Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 12-05-2024 14:38
Static task: static1
Behavioral task: behavioral1
- Sample: 3aa00668bdb6867cfe145f440dddcdec_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 3aa00668bdb6867cfe145f440dddcdec_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 3aa00668bdb6867cfe145f440dddcdec_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 3aa00668bdb6867cfe145f440dddcdec
- SHA1: d45814cd9e8f60e29183d2477d0c478aa0f0a548
- SHA256: b05aa7875251b7dd9e6a67f22bd2e0f9ae6a47f5b1017a98d657fe3b02187e9f
- SHA512: aebf302a5e12d4863ae83c594f0c912c046c87aca9e1c88a346c76e7fe0045c196672f6c667aa639bef68aa85536bd837ee6949b34dfc9bd07de029f70f99c29
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAk3R8yAH1plAH:+DqPoBhz1aRxcSUDk36SA73R8yAVp2H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3215) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    pid | process
    3040 | mssecsvc.exe
    1644 | mssecsvc.exe
    2300 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes:
    description | ioc | process
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    description | ioc | process
    File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
    File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B449418-8E9A-4EC0-9EB4-692E90704461} | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B449418-8E9A-4EC0-9EB4-692E90704461}\WpadDecisionTime = d0c1d9167aa4da01 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-50-f9-f5-4c-41\WpadDecision = "0" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B449418-8E9A-4EC0-9EB4-692E90704461}\96-50-f9-f5-4c-41 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-50-f9-f5-4c-41\WpadDecisionReason = "1" | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-50-f9-f5-4c-41\WpadDecisionTime = d0c1d9167aa4da01 | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B449418-8E9A-4EC0-9EB4-692E90704461}\WpadDecisionReason = "1" | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B449418-8E9A-4EC0-9EB4-692E90704461}\WpadDecision = "0" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\96-50-f9-f5-4c-41 | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
    Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
    Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
    Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2B449418-8E9A-4EC0-9EB4-692E90704461}\WpadNetworkName = "Network 3" | mssecsvc.exe
    Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description | pid | process | target process
    PID 2928 wrote to memory of 2996 | 2928 | rundll32.exe | rundll32.exe
    PID 2928 wrote to memory of 2996 | 2928 | rundll32.exe | rundll32.exe
    PID 2928 wrote to memory of 2996 | 2928 | rundll32.exe | rundll32.exe
    PID 2928 wrote to memory of 2996 | 2928 | rundll32.exe | rundll32.exe
    PID 2928 wrote to memory of 2996 | 2928 | rundll32.exe | rundll32.exe
    PID 2928 wrote to memory of 2996 | 2928 | rundll32.exe | rundll32.exe
    PID 2928 wrote to memory of 2996 | 2928 | rundll32.exe | rundll32.exe
    PID 2996 wrote to memory of 3040 | 2996 | rundll32.exe | mssecsvc.exe
    PID 2996 wrote to memory of 3040 | 2996 | rundll32.exe | mssecsvc.exe
    PID 2996 wrote to memory of 3040 | 2996 | rundll32.exe | mssecsvc.exe
    PID 2996 wrote to memory of 3040 | 2996 | rundll32.exe | mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3aa00668bdb6867cfe145f440dddcdec_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 2928
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3aa00668bdb6867cfe145f440dddcdec_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2996
    - C:\WINDOWS\mssecsvc.exe
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 3040
      - C:\WINDOWS\tasksche.exe
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2300
- C:\WINDOWS\mssecsvc.exe
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 1644
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: f5fdad1cce51d837d8da1bfe592c8155
  SHA1: 5c4e3ee8537354a8a5e9d00ecc102b06feacef39
  SHA256: c70b439b2d8d42854cc36b6697910f3d6e97e760092d7d71b808a837f9f5b636
  SHA512: 63484a11dec11bdc7f79ab600a84bd69b9e472f1e65cd7d4e08b37ef72da78f60a5cba8352f6d1c7055478ab623a3a082b5d10d03a93a3830272260c863d8b16
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 2c36f78fe38ba35d7f013dd88da5896c
  SHA1: d0ef8751cb49bb0ff9fea9953e489835aa79f272
  SHA256: 94c6862322ee06e6cc6c58466536f9e641a5fd4b53efde59ba7d26fb4cc1785d
  SHA512: 81651750599423a5778328e3f2451d5b672ee96b6afbd95487d6c266ab8fbe81b6ed679f2ffdccb20c304cec63a12bab7e37a41616e1ea2da8051a078f57780b