Analysis
max time kernel: 150s
max time network: 155s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 12-05-2024 04:49
Static task: static1
Behavioral task: behavioral1
  Sample: 3856ef42d7ce6f8d6846d7dcdea1cc49_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 3856ef42d7ce6f8d6846d7dcdea1cc49_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 3856ef42d7ce6f8d6846d7dcdea1cc49_JaffaCakes118.dll
Size: 5.0MB
MD5: 3856ef42d7ce6f8d6846d7dcdea1cc49
SHA1: 4c8b980864fba332a123ebfd54c162792fe5bfc7
SHA256: 0425190cd56bfb638636057a1714fb3315da5046822e73ff4b1bfced0d92c229
SHA512: c0b1bc0441753a355b5d406aa45957c08b8934cc31c7020495b5e76427f8c7dc9cfba1ddbf5995cdacd85be44384e1f5bce297bd89caa3e8b59543f7bb016176
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5ZyAVp2H:+DqPe1Cxcxk3ZAEUad7yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3222) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    2476  mssecsvc.exe
    2916  mssecsvc.exe
    2588  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes:
    description                   ioc                                                                                                               process
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                       process
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (all by mssecsvc.exe):
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-28-a8-cd-b8-72\WpadDecisionTime = 50bc3bc927a4da01
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0081000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1898A27-0D79-4999-BE45-34B77F5023CF}
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-28-a8-cd-b8-72\WpadDecision = "0"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1898A27-0D79-4999-BE45-34B77F5023CF}\WpadDecision = "0"
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1898A27-0D79-4999-BE45-34B77F5023CF}\WpadNetworkName = "Network 3"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1898A27-0D79-4999-BE45-34B77F5023CF}\ea-28-a8-cd-b8-72
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1898A27-0D79-4999-BE45-34B77F5023CF}\WpadDecisionReason = "1"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1898A27-0D79-4999-BE45-34B77F5023CF}\WpadDecisionTime = 50bc3bc927a4da01
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-28-a8-cd-b8-72
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-28-a8-cd-b8-72\WpadDecisionReason = "1"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                       pid   process       target process
    PID 2172 wrote to memory of 1532  2172  rundll32.exe  rundll32.exe
    PID 2172 wrote to memory of 1532  2172  rundll32.exe  rundll32.exe
    PID 2172 wrote to memory of 1532  2172  rundll32.exe  rundll32.exe
    PID 2172 wrote to memory of 1532  2172  rundll32.exe  rundll32.exe
    PID 2172 wrote to memory of 1532  2172  rundll32.exe  rundll32.exe
    PID 2172 wrote to memory of 1532  2172  rundll32.exe  rundll32.exe
    PID 2172 wrote to memory of 1532  2172  rundll32.exe  rundll32.exe
    PID 1532 wrote to memory of 2476  1532  rundll32.exe  mssecsvc.exe
    PID 1532 wrote to memory of 2476  1532  rundll32.exe  mssecsvc.exe
    PID 1532 wrote to memory of 2476  1532  rundll32.exe  mssecsvc.exe
    PID 1532 wrote to memory of 2476  1532  rundll32.exe  mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe  (depth 1)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3856ef42d7ce6f8d6846d7dcdea1cc49_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2172
  C:\Windows\SysWOW64\rundll32.exe  (depth 2)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3856ef42d7ce6f8d6846d7dcdea1cc49_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 1532
    C:\WINDOWS\mssecsvc.exe  (depth 3)
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2476
      C:\WINDOWS\tasksche.exe  (depth 4)
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2588

C:\WINDOWS\mssecsvc.exe  (depth 1)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2916
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 23022312fd0eb362acd51a62e69185d4
  SHA1: deb9d113e39e66301635ca6f72f7bfc258dfea6a
  SHA256: 90713884f770c6608d27ed23c9a5dc983a3351b46ae5b76e9480cfa7c6331c0c
  SHA512: face22acf5004cc0c50699394f623e9dde94d0df34efe30f4a5874e2269131d12cbe1f5551bd0708176df8c164b02bc90e5f8d20cd4790cd746d26b3b2baed2b
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: f2a03186491eb9a7b49b33fea7504a29
  SHA1: 4a4996abe06cee5fdb6442092db06c7c191af893
  SHA256: 48832f220035f46a949838de7e782963a57d8d4ac8f094847f7eb2efdfbe7a3e
  SHA512: c1bd8c6c08324fd9b01c13bb733cc00845832acb0f60c86381ad368ddf817cde5fbca8195b45bd1fdd7062ebb3c4de7e054910542b27a3973f7af16318d56d09