Analysis
max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 10-05-2024 11:08
Static task: static1
Behavioral task: behavioral1
  Sample: 2ecf5172bc5e7637f593dcf9384f398c_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2ecf5172bc5e7637f593dcf9384f398c_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
Target: 2ecf5172bc5e7637f593dcf9384f398c_JaffaCakes118.dll
Size: 5.0MB
MD5: 2ecf5172bc5e7637f593dcf9384f398c
SHA1: bc370c26f5de99195c5aa9d764c4f42994d0895b
SHA256: 7e4c00260e5ddce714d067a9a77fe362d332c4b37aaeb86af6de4336338140ec
SHA512: d9c9c8302de8507943b5cce5268bc039dd2baccf81655cb32249810d921180ff5e68ea98f22f755940fdb0d6ddb61d008601a00c512cd8e1fef946c715fbe4a4
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBhz1aRxcSUDk36SAEdhvxWa9
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3196) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 2032  mssecsvc.exe
    PID 2608  mssecsvc.exe
    PID 2576  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes:
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  (process: mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
    File created: C:\WINDOWS\mssecsvc.exe  (process: rundll32.exe)
    File created: C:\WINDOWS\tasksche.exe  (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (source PID, source process -> target PID, target process):
    2248 rundll32.exe wrote to memory of 2024 rundll32.exe
    2248 rundll32.exe wrote to memory of 2024 rundll32.exe
    2248 rundll32.exe wrote to memory of 2024 rundll32.exe
    2248 rundll32.exe wrote to memory of 2024 rundll32.exe
    2248 rundll32.exe wrote to memory of 2024 rundll32.exe
    2248 rundll32.exe wrote to memory of 2024 rundll32.exe
    2248 rundll32.exe wrote to memory of 2024 rundll32.exe
    2024 rundll32.exe wrote to memory of 2032 mssecsvc.exe
    2024 rundll32.exe wrote to memory of 2032 mssecsvc.exe
    2024 rundll32.exe wrote to memory of 2032 mssecsvc.exe
    2024 rundll32.exe wrote to memory of 2032 mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ecf5172bc5e7637f593dcf9384f398c_JaffaCakes118.dll,#1
  PID: 2248
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2ecf5172bc5e7637f593dcf9384f398c_JaffaCakes118.dll,#1
    PID: 2024
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2032
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2576
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2608
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 034fc14d89e4a86611c7e93506e11c09
  SHA1: 53fadf08e7a1b35ef56469aec2596765c7211629
  SHA256: af319064db5f71cd01891a7052e06fc603739864657cd65fc31693fe381c2e8e
  SHA512: 54a867b6a4bf45e8022cc566f3656998cdf28d4cfa274eb4dbfb4cabacfec519caaa81b43e782599d73ed9dd23c55b1fb85695f0edf4b3ed0f1ef713963ee9da
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 007ca7909e171cde207dfbbc7755b436
  SHA1: 3b7969830d704e522ec8d9acdbb5c2b9c2a60484
  SHA256: 4e8b451fa36413c78a8979e64f53a86b9a1354d9f587b59fa4985f791f6be78c
  SHA512: d32212b0a23d184e1232b98bc2016517058af56314b17e25a28723ef98429c2f202146c2d80da653e34fabdb6f97d1cc406ccd9c9b650ecd8d5f4151bfe7e0ea