Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 07-05-2024 10:38
Static task: static1
Behavioral task: behavioral1
- Sample: 2056acb40efe2135577dd836f22211af_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2056acb40efe2135577dd836f22211af_JaffaCakes118.dll
- Resource: win10v2004-20240419-en
General
- Target: 2056acb40efe2135577dd836f22211af_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 2056acb40efe2135577dd836f22211af
- SHA1: bde4378795cbaadf5334302231e29eb283df8040
- SHA256: 5667b84da3c323b2a49477e46476adfaaf4c76bc05f9d6ca1102a22f8610213e
- SHA512: 0147b9a2b774549cdcb5b61790185c7dc63065778ced80eaed3e8ad4790aaaef1a940baf8d829852b28a1031cfd05053c38b57dc47625ab68eb4bc26af686691
- SSDEEP: 49152:SnAQqMSPbcBVQej/Pd7+KnT2becwT6DGMIBHuLZyLUcRhRt/IbmwW6VH:+DqPoBhzPwKSbevWSdOLZSPebdWgH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3129) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    2028  mssecsvc.exe
    2544  mssecsvc.exe
    2592  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes:
    Description | IoC | Process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description | IoC | Process
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Process: mssecsvc.exe (all 24 entries below)
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB11FAEB-9F3A-46BA-9E6F-59FBED2ED9EE}\WpadDecisionReason = "1"
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB11FAEB-9F3A-46BA-9E6F-59FBED2ED9EE}\WpadDecisionTime = 20cba2c16aa0da01
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-e5-93-0e-bb-31
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-e5-93-0e-bb-31\WpadDecisionReason = "1"
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-e5-93-0e-bb-31\WpadDecisionTime = 20cba2c16aa0da01
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0122000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-e5-93-0e-bb-31\WpadDecision = "0"
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB11FAEB-9F3A-46BA-9E6F-59FBED2ED9EE}\WpadNetworkName = "Network 3"
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB11FAEB-9F3A-46BA-9E6F-59FBED2ED9EE}
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB11FAEB-9F3A-46BA-9E6F-59FBED2ED9EE}\WpadDecision = "0"
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB11FAEB-9F3A-46BA-9E6F-59FBED2ED9EE}\02-e5-93-0e-bb-31
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    Count | Description | PID | Process | Target process
    7 | PID 1132 wrote to memory of 2012 | 1132 | rundll32.exe | rundll32.exe
    4 | PID 2012 wrote to memory of 2028 | 2012 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 1132)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2056acb40efe2135577dd836f22211af_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2012)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2056acb40efe2135577dd836f22211af_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2028)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2592)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2544)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 286d8c40788a6aa2aedfa32d3fa82856
  SHA1: 42324794ed0d6a0c9132c72510d10e74cc118454
  SHA256: 1f18d12690e66c2a0c2ec0ac2587af2b86aaf50cb2121aef0f35103455b24909
  SHA512: d7527450702940cdfbfa7e227cebcd7bc0f93ccb5ae1547302f580bdd0b18f6a7f2ff3c3d58d80dfbf490df6c8c42176a74b09ec3d54bd1bda0403419a7de2e8
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: e147d2da9ea975e83cd1d0d7a022f6a4
  SHA1: 34a7b1f8ca82bbf1448b2ae91c1bae829d5ba5ce
  SHA256: f273246e265b855856790bc036c9a23089a5289ce75645af5936d6e5c99bdddc
  SHA512: 0ea7d55ea6af2035125ff3626a1a95c903e51ec165ed45ede9f4032683115927d142c3ce3ffefcae8248de9a6a9f59a87c728326b045f18ef86d5036f284b638
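The report's signatures (the network-scan heuristic "Contacts a large amount of remote hosts"), its process tree (rundll32.exe -> mssecsvc.exe -> tasksche.exe /i, and the separate mssecsvc.exe -m security launch) and the dropped-file hashes above are the kind of evidence a detection engineer turns into rules. The following is an added example written for this page, not code from the sandbox vendor or from the report: it replays constructed process and flow telemetry that mirrors the report's tree through three checks (parent-chain match, per-process distinct-host fan-out, hash match against the Downloads hashes). PIDs, command lines and hashes are taken from the report; the parent PIDs 1000 and 500 for the two roots, the attribution of the scan flows to PID 2544, the benign PID 3000, the destination addresses and the fan-out threshold of 100 are assumptions.

```python
"""Added example: replay sandbox-style telemetry against the behaviours this
report flags. Not part of the sandbox report or of any vendor's tooling."""
from collections import defaultdict
from dataclasses import dataclass

# SHA256 values of the two dropped files, as listed in the report's Downloads section.
KNOWN_DROPPED_SHA256 = {
    "1f18d12690e66c2a0c2ec0ac2587af2b86aaf50cb2121aef0f35103455b24909": r"C:\Windows\mssecsvc.exe",
    "f273246e265b855856790bc036c9a23089a5289ce75645af5936d6e5c99bdddc": r"C:\Windows\tasksche.exe",
}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Flow:
    pid: int
    dst: str
    dport: int


def image_name(path: str) -> str:
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from `pid` up to the root, following ppid links (cycle-safe)."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def wannacry_chain_hits(events):
    """Match the chain shown in the report: rundll32.exe -> mssecsvc.exe ->
    tasksche.exe /i, plus the separate 'mssecsvc.exe -m security' launch."""
    hits = []
    for e in events:
        name = image_name(e.image)
        parents = ancestry(events, e.pid)[1:]      # ancestors only, self excluded
        argv = e.cmdline.lower().split()
        if name == "mssecsvc.exe" and "rundll32.exe" in parents:
            hits.append((e.pid, "mssecsvc.exe spawned under rundll32.exe"))
        if name == "tasksche.exe" and "/i" in argv and "mssecsvc.exe" in parents:
            hits.append((e.pid, "tasksche.exe /i spawned under mssecsvc.exe"))
        if name == "mssecsvc.exe" and "-m" in argv and "security" in argv:
            hits.append((e.pid, "mssecsvc.exe -m security launch"))
    return hits


def host_fanout(flows, threshold=100):
    """Distinct destination hosts per PID; keep only PIDs at or above threshold.
    The report's 'Contacts a large amount of remote hosts' is this kind of count."""
    hosts = defaultdict(set)
    for f in flows:
        hosts[f.pid].add(f.dst)
    return {pid: len(h) for pid, h in hosts.items() if len(h) >= threshold}


def match_dropped_hashes(observed):
    """observed: {path_on_host: sha256}. Return paths whose hash is a report IoC."""
    return {p: KNOWN_DROPPED_SHA256[h] for p, h in observed.items() if h in KNOWN_DROPPED_SHA256}


# Constructed telemetry mirroring the report's process tree. PIDs and command lines
# come from the report; parent PIDs 1000 and 500 for the two roots are assumed (the
# report does not show what started them), and PID 3000 is assumed benign noise.
DLL = r"C:\Users\Admin\AppData\Local\Temp\2056acb40efe2135577dd836f22211af_JaffaCakes118.dll"
SAMPLE_EVENTS = [
    ProcEvent(1132, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(2012, 1132, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(2028, 2012, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(2592, 2028, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcEvent(2544, 500, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    ProcEvent(3000, 1000, r"C:\Windows\explorer.exe", "explorer.exe"),
]
# Constructed flows: 150 distinct hosts attributed (by assumption) to PID 2544, plus one benign flow.
SAMPLE_FLOWS = [Flow(2544, f"10.0.0.{i}", 445) for i in range(150)] + [Flow(3000, "10.0.0.5", 443)]

if __name__ == "__main__":
    for pid, why in wannacry_chain_hits(SAMPLE_EVENTS):
        print(f"chain hit: pid={pid} {why}")
    print("fan-out:", host_fanout(SAMPLE_FLOWS))
    print("hash hits:", match_dropped_hashes(
        {r"C:\WINDOWS\mssecsvc.exe": "1f18d12690e66c2a0c2ec0ac2587af2b86aaf50cb2121aef0f35103455b24909"}))
```

The chain rule walks the full ancestry rather than checking only the immediate parent, so the 32-bit rundll32.exe hop the report shows (system32 rundll32.exe re-launching SysWOW64 rundll32.exe) does not break the match. The fan-out threshold is a tuning knob: the report saw 3129 hosts, but on a real host the right value depends on the baseline of the process being watched.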