description | IoC | Process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7AB79480-A348-4231-A1D0-1A790C64C596}\0e-3b-bb-b0-8e-62 | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7AB79480-A348-4231-A1D0-1A790C64C596}\WpadDecision = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7AB79480-A348-4231-A1D0-1A790C64C596}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3b-bb-b0-8e-62 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3b-bb-b0-8e-62\WpadDecision = "0" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7AB79480-A348-4231-A1D0-1A790C64C596}\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3b-bb-b0-8e-62\WpadDecisionReason = "1" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f004e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7AB79480-A348-4231-A1D0-1A790C64C596} | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7AB79480-A348-4231-A1D0-1A790C64C596}\WpadDecisionTime = c096843856a0da01 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-3b-bb-b0-8e-62\WpadDecisionTime = c096843856a0da01 | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  Description | PID | Process | Target process
  PID 2352 wrote to memory of 2064 | 2352 | rundll32.exe | rundll32.exe
  PID 2352 wrote to memory of 2064 | 2352 | rundll32.exe | rundll32.exe
  PID 2352 wrote to memory of 2064 | 2352 | rundll32.exe | rundll32.exe
  PID 2352 wrote to memory of 2064 | 2352 | rundll32.exe | rundll32.exe
  PID 2352 wrote to memory of 2064 | 2352 | rundll32.exe | rundll32.exe
  PID 2352 wrote to memory of 2064 | 2352 | rundll32.exe | rundll32.exe
  PID 2352 wrote to memory of 2064 | 2352 | rundll32.exe | rundll32.exe
  PID 2064 wrote to memory of 2316 | 2064 | rundll32.exe | mssecsvc.exe
  PID 2064 wrote to memory of 2316 | 2064 | rundll32.exe | mssecsvc.exe
  PID 2064 wrote to memory of 2316 | 2064 | rundll32.exe | mssecsvc.exe
  PID 2064 wrote to memory of 2316 | 2064 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 2352)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1ffe76bc279f246fcd03a6e839617804_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2064)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1ffe76bc279f246fcd03a6e839617804_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2316)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2664)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2836)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 3ee9eebcdffa4128022aaf2393b6ebd9
  SHA1: c1bebfd99486fb32de552827b180b6f63352c1c0
  SHA256: 15643c4a5c65ca8c6f06fe732e06d59a453b05e6def69471c00600ae4a1ef4b3
  SHA512: 738989748901a8111f942fbfa030e1723e1c7a8deab219246d07035142efb8a0e33b3eb1e4859d5dfc2372e5a715d5f2c80c71bfb9c23acceb2bfa51eb947949
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 0d1113f38865045b2a944cb24cc01724
  SHA1: 0ed4ee11890c489fe045536d763816a0006aceaa
  SHA256: c04378df6ff17ae98fb0eaed86d67cda6813b7bb0df2316a1bc8a46cf21f0a10
  SHA512: 9973bee72e2194904adeea6dd496b1d9e13e7aa015aa579a50851ed110fe8efcf4f29613bc732a4ab99e927430845f4b332532caae2a50c04246a98f94a3691d