Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 09-05-2024 00:00
Static task
- static1
Behavioral task
- behavioral1
  Sample: 27554181da0fcc076c77efa2a38b4c0a_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 27554181da0fcc076c77efa2a38b4c0a_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 27554181da0fcc076c77efa2a38b4c0a_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 27554181da0fcc076c77efa2a38b4c0a
- SHA1: 272f3944342dd99f9774b1399a6e40c1db65ebcb
- SHA256: 34bad26f44899f682f3d85b1c860d1189656f982988013a9d80d4870f2167d1d
- SHA512: a523d9a9acc0d973edfd5d1fd2c49ccb28f5a46ac1e70c9fb01c97005a3aeff76d0c9caf38c7040d81d2af3b406d0aef6957ce695a7ca96975512939048c6fa1
- SSDEEP: 49152:SnAQqMSPbcBVQej/ZXvxJM0H9PAMEcaEau3R8yAH1plAH:+DqPoBhzZ/xWa9P593R8yAVp2H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3191) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid | process
  2812 | mssecsvc.exe
  2680 | mssecsvc.exe
  2720 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6BFDCCE9-4896-4725-8020-FB8D3C52EE1E} | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6BFDCCE9-4896-4725-8020-FB8D3C52EE1E}\WpadDecision = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6BFDCCE9-4896-4725-8020-FB8D3C52EE1E}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6BFDCCE9-4896-4725-8020-FB8D3C52EE1E}\5e-15-e7-ce-c4-81 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-15-e7-ce-c4-81\WpadDecisionTime = e0f1e8e1a3a1da01 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6BFDCCE9-4896-4725-8020-FB8D3C52EE1E}\WpadDecisionTime = e0f1e8e1a3a1da01 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6BFDCCE9-4896-4725-8020-FB8D3C52EE1E}\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-15-e7-ce-c4-81\WpadDecision = "0" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-15-e7-ce-c4-81 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-15-e7-ce-c4-81\WpadDecisionReason = "1" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 2992 wrote to memory of 2076 | 2992 | rundll32.exe | rundll32.exe (7 entries)
  PID 2076 wrote to memory of 2812 | 2076 | rundll32.exe | mssecsvc.exe (4 entries)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27554181da0fcc076c77efa2a38b4c0a_JaffaCakes118.dll,#1
  Depth: 1
  - Suspicious use of WriteProcessMemory
  PID: 2992
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\27554181da0fcc076c77efa2a38b4c0a_JaffaCakes118.dll,#1
    Depth: 2
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2076
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Depth: 3
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2812
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Depth: 4
        - Executes dropped EXE
        PID: 2720
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Depth: 1
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2680
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 47485294e0abede12affc7da1f594fd6
  SHA1: 909400149ac9f5c08816abe316caa1265d4313ae
  SHA256: b14cd140975fd128812555116bcb650122adc840ae51e21913022a91192125ef
  SHA512: 8f5fb7a988335357c08bfce0ce8f6fd8aeec7532d4025c59d86cecb283bb7df8ec4cee8b1b5774a9b05e998d74ec4bbe6ee3cd73b4adade94fd943a48e69fd82
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: ca1f60f9db09427ff802c34917f70adc
  SHA1: cfdbcf44248476d52b55b1950e3edeeb0f5b5073
  SHA256: 90994a01b9937d3351397c4dbf0b352383ac083f1a5b5270bc911d99c9f9b152
  SHA512: 7fcd812c2d17cfbdf30d8343a1876e66bd273bbf2a927e9ca53e6b2cb2f4576add11d70b81ba9f20aa60a6a86b4a7aaac359b516bfb27160476b5d4d04d681ca