Analysis
max time kernel: 150s
max time network: 152s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 09-05-2024 04:48
Static task: static1
Behavioral task: behavioral1
  Sample: 285de344496b980a31918cad9a86f137_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 285de344496b980a31918cad9a86f137_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
Target: 285de344496b980a31918cad9a86f137_JaffaCakes118.dll
Size: 5.0MB
MD5: 285de344496b980a31918cad9a86f137
SHA1: adab4a24cb035dbaf13893d5add1c3fe5c239ec9
SHA256: db3fc98ce1e5cdcdccbf9a38ef80cbe981c6d4a1db8582f51af5c0e70e0cd412
SHA512: 95c4d44d7a181037916f4de6654a42bf8c8e3c3785982ad63b351d527a47ab6958be5e77d5ad9b0c019111767856fd7142a44249ce0e1af62bc576d2afe99dc7
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9a3R8yAVp2H:+DqPe1Cxcxk3ZAEUaKR8yc4H
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.
Contacts a large (3313) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid   process
    1704  mssecsvc.exe
    3004  mssecsvc.exe
    2764  tasksche.exe
Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
    description                   ioc                                                                                                               process
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat   mssecsvc.exe
Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    pid   process       target pid  target process  occurrences
    1740  rundll32.exe  1744        rundll32.exe    7
    1744  rundll32.exe  1704        mssecsvc.exe    4
Processes
C:\Windows\system32\rundll32.exe (PID 1740)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\285de344496b980a31918cad9a86f137_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 1744)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\285de344496b980a31918cad9a86f137_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID 1704)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      C:\WINDOWS\tasksche.exe (PID 2764)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
C:\WINDOWS\mssecsvc.exe (PID 3004)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: cab3a0f4bffc2c1633161801fc460c88
  SHA1: 3a29eb71f099baee4df40f1dcbb22d295a7a1c4d
  SHA256: a0c4e2f12e757b99bfcdf32d5565ac6565cad192e928039e099ea3c449163b8c
  SHA512: f1c44a53d6451dde40d10cf9e57c0eb20b067dc692994ef805d3b91784b71eda108afda5c39670ca6d7057adf8124020d6329bf1570c5dd0a37394c40ea0ced5
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: d987c9e070a2d68dc4600bd2dba8cd73
  SHA1: 045958fd381435430ac74e9f8e5a1d2ab0eefa96
  SHA256: 50444f56abf32a732beeb910f2851cf74551317f2435ed87c15432d551952c0d
  SHA512: c7e9637b70a36d053c68ddff15e478f3d12b7eb7bccb703986f91a26b0cabb70ed1ba27a553886e8d9e998ec98be55ad73f2ac97c92c745e633b7b0530d9c9cb