Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
07-05-2024 20:22
Static task
static1
Behavioral task
behavioral1
Sample
219407ddfd792bd58cba6b267ddef3cc_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
219407ddfd792bd58cba6b267ddef3cc_JaffaCakes118.dll
Resource
win10v2004-20240419-en
General
-
Target
219407ddfd792bd58cba6b267ddef3cc_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
219407ddfd792bd58cba6b267ddef3cc
-
SHA1
d5d64075255259f871b68dd1f6c67a5dfac1bb09
-
SHA256
6bb91cc643e06254aea95a04a3660c5ac4906d7a812336d3e13c0c586185005c
-
SHA512
5a3811a7ec1ca207d868701b7964ea6d0d07d5799f9ddd5997803c054a6ae6a6471d1efe50e8df2e689e9bb70e7cbd911b146a20d2f627b9c143c83ce5654c13
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6S9I5c/bXZROAx:+DqPoBhz1aRxcSUDk36SQc/J
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3198) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1708 mssecsvc.exe 2960 mssecsvc.exe 2652 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D3825C1-197E-4328-ACC9-053113537B39} mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D3825C1-197E-4328-ACC9-053113537B39}\WpadDecisionTime = 20c5f653bca0da01 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D3825C1-197E-4328-ACC9-053113537B39}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D3825C1-197E-4328-ACC9-053113537B39}\06-cb-7e-1e-58-a7 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f2000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-cb-7e-1e-58-a7 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D3825C1-197E-4328-ACC9-053113537B39}\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-cb-7e-1e-58-a7\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-cb-7e-1e-58-a7\WpadDecision = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-cb-7e-1e-58-a7\WpadDecisionTime = 20c5f653bca0da01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6D3825C1-197E-4328-ACC9-053113537B39}\WpadDecisionReason = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1676 wrote to memory of 1612 1676 rundll32.exe rundll32.exe PID 1676 wrote to memory of 1612 1676 rundll32.exe rundll32.exe PID 1676 wrote to memory of 1612 1676 rundll32.exe rundll32.exe PID 1676 wrote to memory of 1612 1676 rundll32.exe rundll32.exe PID 1676 wrote to memory of 1612 1676 rundll32.exe rundll32.exe PID 1676 wrote to memory of 1612 1676 rundll32.exe rundll32.exe PID 1676 wrote to memory of 1612 1676 rundll32.exe rundll32.exe PID 1612 wrote to memory of 1708 1612 rundll32.exe mssecsvc.exe PID 1612 wrote to memory of 1708 1612 rundll32.exe mssecsvc.exe PID 1612 wrote to memory of 1708 1612 rundll32.exe mssecsvc.exe PID 1612 wrote to memory of 1708 1612 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\219407ddfd792bd58cba6b267ddef3cc_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\219407ddfd792bd58cba6b267ddef3cc_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1708 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2652
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2960
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5400afff4fe67c41072d656d3407f8be8
SHA1693c3f1b80368b21ef841d43b6ab5aae538c3ecf
SHA256a5394c768777bb735aff3d03d003b2339e647766a4fa45bb254a89385cc737eb
SHA5123f97f3a7bb07ee51e50e7e6c1527660ace75e2e52934fcf83a1b245bd3dde870330bce6a4726e4e759681c9f0ed956a122d8c55a96202e1ac3720f6ddaa5c61e
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD5dd4f1eceb27794a507d5ab787ce90a64
SHA14c1ace4632fb448c4ceb03d87d42a2512f8ec943
SHA256ee3da15414211d673fd5ee868b50cfc69d731431e5fc3148eee0d40e7615c1bd
SHA512f8868cb30abe2240bb9e2221be8a69ab676b8cad9c07486a4b4490ec256bc86d9ba7e40fd1b22c19824b9ad503800166c7fcc33e3f8ae4e26ebb70118bca4869