Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 10-05-2024 09:40

Static task: static1

Behavioral task: behavioral1
- Sample: 2e81b88e80f28aec66d7cd5133ecc2f9_JaffaCakes118.dll
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 2e81b88e80f28aec66d7cd5133ecc2f9_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 2e81b88e80f28aec66d7cd5133ecc2f9_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 2e81b88e80f28aec66d7cd5133ecc2f9
- SHA1: 94035e850ee7a618473d53c2f592895f654600b0
- SHA256: 543b7b9393bd9202177b9ab87b27351818c8ad497a4c98eac678cb893f2a66b0
- SHA512: 9d94bc5d0a1d685c06d1bd4eed74fb0f47c8de65b71bbd010e93f708f8d8e9214e27697d35a5ce3c91e610a192d6f68f327477a7e3abb80d5e2104a0b27ade72
- SSDEEP: 98304:+DqPoB5xcSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPGxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- Contacts a large (3124) amount of remote hosts (1 TTPs): This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 2504 mssecsvc.exe
  - 2672 mssecsvc.exe
  - 2688 tasksche.exe
- Creates a large amount of network flows (1 TTPs): This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc, process; all entries by mssecsvc.exe):
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-09-9d-ae-27-bc\WpadDecisionReason = "1"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{859CD7CC-650D-4F1A-8F81-0CDC4EE12EF0}\WpadDecision = "0"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-09-9d-ae-27-bc
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{859CD7CC-650D-4F1A-8F81-0CDC4EE12EF0}
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{859CD7CC-650D-4F1A-8F81-0CDC4EE12EF0}\WpadDecisionReason = "1"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-09-9d-ae-27-bc\WpadDecisionTime = b0a97223bea2da01
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (no value recorded)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{859CD7CC-650D-4F1A-8F81-0CDC4EE12EF0}\WpadDecisionTime = b0a97223bea2da01
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{859CD7CC-650D-4F1A-8F81-0CDC4EE12EF0}\f6-09-9d-ae-27-bc
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f6-09-9d-ae-27-bc\WpadDecision = "0"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{859CD7CC-650D-4F1A-8F81-0CDC4EE12EF0}\WpadNetworkName = "Network 3"
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  - PID 2036 wrote to memory of 2900: rundll32.exe -> rundll32.exe (recorded 7 times)
  - PID 2900 wrote to memory of 2504: rundll32.exe -> mssecsvc.exe (recorded 4 times)
Processes (process tree; indentation shows parent/child)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e81b88e80f28aec66d7cd5133ecc2f9_JaffaCakes118.dll,#1
  PID: 2036
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2e81b88e80f28aec66d7cd5133ecc2f9_JaffaCakes118.dll,#1
    PID: 2900
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2504
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2688
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2672
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 8f7cb9b5f1ee6834427ce656255ba45c
  SHA1: 7fa33d93126aeef2c30659dc83d5aeaaf1aa0e49
  SHA256: 760417e8a56f54d22ed1dbd170dd33868a0c332d197b1c16fe47b89269528717
  SHA512: d7a3d574fecb7e45b7d82d53f22c45e20179c6d7aa0d2eb0970380a8188f369a2c0214aa76bf66128f315a7d3365a0189ca940929bc9580a3e3db01c07cb0835
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 618f30960ee31b3f9433b9b994786487
  SHA1: 3b5b43220ab723eb7f9aaa5c9a2b542ee07ec07d
  SHA256: b28dca71a461f588bc8ccbe32831c9750864c6c20c8ead15027d43e0242efa9e
  SHA512: 46b892cf875df79750b9fa996ce4484bfdd4cc21a8850b0ea5b31a008fcd276f2d52523ac5534d416a434120c9ded1bc78edaf5b72a23f5f71331af2142ab39a