Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
09-05-2024 18:49
Static task
static1
Behavioral task
behavioral1
Sample
2b6274ffff415749e57c77a8cbeba089_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2b6274ffff415749e57c77a8cbeba089_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
2b6274ffff415749e57c77a8cbeba089_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
2b6274ffff415749e57c77a8cbeba089
-
SHA1
aae04c554a19bd76b4723bb33d8da16a581a8910
-
SHA256
059b2ace75416d0c63953cef256feb92b2d70dfc248c70e2100732829a8f8273
-
SHA512
967a1e2edcc12a5249ecdaeb6f95245157b63e66ccb900fa76b430e2c97894e469f18507dea657681ec781246d87b7d6c171e237c7a831f83fdf1f37a9cd9f12
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAjgKM6yLx2+UO:+DqPoBhz1aRxcSUDk36SAaM6
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3195) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 2268 mssecsvc.exe 2680 mssecsvc.exe 2592 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2F260255-2E8C-4814-B1A6-ED404ED14016}\d6-eb-17-fc-7a-1c mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0080000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2F260255-2E8C-4814-B1A6-ED404ED14016}\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-eb-17-fc-7a-1c mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2F260255-2E8C-4814-B1A6-ED404ED14016} mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-eb-17-fc-7a-1c\WpadDecisionTime = d080fa9e41a2da01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2F260255-2E8C-4814-B1A6-ED404ED14016}\WpadDecision = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2F260255-2E8C-4814-B1A6-ED404ED14016}\WpadNetworkName = "Network 3" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-eb-17-fc-7a-1c\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-eb-17-fc-7a-1c\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2F260255-2E8C-4814-B1A6-ED404ED14016}\WpadDecisionTime = d080fa9e41a2da01 mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1736 wrote to memory of 1708 1736 rundll32.exe rundll32.exe PID 1736 wrote to memory of 1708 1736 rundll32.exe rundll32.exe PID 1736 wrote to memory of 1708 1736 rundll32.exe rundll32.exe PID 1736 wrote to memory of 1708 1736 rundll32.exe rundll32.exe PID 1736 wrote to memory of 1708 1736 rundll32.exe rundll32.exe PID 1736 wrote to memory of 1708 1736 rundll32.exe rundll32.exe PID 1736 wrote to memory of 1708 1736 rundll32.exe rundll32.exe PID 1708 wrote to memory of 2268 1708 rundll32.exe mssecsvc.exe PID 1708 wrote to memory of 2268 1708 rundll32.exe mssecsvc.exe PID 1708 wrote to memory of 2268 1708 rundll32.exe mssecsvc.exe PID 1708 wrote to memory of 2268 1708 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2b6274ffff415749e57c77a8cbeba089_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\2b6274ffff415749e57c77a8cbeba089_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2268 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2592
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2680
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5463bb30fc2e8131b7985540f964d9117
SHA16e60430952d0654faf3de6257f892685df1fcc77
SHA2563ffe70a250fba5e95b0ab39b88cbe86676cf9307defee95f9cbdfe198856164b
SHA512250b70788f80fcdf867b213a63e186860c73b34b005fa6ea075453af931a1cd038b71f4f1c95c2c8c8c60def00aef89b29a724c7845c4887315ab88f6f9d5a03
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD5fb434349b6e1732394fbf54eba084367
SHA1d478c194c35a2c4f51301350218c568439f75516
SHA256a79d32d0f232dc130dfae183b56a8c2bad5ab69c14d85df3fb303b3a4f896311
SHA512d2dfe407ff946d7a3bd50f846a0e05654b9c15111dbd0ed7f07e7341f850d3471748b571a2d476db0bc37e8ed5e5b22638d2cff735a1c62bd5f48abd8328ec62