Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 10-05-2024 15:54
Static task: static1
Behavioral task: behavioral1
  Sample: 2fe3b52fc337d3a1a1cdca0f48f46773_JaffaCakes118.dll
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 2fe3b52fc337d3a1a1cdca0f48f46773_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 2fe3b52fc337d3a1a1cdca0f48f46773_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 2fe3b52fc337d3a1a1cdca0f48f46773
- SHA1: f8e4e3df09e914f104fb7f64d4cdf2c6d0e9a76b
- SHA256: 89d54bd2f03dcdc4703e8b457edc8559e74c9eb56a0fe0c18eb4b7c2c0367f4b
- SHA512: f51102d052b9ce4c4d78139d5cfa1e35fc5427c7e8af8380a839f875a60bd8ecc63f2150e7fd6b910321fd57ea2fac0ea39330c759838259ac709ec1756c54b9
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593ip2H:+DqPe1Cxcxk3ZAEUadzi4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3271) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  2088  mssecsvc.exe
  1068  mssecsvc.exe
  2708  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
  Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59B4FFF4-4CCA-4547-9197-942EEE1F7D85}\WpadDecisionTime = b0dde669f2a2da01 (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59B4FFF4-4CCA-4547-9197-942EEE1F7D85}\WpadDecision = "0" (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-54-26-97-c6-69\WpadDecisionTime = b0dde669f2a2da01 (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59B4FFF4-4CCA-4547-9197-942EEE1F7D85} (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-54-26-97-c6-69 (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59B4FFF4-4CCA-4547-9197-942EEE1F7D85}\1e-54-26-97-c6-69 (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-54-26-97-c6-69\WpadDecisionReason = "1" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0037000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\1e-54-26-97-c6-69\WpadDecision = "0" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59B4FFF4-4CCA-4547-9197-942EEE1F7D85}\WpadDecisionReason = "1" (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{59B4FFF4-4CCA-4547-9197-942EEE1F7D85}\WpadNetworkName = "Network 3" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (mssecsvc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  pid   process       target process
  1724  rundll32.exe  wrote to memory of 1880 (rundll32.exe)
  1724  rundll32.exe  wrote to memory of 1880 (rundll32.exe)
  1724  rundll32.exe  wrote to memory of 1880 (rundll32.exe)
  1724  rundll32.exe  wrote to memory of 1880 (rundll32.exe)
  1724  rundll32.exe  wrote to memory of 1880 (rundll32.exe)
  1724  rundll32.exe  wrote to memory of 1880 (rundll32.exe)
  1724  rundll32.exe  wrote to memory of 1880 (rundll32.exe)
  1880  rundll32.exe  wrote to memory of 2088 (mssecsvc.exe)
  1880  rundll32.exe  wrote to memory of 2088 (mssecsvc.exe)
  1880  rundll32.exe  wrote to memory of 2088 (mssecsvc.exe)
  1880  rundll32.exe  wrote to memory of 2088 (mssecsvc.exe)
Processes
- C:\Windows\system32\rundll32.exe (PID: 1724)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fe3b52fc337d3a1a1cdca0f48f46773_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID: 1880)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fe3b52fc337d3a1a1cdca0f48f46773_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID: 2088)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID: 2708)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID: 1068)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: d9dce092aed3030e2a500f8c6b1d892e
  SHA1: 6829f556957c3d54c6c9b6342339d2a72bafda72
  SHA256: 490b71b9d0552dc07ee5d57aef16ee95c4d61e8126a59065f83fa6d739493dfd
  SHA512: 495f3735246d700dc4fbf33be3a77f03916d9d8e4e6aa00d4d387fcd91eb4c7ddd9a7d07979f5476dc8f0d70cdc7fb3e48c7370ef4f454420ae930bb7d97ddb8
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 706fb84b80387399862b77592a003faf
  SHA1: fcdff5d4e29f7d4aca362afe53554309f4106f4c
  SHA256: ff8b504e2c6b1e62693f64f39b2fd9ac5c3e0d33c54cab137f0465d3e22f2a91
  SHA512: 55219a69ce37eb2c219dae7940f9a2b936b46333529ac4618a72dd29aaa580b1506d3e8734a1c3d8f38c65509f7f80647747321313ca74c61f05de8dedf3731d