Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
17-05-2024 08:29
Static task
static1
Behavioral task
behavioral1
Sample
4f2bfd712a01aebb799326e1e1db66ff_JaffaCakes118.dll
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
4f2bfd712a01aebb799326e1e1db66ff_JaffaCakes118.dll
Resource
win10v2004-20240426-en
General
-
Target
4f2bfd712a01aebb799326e1e1db66ff_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
4f2bfd712a01aebb799326e1e1db66ff
-
SHA1
21b9dda55b3d7444b82568903d67b2d984440d08
-
SHA256
9bde5e19c245919890fee8337a38a915637eb962134858f4ba1cf52fc77e04bf
-
SHA512
f99145a414d49b6896d98e1f435b269711f51fd54e988dab974a64a77cadd37d63856eff04b779421e116f60c17be4700f1d87b54c011fb77d290561c40d885f
-
SSDEEP
98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9E3R8yAVp2H:+DqPe1Cxcxk3ZAEUaUR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3196) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 2428 mssecsvc.exe 2340 mssecsvc.exe 2668 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-ee-d0-44-56-aa\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-ee-d0-44-56-aa mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-ee-d0-44-56-aa\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0048000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F94CCB16-51A1-4C50-B23E-CC3DDCCD4A65}\WpadDecision = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F94CCB16-51A1-4C50-B23E-CC3DDCCD4A65}\WpadNetworkName = "Network 3" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F94CCB16-51A1-4C50-B23E-CC3DDCCD4A65}\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F94CCB16-51A1-4C50-B23E-CC3DDCCD4A65}\WpadDecisionTime = 40eeb26a34a8da01 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-ee-d0-44-56-aa\WpadDecisionTime = 40eeb26a34a8da01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F94CCB16-51A1-4C50-B23E-CC3DDCCD4A65} mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F94CCB16-51A1-4C50-B23E-CC3DDCCD4A65}\7e-ee-d0-44-56-aa mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2548 wrote to memory of 2972 2548 rundll32.exe rundll32.exe PID 2548 wrote to memory of 2972 2548 rundll32.exe rundll32.exe PID 2548 wrote to memory of 2972 2548 rundll32.exe rundll32.exe PID 2548 wrote to memory of 2972 2548 rundll32.exe rundll32.exe PID 2548 wrote to memory of 2972 2548 rundll32.exe rundll32.exe PID 2548 wrote to memory of 2972 2548 rundll32.exe rundll32.exe PID 2548 wrote to memory of 2972 2548 rundll32.exe rundll32.exe PID 2972 wrote to memory of 2428 2972 rundll32.exe mssecsvc.exe PID 2972 wrote to memory of 2428 2972 rundll32.exe mssecsvc.exe PID 2972 wrote to memory of 2428 2972 rundll32.exe mssecsvc.exe PID 2972 wrote to memory of 2428 2972 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4f2bfd712a01aebb799326e1e1db66ff_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\4f2bfd712a01aebb799326e1e1db66ff_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2428 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2668
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2340
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD56dd1fb0f0f6a9ce1d43b9f7a850fccf7
SHA1c9446988e6590bb3405f771ae4e3f8863244963b
SHA256091c32a21a94673080b1a8b6b66d4e2cd823cb9412e171146fd894998902cf19
SHA512e3cbe5a7518b6501b2544fc2f248fe3c0d554003f12fc7ab355526593d4285599a5730d1b4102e4275179a30107bc7462e56d5c3f60007ba9d78a441870db9d4
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD5fd38e14572d632ed874b7cae3518eaa5
SHA112b2ef10b1ac6c60e106f2427f7ea471d4a36938
SHA256858ce8d1e99a24dc7666567798d9e938a1d2de20d1448b4804e1cb9bea1f76ea
SHA5127c97076979324650bbf292b23aac2cf1559a5bbff168db0f2189b86b23a3f95ddc12845013d3060637cead2167610da98274fe5a39f8ebe571a27bd136731075