Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 10-05-2024 03:00
Static task: static1
Behavioral task: behavioral1
- Sample: 2d04879574db0fa7bab32ab742d87132_JaffaCakes118.dll
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 2d04879574db0fa7bab32ab742d87132_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 2d04879574db0fa7bab32ab742d87132_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 2d04879574db0fa7bab32ab742d87132
- SHA1: 6c9002b88f564e3f294c84e2578ad2e453f0eafd
- SHA256: b7cd6dd1c7f50335f963579cdf4edf9757a6eaad7315008de9ac356df50d308a
- SHA512: 2001b30e210bceba9db40206b19d351ca92293a4d70b8775e9a4abc8626eb2ee8256aa0d2693a0a5f40aed195adec9c29efbf705b2986ace613590639b0e960a
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8y:+DqPe1Cxcxk3ZAEUadzR8y
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3302) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid  | process
    2184 | mssecsvc.exe
    3016 | mssecsvc.exe
    2600 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description | ioc | process
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
    description | ioc | process
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecision = "0" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadNetworkName = "Network 3" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecision = "0" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\a2-48-c5-91-63-73 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionReason = "1" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = b03cb94a86a2da01 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82} | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionReason = "1" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = b03cb94a86a2da01 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0054000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description | pid | process | target process
    PID 1540 wrote to memory of 2316 | 1540 | rundll32.exe | rundll32.exe
    PID 1540 wrote to memory of 2316 | 1540 | rundll32.exe | rundll32.exe
    PID 1540 wrote to memory of 2316 | 1540 | rundll32.exe | rundll32.exe
    PID 1540 wrote to memory of 2316 | 1540 | rundll32.exe | rundll32.exe
    PID 1540 wrote to memory of 2316 | 1540 | rundll32.exe | rundll32.exe
    PID 1540 wrote to memory of 2316 | 1540 | rundll32.exe | rundll32.exe
    PID 1540 wrote to memory of 2316 | 1540 | rundll32.exe | rundll32.exe
    PID 2316 wrote to memory of 2184 | 2316 | rundll32.exe | mssecsvc.exe
    PID 2316 wrote to memory of 2184 | 2316 | rundll32.exe | mssecsvc.exe
    PID 2316 wrote to memory of 2184 | 2316 | rundll32.exe | mssecsvc.exe
    PID 2316 wrote to memory of 2184 | 2316 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 1540, depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d04879574db0fa7bab32ab742d87132_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2316, depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2d04879574db0fa7bab32ab742d87132_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2184, depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2600, depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 3016, depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 0948f520863398a0d4b3cd9729959949
  SHA1: cd68bada66aaff82ff1b1b6576505b3025c4f65a
  SHA256: 5f270030cb7982ede1a2e56b38224c21d332ea99f2183a1919e8230c6fd5a1df
  SHA512: 77d9d9cf8041348a97ba4768efcfac87a4af6f276aa32d7032b77f6ceed06cfe0e7d89c6645c5170ada4d4272b8d1e826c3a38598f41400fb2fd46676ca3d957
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: f28e5ab4c2321dcf913e49901334185d
  SHA1: ed968091ba6aac5902e700657bd3dc6cc4d0f2d5
  SHA256: 244c9c4cb0dca8d74f3eaae6383c27458acc4eac9f39f3ad77badfd96e7f0daa
  SHA512: 25fd0c1ae39160c86fe2f0a0abcda44be6e1c4f919f60d2d937372f2537c18054b11c9f786b517496256484506ddee83a234295305c619f7fef83282a4cf7945