Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 17-05-2024 04:30
Static task: static1
Behavioral task: behavioral1
- Sample: 4e6c5f2e8ed845b2a3b03db18c169284_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 4e6c5f2e8ed845b2a3b03db18c169284_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 4e6c5f2e8ed845b2a3b03db18c169284_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 4e6c5f2e8ed845b2a3b03db18c169284
- SHA1: 902602d945d54c528acf71134a57490126118b7c
- SHA256: 9d793dff706f4db5ee042d8e953078093298578849151593641db17e479b739d
- SHA512: 7479fc1c3e61bee61661733832d5135d05b5a7b34c61b4d4441cc1df1b29b9be177f06334e03e1a6ee581770b46d8c6d7d90109b7026f437a4c60cd8b03ce798
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2:+DqPe1Cxcxk3ZAEUadzR8yc4
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3226) amount of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (3 IoCs)
Processes:
  pid   process
  2864  mssecsvc.exe
  1884  mssecsvc.exe
  2704  tasksche.exe
-
Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory (1 IoC)
Processes (description: ioc (process)):
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
-
Drops file in Windows directory (2 IoCs)
Processes (description: ioc (process)):
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
-
Modifies data under HKEY_USERS (24 IoCs)
Processes (description: ioc (process)):
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7D33897-E920-4B4C-BF10-C6A364CD478E}\WpadDecisionTime = 80a92a0a13a8da01 (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7D33897-E920-4B4C-BF10-C6A364CD478E}\82-f1-3d-f4-cb-9d (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0085000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f1-3d-f4-cb-9d\WpadDecisionTime = 80a92a0a13a8da01 (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7D33897-E920-4B4C-BF10-C6A364CD478E} (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7D33897-E920-4B4C-BF10-C6A364CD478E}\WpadNetworkName = "Network 3" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f1-3d-f4-cb-9d\WpadDecisionReason = "1" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f1-3d-f4-cb-9d\WpadDecision = "0" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7D33897-E920-4B4C-BF10-C6A364CD478E}\WpadDecisionReason = "1" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D7D33897-E920-4B4C-BF10-C6A364CD478E}\WpadDecision = "0" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-f1-3d-f4-cb-9d (mssecsvc.exe)
-
Suspicious use of WriteProcessMemory (11 IoCs)
Processes (description: pid, process -> target process):
  PID 2648 wrote to memory of 2832: 2648, rundll32.exe -> rundll32.exe
  PID 2648 wrote to memory of 2832: 2648, rundll32.exe -> rundll32.exe
  PID 2648 wrote to memory of 2832: 2648, rundll32.exe -> rundll32.exe
  PID 2648 wrote to memory of 2832: 2648, rundll32.exe -> rundll32.exe
  PID 2648 wrote to memory of 2832: 2648, rundll32.exe -> rundll32.exe
  PID 2648 wrote to memory of 2832: 2648, rundll32.exe -> rundll32.exe
  PID 2648 wrote to memory of 2832: 2648, rundll32.exe -> rundll32.exe
  PID 2832 wrote to memory of 2864: 2832, rundll32.exe -> mssecsvc.exe
  PID 2832 wrote to memory of 2864: 2832, rundll32.exe -> mssecsvc.exe
  PID 2832 wrote to memory of 2864: 2832, rundll32.exe -> mssecsvc.exe
  PID 2832 wrote to memory of 2864: 2832, rundll32.exe -> mssecsvc.exe
Processes
-
Process (depth 1): C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4e6c5f2e8ed845b2a3b03db18c169284_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
-
  Process (depth 2): C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\4e6c5f2e8ed845b2a3b03db18c169284_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
-
    Process (depth 3): C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
-
      Process (depth 4): C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
-
Process (depth 1): C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 9a99b7154faa6c48660d3dca1ea8ff61
  SHA1: b0032dcab2b92a549bcba3843888210d32c44bd8
  SHA256: 545b7a1966206b6cc47cbbe3f74008898dec644a79d36c6ff9c7941d83fc9ef3
  SHA512: 23c63bb6d2f5039eab075c140609b11574e6075e8b621a85a9561741948a7401b06b38cac58217e6b976f5eff738c3cf652668f4f5c9f022f2e73c1ebbf3768d
-
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: af29815495f198e50e12f45a40e61243
  SHA1: 466b564b77a858092b9a2d840480f64f01e93139
  SHA256: c1c4a6518885dec0efa3d9e6bd5a51191e504e7081708c7de3f7d4c1f8c4523f
  SHA512: 12bd05d06d9c8d2f407eaac58b34d93d2f76c142b053f25375766af2d5dce78cf76cb55c0a1f6acd6b44ff7f644a1e919bef8ca6ddb74ea5edd42185be4cc648