Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 10-05-2024 15:56
Static task: static1
Behavioral task: behavioral1
- Sample: 2fe52d89a67c9906720d04670dcfbaee_JaffaCakes118.dll
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 2fe52d89a67c9906720d04670dcfbaee_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
-
Target
2fe52d89a67c9906720d04670dcfbaee_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
2fe52d89a67c9906720d04670dcfbaee
-
SHA1
0b661cade27f643d76c471db33729a8b795639da
-
SHA256
27f6f8bc00bde8c8c6b5692388bf4458131a940814a1a903065bfdc2cfed0fde
-
SHA512
f719bec24ddc570b30a529746dc3c68d6d81604efa9e0583b35c77cfe3d60824f3390cd8bbdaa9294c0f8781d2eff79ed7ac5ac1643c42459afb03a3374a6fd8
-
SSDEEP
98304:+DqPoBQ1aRxcSUDk36SAEdhvxWa9P593R8yA:+DqPn1Cxcxk3ZAEUadzR8y
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3337) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
pid | process
2268 | mssecsvc.exe
2528 | mssecsvc.exe
2808 | tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes: mssecsvc.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes: rundll32.exe, mssecsvc.exe
description | ioc | process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
-
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-7c-29-fd-05-5d\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6EBA8636-7EDA-43B6-A584-1E3C48F63A5D}\WpadDecisionTime = 902f29a0f2a2da01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6EBA8636-7EDA-43B6-A584-1E3C48F63A5D}\WpadDecision = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6EBA8636-7EDA-43B6-A584-1E3C48F63A5D}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (str) 
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6EBA8636-7EDA-43B6-A584-1E3C48F63A5D} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6EBA8636-7EDA-43B6-A584-1E3C48F63A5D}\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6EBA8636-7EDA-43B6-A584-1E3C48F63A5D}\72-7c-29-fd-05-5d mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-7c-29-fd-05-5d\WpadDecisionTime = 902f29a0f2a2da01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-7c-29-fd-05-5d\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 
4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f013d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\72-7c-29-fd-05-5d mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes: rundll32.exe, rundll32.exe
description | pid | process | target process
PID 2872 wrote to memory of 2924 | 2872 | rundll32.exe | rundll32.exe
PID 2872 wrote to memory of 2924 | 2872 | rundll32.exe | rundll32.exe
PID 2872 wrote to memory of 2924 | 2872 | rundll32.exe | rundll32.exe
PID 2872 wrote to memory of 2924 | 2872 | rundll32.exe | rundll32.exe
PID 2872 wrote to memory of 2924 | 2872 | rundll32.exe | rundll32.exe
PID 2872 wrote to memory of 2924 | 2872 | rundll32.exe | rundll32.exe
PID 2872 wrote to memory of 2924 | 2872 | rundll32.exe | rundll32.exe
PID 2924 wrote to memory of 2268 | 2924 | rundll32.exe | mssecsvc.exe
PID 2924 wrote to memory of 2268 | 2924 | rundll32.exe | mssecsvc.exe
PID 2924 wrote to memory of 2268 | 2924 | rundll32.exe | mssecsvc.exe
PID 2924 wrote to memory of 2268 | 2924 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fe52d89a67c9906720d04670dcfbaee_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID:2872
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\2fe52d89a67c9906720d04670dcfbaee_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:2924
    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID:2268
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID:2808
- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2528
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 39257dbef45a759e3c44d0be045d8d61
  SHA1: f75daf7947b40ce133359a29d84469b833f69a20
  SHA256: ed3cb02276d4e304a8403ee3ebfb156e5b46e739f3e72cf91dd42ae9bbbfc9f7
  SHA512: e06c4f54c854aaf76bb240457cc74c2bdeb26337daadec480b074719737a0993bfdd238f9c768a25a2fc37f06dbd6971ad185824875b086b4894a4237032d133
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 6298fb6f109a807ddfac1f8dcc014335
  SHA1: 36ad7ca09f15a364f8174df1f2f0b559454464c6
  SHA256: a4ab229ff389272762db421d8591db5b272b8aa831823df71ba35fad98d7ba1d
  SHA512: 0eb439156c26088ec3516f472b6d05311b9cef226dd249d2932f4cd267e122bbc44cec031b924f8053d6013f9f34ecaca5ee874ee01cdd2ed662a9535549f345