Analysis
- Max time kernel: 150s
- Max time network: 150s
- Platform: windows7_x64
- Resource: win7-20240508-en
- Resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- Submitted: 18-05-2024 21:37
Static task: static1
Behavioral task: behavioral1
- Sample: 56ebabfe5ac52c06923fa1fd5e76fd49_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 56ebabfe5ac52c06923fa1fd5e76fd49_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 56ebabfe5ac52c06923fa1fd5e76fd49_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 56ebabfe5ac52c06923fa1fd5e76fd49
- SHA1: 307f347723d234984a2f1c152325a12f0d1ec333
- SHA256: a274d7771f1d7d0ef7133f3a00502267c7d03c48f4a491b075527915dc95c329
- SHA512: 212469b9559b1ee55fe026719499e9330737972c9951104c0dd9e74a31d715be2ac7314c07d7e17f143e894bb7b898133bf4a3f9fd851a57bc663ec259bc8008
- SSDEEP: 24576:zbLgddQhfdmMSirYbcMNgef0QeQjGL4kqAH1pNZtA0p+9XEk:znAQqMSPbcBVQejLyAH1plAH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3299) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid | process):
  - 1680 | mssecsvc.exe
  - 2612 | mssecsvc.exe
  - 2568 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description | ioc | process):
  - File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description | ioc | process):
  - File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  - File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description | ioc | process):
  - Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94A96D3C-8A18-4E4F-AE37-BE10AB0188D8}\WpadDecisionTime = c00b54a36ba9da01 | mssecsvc.exe
  - Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-de-bd-51-da-23\WpadDecisionTime = c00b54a36ba9da01 | mssecsvc.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-de-bd-51-da-23\WpadDecision = "0" | mssecsvc.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94A96D3C-8A18-4E4F-AE37-BE10AB0188D8}\WpadDecisionReason = "1" | mssecsvc.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94A96D3C-8A18-4E4F-AE37-BE10AB0188D8}\WpadDecision = "0" | mssecsvc.exe
  - Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-de-bd-51-da-23 | mssecsvc.exe
  - Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\9e-de-bd-51-da-23\WpadDecisionReason = "1" | mssecsvc.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  - Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0035000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  - Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94A96D3C-8A18-4E4F-AE37-BE10AB0188D8} | mssecsvc.exe
  - Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  - Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94A96D3C-8A18-4E4F-AE37-BE10AB0188D8}\WpadNetworkName = "Network 3" | mssecsvc.exe
  - Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94A96D3C-8A18-4E4F-AE37-BE10AB0188D8}\9e-de-bd-51-da-23 | mssecsvc.exe
  - Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  - Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  - Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description | pid | process | target process):
  - PID 2740 wrote to memory of 1176 | 2740 | rundll32.exe | rundll32.exe
  - PID 2740 wrote to memory of 1176 | 2740 | rundll32.exe | rundll32.exe
  - PID 2740 wrote to memory of 1176 | 2740 | rundll32.exe | rundll32.exe
  - PID 2740 wrote to memory of 1176 | 2740 | rundll32.exe | rundll32.exe
  - PID 2740 wrote to memory of 1176 | 2740 | rundll32.exe | rundll32.exe
  - PID 2740 wrote to memory of 1176 | 2740 | rundll32.exe | rundll32.exe
  - PID 2740 wrote to memory of 1176 | 2740 | rundll32.exe | rundll32.exe
  - PID 1176 wrote to memory of 1680 | 1176 | rundll32.exe | mssecsvc.exe
  - PID 1176 wrote to memory of 1680 | 1176 | rundll32.exe | mssecsvc.exe
  - PID 1176 wrote to memory of 1680 | 1176 | rundll32.exe | mssecsvc.exe
  - PID 1176 wrote to memory of 1680 | 1176 | rundll32.exe | mssecsvc.exe
Processes (tree, nested by depth)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\56ebabfe5ac52c06923fa1fd5e76fd49_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\56ebabfe5ac52c06923fa1fd5e76fd49_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 8e131c7f6517cbf9d312f9a7c5cebd96
  SHA1: eb87deb9b58fc77c3daa219977e351c0f4cabad9
  SHA256: 0ab2b0b27a99e38f273db3ce1574ee5a8f800c7f14c7873035b3d54fe9054562
  SHA512: 86ec30f84132b446b00b8f128434bbc0576d1c33c83b33c1e45a559c40867ca8a2a2350a2f64e008985f08dfc266e178a9f0acb3a1f2461ac2fbd68fadc60582
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 5523234d2bf6d8bd47edf8cf1f7a2401
  SHA1: 00f49a644e2a2a566974920077e0e3eca2a4d047
  SHA256: 453e9160c63ca49b3fb2f1258d7cd828a1076845ad75ef1639154ca96b5dfbae
  SHA512: 176595185809f72c66e4b58f67efd43009e543b2da64bf9089fbc085a5e7908c8a1ef371ab69226439fc92fd7c306366d2cdfe5347342d7775e2980388c4bff9