Analysis
max time kernel: 150s
max time network: 151s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 08-05-2024 23:16
Static task: static1
Behavioral task: behavioral1
  Sample: 272c2091af2a86707aad37c311833152_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 272c2091af2a86707aad37c311833152_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 272c2091af2a86707aad37c311833152_JaffaCakes118.dll
Size: 5.0MB
MD5: 272c2091af2a86707aad37c311833152
SHA1: 24dc6608fcda83c32386154231c5f317442bf054
SHA256: 61fb253b656b4ec88782baaf9e8e741e32789dce3ced825e65edafc0a060cc09
SHA512: ab87f2093012314d4d17fcd70bec10ab1b7d1651917651dca6949aa0b40c97395f86a6353a126e4dd0e6f972dcd3411295c560ebb7414fb9772b5889dd014b95
SSDEEP: 12288:yebLgPlu+QhMbaIMu7L5NVEr7CgNt1F0vnwqYYcIOzidenqEAqb:zbLgddQhfdmMKkqYYLZW
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.
Contacts a large number (3212) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
  PID   Process
  2104  mssecsvc.exe
  2800  mssecsvc.exe
  2792  tasksche.exe
Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  (process: mssecsvc.exe)
Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\mssecsvc.exe  (process: rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe  (process: mssecsvc.exe)
Modifies data under HKEY_USERS (24 IoCs, all by mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-85-34-25-b8-aa\WpadDecisionTime = 600699d59da1da01
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0093000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A07C9476-AC17-43B9-84F9-BB4F24E05F94}
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A07C9476-AC17-43B9-84F9-BB4F24E05F94}\WpadDecisionTime = 600699d59da1da01
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A07C9476-AC17-43B9-84F9-BB4F24E05F94}\WpadNetworkName = "Network 3"
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-85-34-25-b8-aa
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A07C9476-AC17-43B9-84F9-BB4F24E05F94}\2e-85-34-25-b8-aa
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-85-34-25-b8-aa\WpadDecisionReason = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\2e-85-34-25-b8-aa\WpadDecision = "0"
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A07C9476-AC17-43B9-84F9-BB4F24E05F94}\WpadDecisionReason = "1"
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A07C9476-AC17-43B9-84F9-BB4F24E05F94}\WpadDecision = "0"
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1300 (rundll32.exe) wrote to memory of PID 2180 (rundll32.exe): 7 events
  PID 2180 (rundll32.exe) wrote to memory of PID 2104 (mssecsvc.exe): 4 events
Processes
C:\Windows\system32\rundll32.exe  (PID 1300)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\272c2091af2a86707aad37c311833152_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe  (PID 2180)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\272c2091af2a86707aad37c311833152_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe  (PID 2104)
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe  (PID 2792)
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe  (PID 2800)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
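The signatures and the process tree above describe a chain that can be expressed as detection logic: rundll32.exe loading the submitted DLL by export ordinal (",#1") from the user's Temp directory, that rundll32 writing into a second rundll32 and starting C:\WINDOWS\mssecsvc.exe, mssecsvc.exe launching tasksche.exe /i and later running as "mssecsvc.exe -m security", and a process contacting thousands of distinct remote hosts. The Python below is an added example, not part of the sandbox report. It runs four rules over Sysmon-style process-creation and network events; the constructed sample events reuse the PIDs, images and command lines from the report, while the parent PID of the service instance, the attribution of the 3212-host fan-out to PID 2800, the scanned addresses and the 100-host threshold are assumptions.

```python
import re
from collections import defaultdict

# Assumption: a floor well below the 3212 distinct hosts the sandbox saw, but above what an
# ordinary workstation process touches in one run.
HOST_THRESHOLD = 100

# rundll32 loading a DLL by export ordinal (",#N") from a user Temp directory, as in the report.
ORDINAL_LOAD = re.compile(
    r"rundll32(?:\.exe)?\s+\S+\\(?:appdata\\local\\temp|temp)\\[^\s,]+\.dll,#\d+", re.I)
# An image sitting directly under C:\Windows (where mssecsvc.exe and tasksche.exe were dropped).
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)
# The two dropped-binary command lines the process tree shows.
KNOWN_CMDLINES = (
    re.compile(r"\\mssecsvc\.exe\s+-m\s+security\s*$", re.I),
    re.compile(r"\\tasksche\.exe\s+/i\s*$", re.I),
)


def detect(events):
    """Return (rule, pid) alerts for a list of event dicts.

    Event shapes (Sysmon-like, simplified):
      {"kind": "process", "pid", "ppid", "image", "cmdline"}
      {"kind": "network", "pid", "dst_ip"}
    """
    procs = {e["pid"]: e for e in events if e["kind"] == "process"}
    remote_hosts = defaultdict(set)
    alerts = []
    for e in events:
        if e["kind"] == "process":
            # R1: ordinal load of a Temp-resident DLL through rundll32.
            if ORDINAL_LOAD.search(e["cmdline"]):
                alerts.append(("R1_rundll32_ordinal_temp_dll", e["pid"]))
            # R2: a rundll32 that itself matched R1 started an EXE directly under C:\Windows
            # (the drop-and-execute step: PID 2180 -> C:\WINDOWS\mssecsvc.exe).
            parent = procs.get(e["ppid"])
            if (parent is not None
                    and ORDINAL_LOAD.search(parent["cmdline"])
                    and WINDOWS_ROOT_EXE.match(e["image"])):
                alerts.append(("R2_temp_dll_rundll32_spawns_windows_root_exe", e["pid"]))
            # R3: the exact service / installer invocations seen in the tree.
            if any(p.search(e["cmdline"]) for p in KNOWN_CMDLINES):
                alerts.append(("R3_known_dropped_exe_cmdline", e["pid"]))
        elif e["kind"] == "network":
            remote_hosts[e["pid"]].add(e["dst_ip"])
    # R4: per-process fan-out, the "contacts a large number of remote hosts" signature.
    for pid, hosts in sorted(remote_hosts.items()):
        if len(hosts) > HOST_THRESHOLD:
            alerts.append(("R4_remote_host_fanout", pid))
    return alerts


def sample_events():
    """Constructed events mirroring the report's process tree; not sandbox output."""
    dll = r"C:\Users\Admin\AppData\Local\Temp\272c2091af2a86707aad37c311833152_JaffaCakes118.dll"
    ev = [
        {"kind": "process", "pid": 1300, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
         "cmdline": f"rundll32.exe {dll},#1"},
        {"kind": "process", "pid": 2180, "ppid": 1300, "image": r"C:\Windows\SysWOW64\rundll32.exe",
         "cmdline": f"rundll32.exe {dll},#1"},
        {"kind": "process", "pid": 2104, "ppid": 2180, "image": r"C:\WINDOWS\mssecsvc.exe",
         "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
        {"kind": "process", "pid": 2792, "ppid": 2104, "image": r"C:\WINDOWS\tasksche.exe",
         "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
        # Service instance; parent PID 480 is an assumed services.exe, not in the report.
        {"kind": "process", "pid": 2800, "ppid": 480, "image": r"C:\WINDOWS\mssecsvc.exe",
         "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    ]
    # 3212 distinct constructed addresses attributed to PID 2800 (the report does not say which
    # process did the scanning; this attribution is an assumption).
    ev += [{"kind": "network", "pid": 2800, "dst_ip": f"10.0.{i // 256}.{i % 256}"}
           for i in range(3212)]
    return ev


if __name__ == "__main__":
    for rule, pid in detect(sample_events()):
        print(f"{rule}: pid {pid}")
```

R2 deliberately requires the parent rundll32 to have matched R1 rather than flagging every rundll32 child, which keeps ordinary control-panel or shell32 invocations out of the alert stream; R4 counts distinct destination addresses per PID rather than flow count, so a chatty process talking to one server does not trip it.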
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: a14940982d106793db3fe9ff40ce8715
  SHA1: 838065abf69b9227f1439da90e70fbcea80f8c72
  SHA256: 52bd0d456735ce4f4e54e219e28717061fefc18ec25df16d1b267ce64a1c1bf9
  SHA512: f6442e0317b691e35e8d27772b614595f1b28a5f7e3256a9c001c186e6a408f5eacc7f78c5d0a7d6e326038f296cdf7bbcefb924ad8b83941374e45510282734
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: e3ebe4b64382f80797bb8acfde1dd60e
  SHA1: e4d63cc604e6b917c4f337e5def6e192b4251a39
  SHA256: cc70de3779ee5c15815f7d8a47eedae8acf61d63b72576fae707da658d6859d0
  SHA512: 2641b36546170cd308c279ce94da99dfec425641fd2c8d3fcbc29f8a9256bb8b021ad18d4245661c5b69cc8ff4f488772d9d2a942dea6fbc038a5572f6670630
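The hashes of the two dropped executables above, together with the submitted DLL's hashes from the General section, are what an responder would sweep a disk for. As an added example, not part of the sandbox report: a Python routine that hashes every file under a root once with MD5, SHA-1 and SHA-256 and matches any of the three against the report's values (so a feed that carries only one algorithm still works), with a weaker name-only match for the two dropped file names. Because the real samples are not shipped here, demo() builds a constructed, non-malicious fixture in a temporary directory and registers that fixture's SHA-256 as an extra IoC; the "constructed_sample" label and the fixture contents are assumptions.

```python
import hashlib
import os
import tempfile

# Copied from the report: the submitted DLL and the two executables it drops under C:\Windows.
IOCS = {
    "272c2091af2a86707aad37c311833152_JaffaCakes118.dll": {
        "md5": "272c2091af2a86707aad37c311833152",
        "sha1": "24dc6608fcda83c32386154231c5f317442bf054",
        "sha256": "61fb253b656b4ec88782baaf9e8e741e32789dce3ced825e65edafc0a060cc09",
    },
    "mssecsvc.exe": {
        "md5": "a14940982d106793db3fe9ff40ce8715",
        "sha1": "838065abf69b9227f1439da90e70fbcea80f8c72",
        "sha256": "52bd0d456735ce4f4e54e219e28717061fefc18ec25df16d1b267ce64a1c1bf9",
    },
    "tasksche.exe": {
        "md5": "e3ebe4b64382f80797bb8acfde1dd60e",
        "sha1": "e4d63cc604e6b917c4f337e5def6e192b4251a39",
        "sha256": "cc70de3779ee5c15815f7d8a47eedae8acf61d63b72576fae707da658d6859d0",
    },
}
# File names the process tree shows being created; a name-only hit is weaker than a hash hit.
DROPPED_NAMES = {"mssecsvc.exe", "tasksche.exe"}


def index_iocs(iocs):
    """Invert {label: {algo: hex}} into {(algo, hex): label} so each digest lookup is O(1)."""
    return {(algo, digest.lower()): label
            for label, digests in iocs.items() for algo, digest in digests.items()}


def hash_file(path, chunk=1 << 20):
    """One read pass, three digests; chunked so large files never need to fit in memory."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {algo: h.hexdigest() for algo, h in hashers.items()}


def scan(root, iocs=IOCS):
    """Walk root; return one dict per hit with match == "hash" or "name"."""
    index = index_iocs(iocs)
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                digests = hash_file(path)
            except OSError:
                continue  # unreadable, or removed between listing and open
            matched = {algo: index[(algo, d)] for algo, d in digests.items() if (algo, d) in index}
            if matched:
                hits.append({"path": path, "match": "hash",
                             "label": ", ".join(sorted(set(matched.values()))),
                             "algos": sorted(matched)})
            elif name.lower() in DROPPED_NAMES:
                hits.append({"path": path, "match": "name", "label": name.lower(), "algos": []})
    return hits


def demo():
    """Constructed fixture (not malware): one file whose SHA-256 is registered as an extra IoC,
    one benign file that merely reuses the dropped name tasksche.exe, one unrelated file.
    Returns the hits keyed by file name."""
    payload = b"constructed sample content, not malware\n"
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("sample.bin", payload),
                           ("tasksche.exe", b"MZ placeholder, benign\n"),
                           ("notes.txt", b"nothing to see\n")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        iocs = dict(IOCS)  # shallow copy; the report's table is left untouched
        iocs["constructed_sample"] = {"sha256": hashlib.sha256(payload).hexdigest()}
        return {os.path.basename(h["path"]): h for h in scan(d, iocs)}


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name}: {hit['match']} match -> {hit['label']} {hit['algos']}")
```

Point scan() at a mounted image or a live C:\Windows to use the report's values as-is; a name-only hit on mssecsvc.exe or tasksche.exe with no hash match means a different build than the one analysed here, which is worth pulling rather than dismissing.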