Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
17-05-2024 21:55
Static task
static1
Behavioral task
behavioral1
Sample
51aab375aea5501d903d3a80d3f1dbbf_JaffaCakes118.dll
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
51aab375aea5501d903d3a80d3f1dbbf_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
51aab375aea5501d903d3a80d3f1dbbf_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
51aab375aea5501d903d3a80d3f1dbbf
-
SHA1
62429059285483ef1140d06914e528bf704e4577
-
SHA256
ea90471e9d4dbae983656969be57fc3ecbc6f68bff93888f5e712644be95b69f
-
SHA512
c6d988e43db3c17f0a53b0247c8aa087b6c1defb29560302116569d1c0aee976e0852b3d3aef37da06c199d150dce3d62a3631d85e1a88a8b737388ef494486d
-
SSDEEP
98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P59Bc/J:TDqPe1Cxcxk3ZAEUadAJ
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3235) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 2148 mssecsvc.exe 2296 mssecsvc.exe 2624 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{11E9293E-A4D7-48DC-B5DE-6E9D8FF017F5} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f6-bf-44-47-65\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{11E9293E-A4D7-48DC-B5DE-6E9D8FF017F5}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{11E9293E-A4D7-48DC-B5DE-6E9D8FF017F5}\82-f6-bf-44-47-65 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{11E9293E-A4D7-48DC-B5DE-6E9D8FF017F5}\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{11E9293E-A4D7-48DC-B5DE-6E9D8FF017F5}\WpadDecision = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f6-bf-44-47-65\WpadDecisionTime = 10c701fda4a8da01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f6-bf-44-47-65\WpadDecisionReason = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{11E9293E-A4D7-48DC-B5DE-6E9D8FF017F5}\WpadDecisionTime = 10c701fda4a8da01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f6-bf-44-47-65 mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2104 wrote to memory of 2792 2104 rundll32.exe rundll32.exe PID 2104 wrote to memory of 2792 2104 rundll32.exe rundll32.exe PID 2104 wrote to memory of 2792 2104 rundll32.exe rundll32.exe PID 2104 wrote to memory of 2792 2104 rundll32.exe rundll32.exe PID 2104 wrote to memory of 2792 2104 rundll32.exe rundll32.exe PID 2104 wrote to memory of 2792 2104 rundll32.exe rundll32.exe PID 2104 wrote to memory of 2792 2104 rundll32.exe rundll32.exe PID 2792 wrote to memory of 2148 2792 rundll32.exe mssecsvc.exe PID 2792 wrote to memory of 2148 2792 rundll32.exe mssecsvc.exe PID 2792 wrote to memory of 2148 2792 rundll32.exe mssecsvc.exe PID 2792 wrote to memory of 2148 2792 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\51aab375aea5501d903d3a80d3f1dbbf_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\51aab375aea5501d903d3a80d3f1dbbf_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2148 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2624
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2296
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5fd57cd67ca6943cf19388c74caaf8ec1
SHA1141f26f0dcb0071ecded6fd3ec1d09b3d0f7fd46
SHA256d6767479d1b2b1908de550a7b45c93a8405b28700cda845f3248200310bc0585
SHA512755379c67d685fc5aac89444f779fb9f397802d619e1a6d4388be78760dea54f33c29076876fee7d32fb3ecb9e6bb88093eaae246103b43320c90ec825bfe5e7
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD54a5ffc4ccab9af3e5654f447bcb1f85d
SHA16b5b5bafbff65372e102ab1c06cbf1f09d47cf84
SHA256aac6b9f1b96c9d7c14cbb9600f00e4dcbb4f257772fb7b4eed4e0fa4c724286d
SHA5125f0699c6cc8f1a5fdc11e2aa1f0f574cdfe05daaf5d5f7b959c595d0b48e2f34fc9a5cd755b296963a09b0dd7e3cedddf733e21b8abdfee06ca0ecf501c6df0c