Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11-05-2024 09:15
Static task: static1
Behavioral task: behavioral1
  Sample: 33d9881cf386853f2ffad76685b9340d_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 33d9881cf386853f2ffad76685b9340d_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
Target: 33d9881cf386853f2ffad76685b9340d_JaffaCakes118.dll
Size: 5.0MB
MD5: 33d9881cf386853f2ffad76685b9340d
SHA1: b46a85f2adfe51c43342d536f2fde4328ac6a2d6
SHA256: f17efd607395c546c7cd870a05f5cebf607609e051047df8ef4d8dc831b50760
SHA512: 130904e9035884573b55cbe3c4bd2f9040ae9a20aa4d6274148153c39564c764bc3410c7e9fafd980fec2390abd960460e92ed020b1ce387869a525eb43ada8a
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2:+DqPe1Cxcxk3ZAEUadzR8yc4
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3320) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID   Process
  3068  mssecsvc.exe
  3040  mssecsvc.exe
  2676  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  All 24 entries are written by mssecsvc.exe. They are the WinINet proxy/WPAD auto-detection keys that Windows itself populates under the .DEFAULT (service) profile the first time a process running in that context makes a network request, so they are a side effect of the worm's network activity rather than a deliberate configuration change by the sample; the same pattern appears for any service-context process that uses WinINet.
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{822F5F2E-9447-4FC2-9826-69DCB4956D38}
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-bc-26-6c-29-8a
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0109000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{822F5F2E-9447-4FC2-9826-69DCB4956D38}\WpadDecision = "0"
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{822F5F2E-9447-4FC2-9826-69DCB4956D38}\06-bc-26-6c-29-8a
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{822F5F2E-9447-4FC2-9826-69DCB4956D38}\WpadNetworkName = "Network 3"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{822F5F2E-9447-4FC2-9826-69DCB4956D38}\WpadDecisionReason = "1"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{822F5F2E-9447-4FC2-9826-69DCB4956D38}\WpadDecisionTime = e03c93c983a3da01
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-bc-26-6c-29-8a\WpadDecisionReason = "1"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-bc-26-6c-29-8a\WpadDecisionTime = e03c93c983a3da01
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\06-bc-26-6c-29-8a\WpadDecision = "0"
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2356 (rundll32.exe) wrote to memory of PID 2836 (rundll32.exe): 7 events
  PID 2836 (rundll32.exe) wrote to memory of PID 3068 (mssecsvc.exe): 4 events
Processes
Tree 1 (the DLL loaded via rundll32; the 64-bit system32 rundll32.exe hands the 32-bit DLL to its SysWOW64 counterpart):
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\33d9881cf386853f2ffad76685b9340d_JaffaCakes118.dll,#1
   PID: 2356
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\33d9881cf386853f2ffad76685b9340d_JaffaCakes118.dll,#1
      PID: 2836
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\WINDOWS\mssecsvc.exe
         Command line: C:\WINDOWS\mssecsvc.exe
         PID: 3068
         - Executes dropped EXE
         - Drops file in Windows directory
         4. C:\WINDOWS\tasksche.exe
            Command line: C:\WINDOWS\tasksche.exe /i
            PID: 2676
            - Executes dropped EXE
Tree 2 (mssecsvc.exe started again, in service mode):
1. C:\WINDOWS\mssecsvc.exe
   Command line: C:\WINDOWS\mssecsvc.exe -m security
   PID: 3040
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies data under HKEY_USERS
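The process tree above is the most reliable thing in this report to detect on, since the dropped file names and the `tasksche.exe /i` and `mssecsvc.exe -m security` command lines are fixed across WannaCry samples while the DLL hash is not. The following is an added example, not part of the sandbox output: it reconstructs the report's process-creation events as Sysmon-style records (PIDs, image paths and command lines are the report's; the parent PIDs 1234 for the first rundll32.exe and 480 for the service-mode mssecsvc.exe are assumed because the report does not show them), walks the parent/child links to flag each stage of the chain, and matches observed file hashes against the SHA256 values from the Downloads section below. A real pipeline would feed it Sysmon Event ID 1 and Event ID 11 records instead of the constructed list.

```python
"""Detect the WannaCry process chain recorded in the sandbox report.

Added example, not the sandbox's or the sample's own code. Events are
constructed from the report's process tree; parent PIDs 1234 and 480 are
assumptions (the report does not show those parents).
"""
from dataclasses import dataclass
from typing import Dict, List

# SHA256 of the two dropped binaries, copied from the report's Downloads section.
DROPPED_SHA256 = {
    "89d714fa7f3b6398e36ae8f690e70fadc14a339136bf0bf9226bca9cae79f639": "mssecsvc.exe",
    "54e859d3814ff99b3152885ec84a1e743e8b1884a41c01a53ef480fde0b07fd7": "tasksche.exe",
}

DLL = r"C:\Users\Admin\AppData\Local\Temp\33d9881cf386853f2ffad76685b9340d_JaffaCakes118.dll"


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 shape)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str


# Constructed events mirroring the report's two process trees.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(2356, 1234, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(2836, 2356, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(3068, 2836, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(2676, 3068, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcEvent(3040, 480, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_wannacry_chain(events: List[ProcEvent]) -> List[str]:
    """Return one finding per matched stage of the chain seen in the report."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[str] = []
    for e in events:
        name = basename(e.image)
        parent = by_pid.get(e.ppid)
        pname = basename(parent.image) if parent else ""
        # Stage 1: rundll32.exe (loading the DLL) starts the dropped C:\WINDOWS\mssecsvc.exe.
        if name == "mssecsvc.exe" and pname == "rundll32.exe":
            findings.append(f"dropper: rundll32.exe (pid {e.ppid}) started {e.image} (pid {e.pid})")
        # Stage 2: mssecsvc.exe launches tasksche.exe with the /i switch.
        if name == "tasksche.exe" and pname == "mssecsvc.exe" and "/i" in e.cmdline.split():
            findings.append(f"installer: {e.cmdline} (pid {e.pid}) under mssecsvc.exe (pid {e.ppid})")
        # Stage 3: mssecsvc.exe re-launched as a service with '-m security'.
        if name == "mssecsvc.exe" and e.cmdline.lower().rstrip().endswith("-m security"):
            findings.append(f"service mode: pid {e.pid} '{e.cmdline}'")
    return findings


def match_dropped_hashes(observed: Dict[str, str]) -> Dict[str, str]:
    """Map observed {path: sha256} onto the report's dropped-file hashes."""
    return {path: DROPPED_SHA256[h.lower()]
            for path, h in observed.items() if h.lower() in DROPPED_SHA256}


if __name__ == "__main__":
    for line in detect_wannacry_chain(SAMPLE_EVENTS):
        print(line)
```

Stage 1 keys on the parent image rather than on the DLL path or hash, so it also fires for the same dropper chain launched from a differently named DLL; stage 3 fires independently of the tree, which matters because the service-mode instance is started by the service control manager and has no rundll32.exe ancestor.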
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: effdba0b065ac5063a35e8778e6707a6
  SHA1: 1d2da67f250705d86d969da4311d0a977fdf9239
  SHA256: 89d714fa7f3b6398e36ae8f690e70fadc14a339136bf0bf9226bca9cae79f639
  SHA512: 7afda939ae0fed2f4b3f19ed170811ba76e3800607eea9238d07119176df39a923a50a9315e1498d9f8bd7c4e06fd4324dd91e4a552b34e3db1c09b40fc7bea8
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: b19c3d16e15df9ca9773be40f2f5f3e2
  SHA1: 2d6e8d30ccfb42813d1dca14bdff463d115052ad
  SHA256: 54e859d3814ff99b3152885ec84a1e743e8b1884a41c01a53ef480fde0b07fd7
  SHA512: 9623e9115848a79577a6e76968321d7e348f88a7dca31760170f3276e868d606d38da2024cdb67e0d8b0c4ddacc8e916ae61c0aab931a206604f195020d6f2ec