Analysis

max time kernel: 150s
max time network: 157s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-05-2024 10:44
Static task: static1
Behavioral task: behavioral1
  Sample: 4aae8d3248aae366d8668eefc8e4ecbb_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 4aae8d3248aae366d8668eefc8e4ecbb_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General

Target: 4aae8d3248aae366d8668eefc8e4ecbb_JaffaCakes118.dll
Size: 5.0MB
MD5: 4aae8d3248aae366d8668eefc8e4ecbb
SHA1: 4488bcf800d2e04e4ca388df134868e38c1a6fd6
SHA256: 355b6070cd2a0b31c9b42b62c14b8b6dc4ee857152a1e1b501b6cbda73e9a0b6
SHA512: 2256097b284f4a328a617131bb2a43b82064b735c3f2efb5c2b2f7b1f98728f9030c9d7e6e243e41722deee99dbe7b8cc942816ef69eee3d747a708be4010805
SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0q1LJMfcH9PO6LLuYAMEcpcL7:SnAQqMSPbcBVqxJM0H9PAMEc
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3223) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
Processes:
  PID   Process
  3036  mssecsvc.exe
  2672  mssecsvc.exe
  2712  tasksche.exe

Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.

Drops file in System32 directory (1 IoCs)
Processes:
  Description                   IoC                                                                                                              Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
Note: counters.dat under the systemprofile's Temporary Internet Files is WinINet's cache bookkeeping file. Together with the Internet Settings keys written under HKEY_USERS\.DEFAULT (listed below), it shows mssecsvc.exe using WinINet from the SYSTEM context; the signature fires on that cache artifact, not on a binary dropped into System32.

Drops file in Windows directory (2 IoCs)
Processes:
  Description   IoC                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe

Modifies data under HKEY_USERS (24 IoCs)
Processes: mssecsvc.exe (every entry below)
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF0CEC56-E98F-44C4-995D-69849CDD7EE8}\WpadDecisionReason = "1"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-c9-7a-3d-a3-5a
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-c9-7a-3d-a3-5a\WpadDecisionReason = "1"
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-c9-7a-3d-a3-5a\WpadDecisionTime = 103e51047ea7da01
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF0CEC56-E98F-44C4-995D-69849CDD7EE8}
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (data)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF0CEC56-E98F-44C4-995D-69849CDD7EE8}\WpadDecisionTime = 103e51047ea7da01
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF0CEC56-E98F-44C4-995D-69849CDD7EE8}\WpadDecision = "0"
  Set value (str)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF0CEC56-E98F-44C4-995D-69849CDD7EE8}\WpadNetworkName = "Network 3"
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF0CEC56-E98F-44C4-995D-69849CDD7EE8}\fa-c9-7a-3d-a3-5a
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-c9-7a-3d-a3-5a\WpadDecision = "0"
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Note: these are the values WinINet and its WPAD proxy auto-detection initialise on first use. They land under HKEY_USERS\.DEFAULT because mssecsvc.exe runs in the SYSTEM context, so they are a side effect of the process making an HTTP request, not a persistence mechanism.

Suspicious use of WriteProcessMemory (11 IoCs)
Processes:
  Source PID  Source process  Target PID  Target process  Calls
  2208        rundll32.exe    1280        rundll32.exe    7
  1280        rundll32.exe    3036        mssecsvc.exe    4
Note: both pairs are parent and child in the process tree below; the writes coincide with process creation, so on its own this signature is weak evidence of code injection.
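The behavioural signatures above are simple rules over the sandbox's event stream. The following added example (not part of the report or of any sandbox's code) re-implements four of them over a constructed, Sysmon-style event log. The PIDs, image paths and command lines are the ones this report shows; the event schema is an assumption, and the network flows are invented, since the report does not say which process generated its 3223 contacts (attributing them to PID 2672 here is an assumption for illustration). It also combines two of the weak rules into the higher-signal one an analyst actually wants: a dropped EXE whose ancestry passes through rundll32.exe.

```python
from collections import defaultdict

# Constructed sandbox-style event log (assumed schema). PIDs, images and
# command lines are taken from the report; the flow records are invented and
# their attribution to PID 2672 is an assumption.
DLL = r"C:\Users\Admin\AppData\Local\Temp\4aae8d3248aae366d8668eefc8e4ecbb_JaffaCakes118.dll"
EVENTS = [
    {"type": "process", "pid": 2208, "ppid": 0, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "process", "pid": 1280, "ppid": 2208, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"type": "file_create", "pid": 1280, "path": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "process", "pid": 3036, "ppid": 1280, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "file_create", "pid": 3036, "path": r"C:\WINDOWS\tasksche.exe"},
    {"type": "process", "pid": 2712, "ppid": 3036, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    # Second mssecsvc.exe instance; it has no parent in the report's tree.
    {"type": "process", "pid": 2672, "ppid": 0, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
]
# Constructed flows: one process sweeping a /24 on TCP 445.
EVENTS += [{"type": "flow", "pid": 2672, "dst": f"10.0.0.{i}", "dport": 445}
           for i in range(1, 255)]


def executed_dropped_exes(events):
    """'Executes dropped EXE': a process starts from a path an earlier event created."""
    dropped, hits = set(), []
    for ev in events:
        if ev["type"] == "file_create":
            dropped.add(ev["path"].lower())
        elif ev["type"] == "process" and ev["image"].lower() in dropped:
            hits.append(ev["pid"])
    return hits


def drops_in_windows_dir(events, windows_dir=r"C:\WINDOWS"):
    """'Drops file in Windows directory': any file_create below %WINDIR%.
    (The sandbox reports System32 drops as a separate signature; this rule does not.)"""
    prefix = windows_dir.lower().rstrip("\\") + "\\"
    return [(ev["pid"], ev["path"]) for ev in events
            if ev["type"] == "file_create" and ev["path"].lower().startswith(prefix)]


def network_fanout(events, threshold=100):
    """'Contacts a large amount of remote hosts': distinct destinations per PID
    at or above threshold. A worm sweeping a subnet shows up; a normal client does not."""
    hosts = defaultdict(set)
    for ev in events:
        if ev["type"] == "flow":
            hosts[ev["pid"]].add(ev["dst"])
    return {pid: len(dsts) for pid, dsts in hosts.items() if len(dsts) >= threshold}


def lineage(events, pid):
    """Image chain from the root ancestor down to pid, rebuilt from ppid links."""
    by_pid = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen-set guards against ppid cycles
        seen.add(pid)
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def rundll32_to_dropped_exe(events):
    """Higher-signal combination of two weak rules: a dropped EXE whose ancestry
    passes through rundll32.exe, i.e. the DLL's export wrote a payload and ran it."""
    return [pid for pid in executed_dropped_exes(events)
            if any(img.lower().endswith("\\rundll32.exe") for img in lineage(events, pid)[:-1])]


if __name__ == "__main__":
    print("dropped EXEs executed:", executed_dropped_exes(EVENTS))
    print("rundll32 -> dropped EXE:", rundll32_to_dropped_exe(EVENTS))
    print("drops in Windows dir:", drops_in_windows_dir(EVENTS))
    print("network fan-out:", network_fanout(EVENTS))
    for pid in (2712, 2672):
        print(pid, " -> ".join(lineage(EVENTS, pid)))
```

Note that the second mssecsvc.exe (PID 2672) satisfies "Executes dropped EXE" but not the rundll32 lineage rule, because it has no parent in the tree; a detection that only keys on parent-child pairs will miss a service-started second stage, which is why the fan-out rule is kept separate.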
Processes

C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4aae8d3248aae366d8668eefc8e4ecbb_JaffaCakes118.dll,#1
  PID: 2208
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4aae8d3248aae366d8668eefc8e4ecbb_JaffaCakes118.dll,#1
    PID: 1280
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 3036
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2712
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2672
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

Notes: the DLL is entered through its ordinal-1 export (",#1"). The system32 rundll32.exe (PID 2208) relaunches the SysWOW64 copy (PID 1280), which is what a 64-bit rundll32 does when asked to load a 32-bit DLL. The second mssecsvc.exe (PID 2672, "-m security") is a root in this tree, i.e. it was not started by the rundll32 chain; that is consistent with the first instance (PID 3036) installing itself as a service that the Service Control Manager then starts.
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: a303d486ce83611c43af4d855ec57b2c
  SHA1: 20dfe2de8d0a96740fe254cbe13a22517c2c62a6
  SHA256: ef5bb4a97017fefa400253ffd59d97ac696d5ca25a45542661d57a3fc2f6ddab
  SHA512: 5235609cd3791eb191bd4460ce78c69fbb4751c55bddac26d870eba91c0db2cb82a1c66035262bbce238aa6db6083c377b959a2432a9de81a024f2761f50d4b9

C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: abcfd0c00b5ee280a6b3eea836a18236
  SHA1: 3bf894472fa97223d8b900093b9c39ba0d24eaae
  SHA256: 4c7ab12b933942b311a8ee1a394a844869c0e3297f8dd645a99fbd67efd30974
  SHA512: 478e9e39aa1bdf2d4f68a6af469d387348d05a0643b9d75ca8a39d6e7a29291c1e95d4a31fc38cec79d9c5b38666e4e0a9626745635886a4a80d5d4ab6a505d3
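The dropped-file hashes above are the IoCs an incident responder would sweep a host with. The following added example (not part of the report) does that: it streams every regular file under a directory through MD5, SHA-1, SHA-256 and SHA-512 in one pass and reports any file whose digest appears in the IoC set. The IoC values are the ones listed above for mssecsvc.exe and tasksche.exe; the directory layout, the event of a match and the self-test's temporary files are assumptions constructed for the example.

```python
import hashlib
import os
import shutil
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Hash IoCs for the two dropped files, as listed in the report's Downloads
# section, keyed by digest so a hit on any algorithm identifies the file.
REPORT_IOCS = {
    # C:\Windows\mssecsvc.exe
    "a303d486ce83611c43af4d855ec57b2c": "mssecsvc.exe",
    "20dfe2de8d0a96740fe254cbe13a22517c2c62a6": "mssecsvc.exe",
    "ef5bb4a97017fefa400253ffd59d97ac696d5ca25a45542661d57a3fc2f6ddab": "mssecsvc.exe",
    "5235609cd3791eb191bd4460ce78c69fbb4751c55bddac26d870eba91c0db2cb82a1c66035262bbce238aa6db6083c377b959a2432a9de81a024f2761f50d4b9": "mssecsvc.exe",
    # C:\Windows\tasksche.exe
    "abcfd0c00b5ee280a6b3eea836a18236": "tasksche.exe",
    "3bf894472fa97223d8b900093b9c39ba0d24eaae": "tasksche.exe",
    "4c7ab12b933942b311a8ee1a394a844869c0e3297f8dd645a99fbd67efd30974": "tasksche.exe",
    "478e9e39aa1bdf2d4f68a6af469d387348d05a0643b9d75ca8a39d6e7a29291c1e95d4a31fc38cec79d9c5b38666e4e0a9626745635886a4a80d5d4ab6a505d3": "tasksche.exe",
}


def hash_bytes(data):
    """Digest of an in-memory buffer under every algorithm the report lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hash_file(path, chunk_size=1 << 20):
    """Stream a file once through all four hashers (samples are MBs; never read whole)."""
    hashers = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(block)
    return {alg: h.hexdigest() for alg, h in hashers.items()}


def match_hashes(digests, iocs=REPORT_IOCS):
    """Return (algorithm, label) for the first digest found in the IoC set, else None."""
    for alg in ALGORITHMS:
        label = iocs.get(digests[alg].lower())
        if label is not None:
            return alg, label
    return None


def sweep(root, iocs=REPORT_IOCS):
    """Walk root and return [(path, algorithm, label)] for every regular file that matches."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                found = match_hashes(hash_file(path), iocs)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if found:
                hits.append((path, found[0], found[1]))
    return hits


def demo_sweep():
    """Self-contained run on constructed files: a temp dir holding an empty file and a
    harmless text file is swept against the report IoCs (expect no hit) and then against
    a constructed IoC set containing the SHA-256 of the empty file (expect one hit).
    Returns both hit lists with the temp path reduced to the file name."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    try:
        open(os.path.join(root, "empty.bin"), "wb").close()
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"constructed content, not an IoC\n")
        constructed = {hash_bytes(b"")["sha256"]: "constructed empty-file marker"}
        real = [(os.path.basename(p), a, l) for p, a, l in sweep(root)]
        fake = [(os.path.basename(p), a, l) for p, a, l in sweep(root, constructed)]
        return real, fake
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, alg, label in sweep(sys.argv[1]):
            print(f"{path}: {alg} matches {label}")
    else:
        print(demo_sweep())
```

Keying the table by every digest the report publishes lets a feed that only carries MD5 or SHA-1 still match; in practice the SHA-256 alone is what to exchange, and MD5 is retained here only because older feeds still publish it. Run it with a directory argument to sweep a mounted image; with no argument it runs the constructed self-test.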