Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 10-05-2024 23:23
Static task: static1
Behavioral task: behavioral1
- Sample: 318ef9cfc9a05e31a05bf1ec3c2b2109_JaffaCakes118.dll
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 318ef9cfc9a05e31a05bf1ec3c2b2109_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 318ef9cfc9a05e31a05bf1ec3c2b2109_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 318ef9cfc9a05e31a05bf1ec3c2b2109
- SHA1: c1eb85e5f6692f062242b5959f44d8b26e616833
- SHA256: 865b10d9b9e7469d6f48b2a488da995a311c6875ee23d946e0c90cab7bbce773
- SHA512: e0d6a5083e09854d6255c60d71201d5822e080725c14464328254fd43562257407aa6ae8405f0eb00cc3c332d2b21f966490d7ecbccb72a7aa2876a6a6cc5ad7
- SSDEEP: 24576:zbLgddQhfdmMSirYbcMNgef0U6SASk+Kdq/:znAQqMSPbcBVU6SAA
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3281) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 2968: mssecsvc.exe
  - PID 2148: mssecsvc.exe
  - PID 2716: tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes:
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs, all written by mssecsvc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (PID, source process, target process):
  - PID 2888 wrote to memory of 2952 (rundll32.exe -> rundll32.exe)
  - PID 2888 wrote to memory of 2952 (rundll32.exe -> rundll32.exe)
  - PID 2888 wrote to memory of 2952 (rundll32.exe -> rundll32.exe)
  - PID 2888 wrote to memory of 2952 (rundll32.exe -> rundll32.exe)
  - PID 2888 wrote to memory of 2952 (rundll32.exe -> rundll32.exe)
  - PID 2888 wrote to memory of 2952 (rundll32.exe -> rundll32.exe)
  - PID 2888 wrote to memory of 2952 (rundll32.exe -> rundll32.exe)
  - PID 2952 wrote to memory of 2968 (rundll32.exe -> mssecsvc.exe)
  - PID 2952 wrote to memory of 2968 (rundll32.exe -> mssecsvc.exe)
  - PID 2952 wrote to memory of 2968 (rundll32.exe -> mssecsvc.exe)
  - PID 2952 wrote to memory of 2968 (rundll32.exe -> mssecsvc.exe)
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\rundll32.exe (PID 2888)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\318ef9cfc9a05e31a05bf1ec3c2b2109_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2952)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\318ef9cfc9a05e31a05bf1ec3c2b2109_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2968)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2716)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2148)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files)
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 389c073a096bc2d1b08729365cf82802
  SHA1: 46235da95b5877eeb65bc230297ab3dd400d238a
  SHA256: be01cb362759e1d821227542dbb9358e962e62198881b83d86e29eb21d116f54
  SHA512: 2c906dda9dff934474118582301dc586c13abe9666754b0d16333e8925f3bc6e7f22401e94c7e3e9584924b37b14024604285d26517201ced97e063cf8c9ec7b
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 1a46563038a0cb83090bae987da31a82
  SHA1: 414ff3501b8f7f31e41b2543a7c2d0256fe783d7
  SHA256: 7547a90d72937e374589301b3da01af5d9a962e0548d9615df7f13b1c2b1baca
  SHA512: 6dbb12754321127c640340f2fd586f6a4f36fec88f32973e3f69818752ac8ee727404acaf5a689edd5b8b007358a40c90e00e34472c73b25e84502d07ed8fb77