Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 14-05-2024 23:07
Static task
- static1
Behavioral task
- behavioral1
  Sample: 4379cf61c84bc977e3ca7cf96f81c6c9_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 4379cf61c84bc977e3ca7cf96f81c6c9_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
- Target: 4379cf61c84bc977e3ca7cf96f81c6c9_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 4379cf61c84bc977e3ca7cf96f81c6c9
- SHA1: 6b8120e8c6911aaea757d9b25bdb8b7d6a6d2923
- SHA256: 5afe1af7c8e1d6d57a05c8d8124e5482f5f93d53e35a3901bfd5bdaea666e2a1
- SHA512: 0a27bd875fc38beeaf0cd72840a49bdc576b7da9def191c75c21bd37243abe1d739417dce6643d28a254266bcae030537d08d8e75339cfff3a219aaf71977ca3
- SSDEEP: 98304:+DqPoBhz1aRxcSUDXdhvxWa9P593R8yAVp2H:+DqPe1CxcxXUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3068) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 2120  mssecsvc.exe
    PID 2644  mssecsvc.exe
    PID 2740  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes:
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
    File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
    File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Process: mssecsvc.exe (all entries below)
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-dd-44-d3-61-61\WpadDecisionReason = "1"
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9AE6BEA1-F50D-47DB-B21D-E151621223EB}
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9AE6BEA1-F50D-47DB-B21D-E151621223EB}\WpadDecisionReason = "1"
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9AE6BEA1-F50D-47DB-B21D-E151621223EB}\5e-dd-44-d3-61-61
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9AE6BEA1-F50D-47DB-B21D-E151621223EB}\WpadDecisionTime = 40b0ce7953a6da01
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9AE6BEA1-F50D-47DB-B21D-E151621223EB}\WpadDecision = "0"
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9AE6BEA1-F50D-47DB-B21D-E151621223EB}\WpadNetworkName = "Network 3"
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-dd-44-d3-61-61\WpadDecisionTime = 40b0ce7953a6da01
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-dd-44-d3-61-61\WpadDecision = "0"
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-dd-44-d3-61-61
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 2876 (rundll32.exe) wrote to memory of PID 2244 (rundll32.exe): 7 events
    PID 2244 (rundll32.exe) wrote to memory of PID 2120 (mssecsvc.exe): 4 events
Processes
- C:\Windows\system32\rundll32.exe (PID 2876)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4379cf61c84bc977e3ca7cf96f81c6c9_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2244)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4379cf61c84bc977e3ca7cf96f81c6c9_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2120)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2740)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2644)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 5158b00828ce20ecbeca10af0fee06a0
  SHA1: da8326e8fb5f94566500b152f9d434d7e7232999
  SHA256: da0264e42ca665c9e5788d11a2c23f9ed29f984cb48c3dbc58e7372f6e2406ed
  SHA512: ddc75964735125eab1b8d1ae431112b5f6d68a77bc84f038fc69d5fc333698fe22babc286110ce1ae1013bde309ed0e00ac9f2d04137d3b2c0ac33144133185b
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 0bf76c07bc449929c39ea15852d5f84f
  SHA1: 9e3d9d13a6102a9f04f14dfef0862f16e48f30e0
  SHA256: 7eb3e0b29552122441b6ffd26a315cce30b794ef49ae239f5b63e6eaaba23a71
  SHA512: 42465d1b8d060fcd27a3af680af00f7fd75093a0b31c45c69a86599ae18ee1234b2821e6ebf540a3ffd4b3d54b6e3962593dc9c9c928eca77ceac42c4dd5d809