Analysis
-
max time kernel: 147s
max time network: 155s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 08-05-2024 23:17
Static task: static1
Behavioral task: behavioral1
  Sample: 272c3e75b5b82f20d63cca13f0ab815a_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 272c3e75b5b82f20d63cca13f0ab815a_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
-
Target
272c3e75b5b82f20d63cca13f0ab815a_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
272c3e75b5b82f20d63cca13f0ab815a
-
SHA1
c98828bdd1fe78a44562fdb983b79763cd1017e1
-
SHA256
7800a081014b43a591969d71dd49157ba3babace87a39d143120e82c677927d6
-
SHA512
6018b2819116d8c13dfa41a92095c19e5826936ed5a43868db2e4ac2e09d0aa67a26615d8a36142632d54401645936cf03c7243d7ee3ff3db0abe501d33fb5ca
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQ:+DqPoBhz1aRxcSUDk
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3302) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
1880 | mssecsvc.exe
2512 | mssecsvc.exe
2616 | tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes:
description | ioc | process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
-
Modifies data under HKEY_USERS 24 IoCs
Processes:
description | ioc | process
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadDecisionReason = "1" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\42-35-df-dc-3d-6b | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDecisionTime = c0c810e69da1da01 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDecision = "0" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f007a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511} | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadDecisionTime = c0c810e69da1da01 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadDecision = "0" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6DEFC3CB-1B7E-4923-BBD6-B2FEC944D511}\WpadNetworkName = "Network 3" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\42-35-df-dc-3d-6b\WpadDecisionReason = "1" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
description | pid | process | target process
PID 2248 wrote to memory of 2168 | 2248 | rundll32.exe | rundll32.exe
PID 2248 wrote to memory of 2168 | 2248 | rundll32.exe | rundll32.exe
PID 2248 wrote to memory of 2168 | 2248 | rundll32.exe | rundll32.exe
PID 2248 wrote to memory of 2168 | 2248 | rundll32.exe | rundll32.exe
PID 2248 wrote to memory of 2168 | 2248 | rundll32.exe | rundll32.exe
PID 2248 wrote to memory of 2168 | 2248 | rundll32.exe | rundll32.exe
PID 2248 wrote to memory of 2168 | 2248 | rundll32.exe | rundll32.exe
PID 2168 wrote to memory of 1880 | 2168 | rundll32.exe | mssecsvc.exe
PID 2168 wrote to memory of 1880 | 2168 | rundll32.exe | mssecsvc.exe
PID 2168 wrote to memory of 1880 | 2168 | rundll32.exe | mssecsvc.exe
PID 2168 wrote to memory of 1880 | 2168 | rundll32.exe | mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exe
  command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\272c3e75b5b82f20d63cca13f0ab815a_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2248
  C:\Windows\SysWOW64\rundll32.exe
    command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\272c3e75b5b82f20d63cca13f0ab815a_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2168
    C:\WINDOWS\mssecsvc.exe
      command: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 1880
      C:\WINDOWS\tasksche.exe
        command: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2616
-
C:\WINDOWS\mssecsvc.exe
  command: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2512
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 7ea7b09c6dea9bbbdaabd503bd6ad8a3
  SHA1: 2d13042c833b6195f83e72bf35777ac296a33511
  SHA256: 7aa94713a0fcd8cb24b324d4e1f16388c0745855097802574417239e4b3b429b
  SHA512: 07b16147c11079e34f06da1b0b79118cc49f68ff9d7f7dbb4272a33213e2e3a107a557b642abb566b1c2b11809383f7f7d90b26da58b94ca3f60a0e881871bbd
-
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 2bf26b644c7b4e283f66ac695d89a3d5
  SHA1: 28e6b6ae553529d751e432a84a890588c5b86689
  SHA256: dc8a91ed1eb77f2dce2f71533b43cd0322e5b64e83152823b147756187f6b1f2
  SHA512: 8ac3056a82eb422ace8323e6b5f005bf65641f60357fc05dd55cbad73d4e18aa35a43fb6215a68ac27c0e0f877e4f88f0133c6c61ac86d50e00fcaf8e89bc9ab