Analysis

max time kernel: 150s
max time network: 156s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 07-05-2024 10:31
Static task: static1

Behavioral task: behavioral1
  Sample: 20520a36e7273a3b6128369fa72c1aa7_JaffaCakes118.dll
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 20520a36e7273a3b6128369fa72c1aa7_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General

Target: 20520a36e7273a3b6128369fa72c1aa7_JaffaCakes118.dll
Size: 5.0MB
MD5: 20520a36e7273a3b6128369fa72c1aa7
SHA1: 02276c660f3622a32ed8c5ba9cd42a42269e2a17
SHA256: 05db4f6d2715f067d3b212bbbd91aafc4a6d66316ddd6e7e4a523f31841b4bc3
SHA512: bcb2aa934e58f3f48c59dcf3c24ea41de1e83510382d790cd5b152161b037ee27c59bb546cbc82e0933782d8d0761a808ff9ce00fa9883907e7d7f677a6111f4
SSDEEP: 98304:TDqPoBhzPyqRxcSUDk36SAEdhvxWa9P593RzPfwo:TDqPeaSxcxk3ZAEUadzRLfw
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3232) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid  | process
    2040 | mssecsvc.exe
    1116 | mssecsvc.exe
    1968 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    description | ioc | process
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-1c-77-23-85-b9 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{393578DA-4BD2-4131-B9A6-26075EF3E721} | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{393578DA-4BD2-4131-B9A6-26075EF3E721}\WpadDecisionTime = 70fb9fd669a0da01 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{393578DA-4BD2-4131-B9A6-26075EF3E721}\WpadDecision = "0" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{393578DA-4BD2-4131-B9A6-26075EF3E721}\WpadNetworkName = "Network 3" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-1c-77-23-85-b9\WpadDecisionReason = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-1c-77-23-85-b9\WpadDecision = "0" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0089000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{393578DA-4BD2-4131-B9A6-26075EF3E721}\WpadDecisionReason = "1" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{393578DA-4BD2-4131-B9A6-26075EF3E721}\be-1c-77-23-85-b9 | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-1c-77-23-85-b9\WpadDecisionTime = 70fb9fd669a0da01 | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description | pid | process | target process
    PID 2336 wrote to memory of 1680 | 2336 | rundll32.exe | rundll32.exe
    PID 2336 wrote to memory of 1680 | 2336 | rundll32.exe | rundll32.exe
    PID 2336 wrote to memory of 1680 | 2336 | rundll32.exe | rundll32.exe
    PID 2336 wrote to memory of 1680 | 2336 | rundll32.exe | rundll32.exe
    PID 2336 wrote to memory of 1680 | 2336 | rundll32.exe | rundll32.exe
    PID 2336 wrote to memory of 1680 | 2336 | rundll32.exe | rundll32.exe
    PID 2336 wrote to memory of 1680 | 2336 | rundll32.exe | rundll32.exe
    PID 1680 wrote to memory of 2040 | 1680 | rundll32.exe | mssecsvc.exe
    PID 1680 wrote to memory of 2040 | 1680 | rundll32.exe | mssecsvc.exe
    PID 1680 wrote to memory of 2040 | 1680 | rundll32.exe | mssecsvc.exe
    PID 1680 wrote to memory of 2040 | 1680 | rundll32.exe | mssecsvc.exe
Processes

[depth 1] C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\20520a36e7273a3b6128369fa72c1aa7_JaffaCakes118.dll,#1
  PID: 2336
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\20520a36e7273a3b6128369fa72c1aa7_JaffaCakes118.dll,#1
    PID: 1680
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2040
      - Executes dropped EXE
      - Drops file in Windows directory

      [depth 4] C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 1968
        - Executes dropped EXE

[depth 1] C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1116
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Windows\mssecsvc.exe
  Filesize: 448KB
  MD5: 28e3300eab6717ad6c82b806b3c2ed5b
  SHA1: 57a039778942f4bcf552a1f6fe026f5d95743740
  SHA256: 3926aa857d3ed3395fb57da8a0936e250b05609af999d82b64c5526eff276d3e
  SHA512: dbb51ec27cb2d139f6ceb6cac2f1381a4ab1383bd08cde61964bef657addd2073e65494c01605f429238cfe31c591461fd648980541afaf643d801753696fb5a

- C:\Windows\tasksche.exe
  Filesize: 576KB
  MD5: e8c39c862793599459a8bc39ccd156ec
  SHA1: d5f2d7b50dad156c5ee015ecafb70a67d20975fb
  SHA256: 171ab324ad9d258ab2036302aa944d23e4184d35b5a48ab171a09dd46e1eb8ba
  SHA512: c2d448f84fb6b35213bb1aa1dff4ae0571982c7f3efc1f21921602ec54f9f2cfef56ffaf8a13bdcd981c41ed6149c7eb28fc0d7ecd8592266b164a7e25f962b8