Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 08-05-2024 20:23
Static task: static1
Behavioral task: behavioral1
  Sample: 269322b335e4e231129fbbc8928843ce_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 269322b335e4e231129fbbc8928843ce_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
Target: 269322b335e4e231129fbbc8928843ce_JaffaCakes118.dll
Size: 5.0MB
MD5: 269322b335e4e231129fbbc8928843ce
SHA1: ef8b5a9e759de887d517b737fec7cc8cc170fbb9
SHA256: 0044e04af55e740a58b3684dd927b95a14f7b7bc3abc22ba11dafefa348de058
SHA512: b6501f27966d645db90ee4ae2c2d9844c2c4186a4dcc7238ad955c49a6cc2aef7ae65f6f051ea8d67459f8a03f270e80423baa2c1ef6a5d517f37aaa38c6ab62
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P59:+DqPe1Cxcxk3ZAEUad
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3111) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid | process
  1260 | mssecsvc.exe
  3048 | mssecsvc.exe
  2556 | tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes: mssecsvc.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: mssecsvc.exe, rundll32.exe
  description | ioc | process
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-1d-ac-c2-a1-15\WpadDecisionTime = 70657c9185a1da01 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-1d-ac-c2-a1-15\WpadDecision = "0" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53}\WpadDecisionReason = "1" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-1d-ac-c2-a1-15 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9a-1d-ac-c2-a1-15\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53}\WpadDecision = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53} | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53}\WpadDecisionTime = 70657c9185a1da01 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{85BC396E-56CE-4E7F-A676-F38F04CBFC53}\9a-1d-ac-c2-a1-15 | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 2060 wrote to memory of 2760 | 2060 | rundll32.exe | rundll32.exe
  PID 2060 wrote to memory of 2760 | 2060 | rundll32.exe | rundll32.exe
  PID 2060 wrote to memory of 2760 | 2060 | rundll32.exe | rundll32.exe
  PID 2060 wrote to memory of 2760 | 2060 | rundll32.exe | rundll32.exe
  PID 2060 wrote to memory of 2760 | 2060 | rundll32.exe | rundll32.exe
  PID 2060 wrote to memory of 2760 | 2060 | rundll32.exe | rundll32.exe
  PID 2060 wrote to memory of 2760 | 2060 | rundll32.exe | rundll32.exe
  PID 2760 wrote to memory of 1260 | 2760 | rundll32.exe | mssecsvc.exe
  PID 2760 wrote to memory of 1260 | 2760 | rundll32.exe | mssecsvc.exe
  PID 2760 wrote to memory of 1260 | 2760 | rundll32.exe | mssecsvc.exe
  PID 2760 wrote to memory of 1260 | 2760 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\269322b335e4e231129fbbc8928843ce_JaffaCakes118.dll,#1
  PID: 2060
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\269322b335e4e231129fbbc8928843ce_JaffaCakes118.dll,#1
    PID: 2760
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1260
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2556
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 3048
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: a4a0d0acde8a7bd947043ed7a15be4ac
  SHA1: bfa29be48c3d837989fff26225f93d18a62f0bb9
  SHA256: bda20a1896bb26b43d1e2dc04207e033c1fa8e5bbe05b1e5d779450634afaa1a
  SHA512: b3f5342fc6564cb65dc9e097d6438834ee0586973717c8e7659a693c22708dc88d98b6186423c823d11a1f24bc972d90e634a7985be49c4d1aa98ebddcad5576
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 5dbd99dcb1e13fef32132534e4f1770f
  SHA1: 0d7d1c89e2da9602c9279b6e8454292fec0ab61f
  SHA256: 1d80cb4c8ad9b72dbdeaee37b76f385cbef663c69338cb965dfffee6190d2f00
  SHA512: 83e077241955817e403d7d018632c90fc73b2865030ba9b449707e3718d484653e051767805f02809087d9f8f639a87fece54c61f04fe8e6ded9563496b489c4