Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 09-05-2024 23:14
Static task
- static1

Behavioral task
- behavioral1
  Sample: 2c2f910e67c719b5a9b58c19a85409e1_JaffaCakes118.dll
  Resource: win7-20240220-en

Behavioral task
- behavioral2
  Sample: 2c2f910e67c719b5a9b58c19a85409e1_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 2c2f910e67c719b5a9b58c19a85409e1_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 2c2f910e67c719b5a9b58c19a85409e1
- SHA1: 0de249d9881bd73288680c784c7471bbbad4850c
- SHA256: b29dfbe67e3703210820554e11cb2704e731117ba69ec2a45488816b1b46a088
- SHA512: df8e701143ec8b1d832a3309f01e0a320a21a78ebd33ed34f25bad8a905c29f734469e0b1b14780b2e7beb9b8238001ec447b6511164ccc448ecc0ee915e0af8
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593iH:+DqPe1Cxcxk3ZAEUadziH
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- Contacts a large (3270) amount of remote hosts (1 TTP): This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2840  mssecsvc.exe
    2932  mssecsvc.exe
    2564  tasksche.exe
- Creates a large amount of network flows (1 TTP): This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc, process):
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{816325EA-B4ED-4F88-9052-9BA16F58EBF2}  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{816325EA-B4ED-4F88-9052-9BA16F58EBF2}\WpadDecision = "0"  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{816325EA-B4ED-4F88-9052-9BA16F58EBF2}\6a-f5-59-c3-5e-8f  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"  mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0138000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-f5-59-c3-5e-8f\WpadDecisionTime = c01d5eac66a2da01  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-f5-59-c3-5e-8f  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-f5-59-c3-5e-8f\WpadDecision = "0"  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"  mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{816325EA-B4ED-4F88-9052-9BA16F58EBF2}\WpadDecisionTime = c01d5eac66a2da01  mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{816325EA-B4ED-4F88-9052-9BA16F58EBF2}\WpadNetworkName = "Network 3"  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-f5-59-c3-5e-8f\WpadDecisionReason = "1"  mssecsvc.exe
    Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"  mssecsvc.exe
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  mssecsvc.exe
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{816325EA-B4ED-4F88-9052-9BA16F58EBF2}\WpadDecisionReason = "1"  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 2764 wrote to memory of 2096  rundll32.exe -> rundll32.exe
    PID 2764 wrote to memory of 2096  rundll32.exe -> rundll32.exe
    PID 2764 wrote to memory of 2096  rundll32.exe -> rundll32.exe
    PID 2764 wrote to memory of 2096  rundll32.exe -> rundll32.exe
    PID 2764 wrote to memory of 2096  rundll32.exe -> rundll32.exe
    PID 2764 wrote to memory of 2096  rundll32.exe -> rundll32.exe
    PID 2764 wrote to memory of 2096  rundll32.exe -> rundll32.exe
    PID 2096 wrote to memory of 2840  rundll32.exe -> mssecsvc.exe
    PID 2096 wrote to memory of 2840  rundll32.exe -> mssecsvc.exe
    PID 2096 wrote to memory of 2840  rundll32.exe -> mssecsvc.exe
    PID 2096 wrote to memory of 2840  rundll32.exe -> mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 2764)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c2f910e67c719b5a9b58c19a85409e1_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2096)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2c2f910e67c719b5a9b58c19a85409e1_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2840)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2564)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2932)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: a0a2cbcbe38bb69813f79a5314958c40
  SHA1: a5d2df98e071995fb4430b606b3209612f30127a
  SHA256: a15b2406a8955fcabdbf929ccf7163155722205123fd6c064483c00f38ddc6f1
  SHA512: 91303fed6e4e18e6788853df29556b0f61070026f34ca680f65d74279134ecfd7e8b5ba3e3f97e6b0e7fddfdb98dcbd387632ca911afca1ce8c4144adc118999
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: e937be60cf696dce4fa2865ae1db0e24
  SHA1: 762513be11487add747ca26c73feadeff548939f
  SHA256: 48cad3f1d3384b6355d39ca3a459d84d36c7b406487df57bea5175d767c48044
  SHA512: 3992a7034a7ab933d0d223934d9c1e39c37b207ef27190f0b48a42e014a03dc4081e35b87d4dd15a3736940e93eadadddad8ee92aef3f84897e5306d33eed00e