Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 07-05-2024 15:52
Static task: static1
Behavioral task: behavioral1
- Sample: 20fb99e5ee06c4afe1bd4eec171bace1_JaffaCakes118.dll
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 20fb99e5ee06c4afe1bd4eec171bace1_JaffaCakes118.dll
- Resource: win10v2004-20240419-en
General
- Target: 20fb99e5ee06c4afe1bd4eec171bace1_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 20fb99e5ee06c4afe1bd4eec171bace1
- SHA1: ff53c01bde424fcd95ec55673dc52ae8fd7dbda3
- SHA256: e39393189e4cba9cf191bbef87586e0069555706a0c7fb895fc5aa96b6cb899b
- SHA512: 3faa34d8474d0ba36aab69bb78b72b357a8f49fdcb1fe682a5cb0ba92aba61a1058b778d07d1858446f5e168c75175e662854a4a37320cd8fb92be5a768331d4
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:+DqPoBhz1aRxcSUDk36SA
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3271) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID 1708  mssecsvc.exe
  PID 2292  mssecsvc.exe
  PID 2644  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs; all by mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-c7-31-07-69-65
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6ED4A7A9-AA40-4C5C-8392-62F335D92417}
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6ED4A7A9-AA40-4C5C-8392-62F335D92417}\WpadDecisionReason = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6ED4A7A9-AA40-4C5C-8392-62F335D92417}\WpadDecision = "0"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6ED4A7A9-AA40-4C5C-8392-62F335D92417}\WpadNetworkName = "Network 2"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0036000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-c7-31-07-69-65\WpadDecision = "0"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6ED4A7A9-AA40-4C5C-8392-62F335D92417}\WpadDecisionTime = c08dd79496a0da01
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6ED4A7A9-AA40-4C5C-8392-62F335D92417}\92-c7-31-07-69-65
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-c7-31-07-69-65\WpadDecisionTime = c08dd79496a0da01
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\92-c7-31-07-69-65\WpadDecisionReason = "1"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 3024 rundll32.exe wrote to memory of PID 2044 rundll32.exe (7 times)
  PID 2044 rundll32.exe wrote to memory of PID 1708 mssecsvc.exe (4 times)
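The "contacts a large amount of remote hosts" and "creates a large amount of network flows" signatures above are count heuristics: one source touching far more distinct destinations than a normal client would in a short span. The following Python is an added example of that heuristic over flow records, not the sandbox's own signature logic. It keeps a sliding time window per (source, destination port) and reports the peak number of distinct destination hosts seen inside any window, which separates a fast sweep from a host that merely talks to many servers over a long time. All flow records are constructed; the report does not list destination ports, so the use of 445 and the IP ranges below are assumptions.

```python
from collections import defaultdict


def scan_candidates(flows, threshold=100, window=60.0):
    """Return {(src, dport): peak_distinct_dst} for every source that reached more
    than `threshold` distinct destination hosts on one port within any span of
    `window` seconds. Each flow is a dict with keys ts, src, dst, dport."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f["src"], f["dport"])].append((f["ts"], f["dst"]))

    hits = {}
    for key, items in by_key.items():
        items.sort()                     # chronological per (src, dport)
        in_window = defaultdict(int)     # dst -> flows currently inside the window
        left = 0
        peak = 0
        for ts, dst in items:
            in_window[dst] += 1
            # Advance the left edge until the window spans at most `window` seconds.
            while ts - items[left][0] > window:
                old = items[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            hits[key] = peak
    return hits


def build_sample_flows():
    """Constructed traffic (not from the report): one sweeper, one slow enumerator
    that never has many hosts inside a single window, and a benign HTTPS client."""
    flows = []
    # Sweeper: 200 distinct hosts on port 445 (assumed) within 20 seconds.
    for i in range(200):
        flows.append({"ts": i * 0.1, "src": "10.0.0.5", "dst": f"10.0.1.{i + 1}", "dport": 445})
    # Slow enumerator: 150 distinct hosts, one per minute, so at most 2 per 60 s window.
    for i in range(150):
        flows.append({"ts": i * 60.0, "src": "10.0.0.9", "dst": f"10.0.2.{i + 1}", "dport": 445})
    # Benign client: 300 connections to the same five servers.
    for i in range(300):
        flows.append({"ts": i * 0.5, "src": "10.0.0.7", "dst": f"203.0.113.{i % 5 + 1}", "dport": 443})
    return flows


if __name__ == "__main__":
    for (src, dport), peak in scan_candidates(build_sample_flows()).items():
        print(f"{src} reached {peak} distinct hosts on port {dport} inside one window")
```

The threshold and window are tuning knobs; with the sandbox's figure of 3271 contacted hosts in a 150 second run, a default of 100 hosts per minute is conservative. Lowering the threshold to 1 shows why the window matters: the slow enumerator peaks at 2 and the benign client at 5, while the sweeper still peaks at 200.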
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\20fb99e5ee06c4afe1bd4eec171bace1_JaffaCakes118.dll,#1
  PID: 3024
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\20fb99e5ee06c4afe1bd4eec171bace1_JaffaCakes118.dll,#1
    PID: 2044
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1708
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2644
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2292
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 75d29b4c42c3446195a58da94bc8e1c9
  SHA1: 502fb283de541d6e1d7e147b480b4f913275c77c
  SHA256: 2c859bb494ac66062b63679f8d5c9e5fd7285f2082fd4f7800cd0a9f47fa017c
  SHA512: c354cdd17cb2ded6bf970921825434e973d12dacdfcf3d1e9ca1a71e06fa5cbe5abaa020005fa817573b8e7c444e51aa225404fd55f30c801096989a6eb7d5a7
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 34a9bc66714e9db424d98ee3738b29a2
  SHA1: cb9134040dd0ecde5e0931bcf2a4d734a69826c3
  SHA256: 09c7e447292743f5d2a41e7ba65e20492e92a8a3e7a8d60b67d9c1c24389750f
  SHA512: d0b7c0ebdce80b8e1c41321a06d6b050ee92963ddc2df9128b8565f8fd1dcb6c6c64de32b47a5afe3adfa9d3155afc775daf2a9d09cfb526920d02adbcad4c6c
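The process tree and the Downloads section together give a host-side detection story: the 64-bit rundll32.exe invokes export #1 of a DLL in the user's Temp directory and hands off to the SysWOW64 copy (the normal behaviour when a 32-bit DLL is passed to the 64-bit rundll32), the 32-bit rundll32.exe writes C:\WINDOWS\mssecsvc.exe and launches it, mssecsvc.exe drops and runs tasksche.exe /i, and a second mssecsvc.exe instance runs with "-m security". The following Python is an added example, not part of the report or of any sandbox, that checks Sysmon-style process-creation records against that chain and maps file hashes to the two dropped binaries. The event records are constructed to mirror the report's tree: image paths, PIDs and command lines are taken from the report, while the parent PIDs of the two root processes (1200 and 500) and the notepad.exe noise event are assumptions.

```python
import re

# Hashes of the two dropped files, as listed in the report's Downloads section.
DROPPED_FILE_IOCS = {
    r"C:\Windows\mssecsvc.exe": {
        "md5": "75d29b4c42c3446195a58da94bc8e1c9",
        "sha1": "502fb283de541d6e1d7e147b480b4f913275c77c",
        "sha256": "2c859bb494ac66062b63679f8d5c9e5fd7285f2082fd4f7800cd0a9f47fa017c",
    },
    r"C:\Windows\tasksche.exe": {
        "md5": "34a9bc66714e9db424d98ee3738b29a2",
        "sha1": "cb9134040dd0ecde5e0931bcf2a4d734a69826c3",
        "sha256": "09c7e447292743f5d2a41e7ba65e20492e92a8a3e7a8d60b67d9c1c24389750f",
    },
}
DROPPED_PATHS = {p.lower() for p in DROPPED_FILE_IOCS}

# Constructed process-creation events mirroring the report's process tree.
# Parent PIDs 1200 and 500 and the notepad.exe event are assumptions.
EVENTS = [
    {"pid": 3024, "ppid": 1200, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\20fb99e5ee06c4afe1bd4eec171bace1_JaffaCakes118.dll,#1"},
    {"pid": 2044, "ppid": 3024, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\20fb99e5ee06c4afe1bd4eec171bace1_JaffaCakes118.dll,#1"},
    {"pid": 1708, "ppid": 2044, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 2644, "ppid": 1708, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 2292, "ppid": 500, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    {"pid": 4100, "ppid": 1200, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# rundll32 invoking an export by ordinal from a DLL under the user's Temp directory.
TEMP_DLL_EXPORT = re.compile(r"\\appdata\\local\\temp\\[^ ]+\.dll,#\d+")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid, by_pid):
    """Yield the parent, grandparent, ... records of pid; stops at unknown or cyclic PIDs."""
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid]["ppid"]
        if parent not in by_pid:
            return
        yield by_pid[parent]
        pid = parent


def detect(events):
    """Return (pid, reason) pairs for events that match the launch chain in the report."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = basename(e["image"])
        image = e["image"].lower()
        cmd = e["cmdline"].lower()
        # Stage 0: rundll32.exe running an export of a DLL dropped in %TEMP%.
        if name == "rundll32.exe" and TEMP_DLL_EXPORT.search(cmd):
            hits.append((e["pid"], "rundll32.exe runs a DLL export from %TEMP%"))
        # Stages 1-2: a dropped binary with rundll32.exe anywhere in its ancestry.
        if image in DROPPED_PATHS and any(basename(a["image"]) == "rundll32.exe"
                                         for a in ancestors(e["pid"], by_pid)):
            hits.append((e["pid"], f"{name} spawned beneath rundll32.exe"))
        # Stage 2: tasksche.exe /i started directly by mssecsvc.exe.
        if name == "tasksche.exe" and cmd.endswith(" /i"):
            parent = by_pid.get(e["ppid"])
            if parent and basename(parent["image"]) == "mssecsvc.exe":
                hits.append((e["pid"], "tasksche.exe /i started by mssecsvc.exe"))
        # Stage 3: the second mssecsvc.exe instance, launched with -m security.
        if name == "mssecsvc.exe" and "-m security" in cmd:
            hits.append((e["pid"], "mssecsvc.exe started with -m security"))
    return hits


def known_dropped_hash(hexdigest):
    """Map an MD5/SHA1/SHA256 hex digest (any case) to the dropped file it belongs to, else None."""
    h = hexdigest.strip().lower()
    for path, hashes in DROPPED_FILE_IOCS.items():
        if h in hashes.values():
            return path
    return None


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(f"PID {pid}: {reason}")
```

The ancestry walk is what lets the rule survive the 64-bit to 32-bit rundll32 hand-off: mssecsvc.exe (PID 1708) is a grandchild of the original rundll32.exe, and tasksche.exe (PID 2644) is three levels down, so a parent-only check would miss both. The second mssecsvc.exe (PID 2292) has no rundll32.exe ancestor in the report's tree and is caught by its command line alone.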