Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 10-05-2024 11:00
Static task: static1
Behavioral task: behavioral1
- Sample: 2ec7d1f90d57b3f3e5057e3b032bea5a_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 2ec7d1f90d57b3f3e5057e3b032bea5a_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 2ec7d1f90d57b3f3e5057e3b032bea5a_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 2ec7d1f90d57b3f3e5057e3b032bea5a
- SHA1: 63536a6303c855181bf6a57fbf68d6e3b2e55145
- SHA256: 427453cd2e3bada668d880e6eec35e83a92532263df7e69d2f67f30e627edf93
- SHA512: d0beb1dc06e9fcdcba033c5a7fc39d5453ffafadf6667f6a5fafbfb0a057c4b2e31ac112ccb22a0b80b92c792c0164e5e7e6460652641fcce54978d36a763857
- SSDEEP: 49152:SnAQqMSPbcBVQej/1IN5AMEcQEau3R8yAH1plAH:+DqPoBhz1a55T3R8yAVp2H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3170) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 2100 mssecsvc.exe
  - 2052 mssecsvc.exe
  - 2640 tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc, process); all 24 entries were recorded for mssecsvc.exe:
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0039000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF1C3EF9-27A5-4F1B-AC59-3D06AD9A4E66}\WpadDecisionReason = "1"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF1C3EF9-27A5-4F1B-AC59-3D06AD9A4E66}\WpadDecision = "0"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF1C3EF9-27A5-4F1B-AC59-3D06AD9A4E66}\WpadNetworkName = "Network 3"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-6f-27-c5-88-1c
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF1C3EF9-27A5-4F1B-AC59-3D06AD9A4E66}
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-6f-27-c5-88-1c\WpadDecisionReason = "1"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-6f-27-c5-88-1c\WpadDecisionTime = c0e7a159c9a2da01
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF1C3EF9-27A5-4F1B-AC59-3D06AD9A4E66}\WpadDecisionTime = c0e7a159c9a2da01
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EF1C3EF9-27A5-4F1B-AC59-3D06AD9A4E66}\32-6f-27-c5-88-1c
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-6f-27-c5-88-1c\WpadDecision = "0"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  - PID 1084 (rundll32.exe) wrote to memory of 1816 (rundll32.exe): recorded 7 times
  - PID 1816 (rundll32.exe) wrote to memory of 2100 (mssecsvc.exe): recorded 4 times
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ec7d1f90d57b3f3e5057e3b032bea5a_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1084
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ec7d1f90d57b3f3e5057e3b032bea5a_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1816
    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2100
      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2640
- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2052
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 1b2a00a37ef42709cc56b202a834f8ee
  SHA1: 2042224f22294df4629d4f4cb0946761387cbf08
  SHA256: fdd0e31bbb92fdda81ab4d2a13a3bebff0ba4627a8fb623822a421309765979f
  SHA512: 7dacf94cd985277a88e7a9fe1a2b5ca7eaf2205df65a61f8216e34d3bf75d43ae1c472c20f05c24c2f25c1c163f5541baf4ca7eec03bad56d083101900c84411
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 02fe7a6b7dd8d5ba72d6027753a24d9c
  SHA1: b950375dc5fdc23af5b40a748963fb80b8bc2e46
  SHA256: a99fd8d4b4b0ca08f0a5c0687d96207a6d6718e07dfcc8206cb86bea3e8db5ec
  SHA512: bf101c3f77f8b636cdcd9e516faf51de49598ca6d9b0af1469bff6632766c0b4811966f22c9067ba20753d0cb9f70b216fe43d10f4360c04773a7e97b81efa39