Analysis
- max time kernel: 128s
- max time network: 134s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 18-05-2024 01:17
Static task: static1
Behavioral task: behavioral1
- Sample: 52273974a0123165fa8fbd867fa6dce5_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 52273974a0123165fa8fbd867fa6dce5_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 52273974a0123165fa8fbd867fa6dce5_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 52273974a0123165fa8fbd867fa6dce5
- SHA1: 35f1258534d55dd40ad036af00a7b82cb692843d
- SHA256: 022c9efcf232fdfabcfba1423deb8ade3a49ae6480bddd4d58b4ca712e2ebd02
- SHA512: 389091e8ebbbbeb2709bed52ee3cbb7149a8f4f283c49cbf35ccbc93437f3472a4c272ab401ca3f22eadcfce067bfde179a1be1a9dbf07aa6c8ea53506ca9744
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIwQ2bYy:SnAQqMSPbcBVQej/
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2571) number of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 2900: mssecsvc.exe
  - PID 2508: mssecsvc.exe
  - PID 2672: tasksche.exe
- Drops file in System32 directory (1 IoC)
  Processes:
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (all by mssecsvc.exe):
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-44-fa-05-dd-51
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-44-fa-05-dd-51\WpadDecision = "0"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94ABF82B-B9EB-4DA9-BD02-A10312DA8EE7}\WpadDecisionReason = "1"
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94ABF82B-B9EB-4DA9-BD02-A10312DA8EE7}
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94ABF82B-B9EB-4DA9-BD02-A10312DA8EE7}\WpadDecision = "0"
  - Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94ABF82B-B9EB-4DA9-BD02-A10312DA8EE7}\WpadNetworkName = "Network 3"
  - Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0076000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94ABF82B-B9EB-4DA9-BD02-A10312DA8EE7}\WpadDecisionTime = f0bbdc3ac1a8da01
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{94ABF82B-B9EB-4DA9-BD02-A10312DA8EE7}\8e-44-fa-05-dd-51
  - Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-44-fa-05-dd-51\WpadDecisionReason = "1"
  - Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-44-fa-05-dd-51\WpadDecisionTime = f0bbdc3ac1a8da01
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (source PID, source process, target PID, target process):
  - PID 2904 (rundll32.exe) wrote to memory of PID 2100 (rundll32.exe)
  - PID 2904 (rundll32.exe) wrote to memory of PID 2100 (rundll32.exe)
  - PID 2904 (rundll32.exe) wrote to memory of PID 2100 (rundll32.exe)
  - PID 2904 (rundll32.exe) wrote to memory of PID 2100 (rundll32.exe)
  - PID 2904 (rundll32.exe) wrote to memory of PID 2100 (rundll32.exe)
  - PID 2904 (rundll32.exe) wrote to memory of PID 2100 (rundll32.exe)
  - PID 2904 (rundll32.exe) wrote to memory of PID 2100 (rundll32.exe)
  - PID 2100 (rundll32.exe) wrote to memory of PID 2900 (mssecsvc.exe)
  - PID 2100 (rundll32.exe) wrote to memory of PID 2900 (mssecsvc.exe)
  - PID 2100 (rundll32.exe) wrote to memory of PID 2900 (mssecsvc.exe)
  - PID 2100 (rundll32.exe) wrote to memory of PID 2900 (mssecsvc.exe)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\52273974a0123165fa8fbd867fa6dce5_JaffaCakes118.dll,#1
  PID: 2904
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\52273974a0123165fa8fbd867fa6dce5_JaffaCakes118.dll,#1
    PID: 2100
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2900
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2672
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2508
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 4baf69383a9fc1b6da854b63272e300f
  SHA1: 08ea3eb52583c2fd25ee7dc6a19ef5fa6c199138
  SHA256: 04910bfe3dab5e3d912b28c4c94614d9b826bb261dbe5135e3cca5f854624221
  SHA512: 13f6995db6ddb62f3731105af44cf500daff1f365324c45ce24da2d9026f853db57ca2a9e3a1f29e5c87c9f2655a4b6a6f6b5f761e93b1f541b4752559cd9278
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: c5df4ec60f1f3a939577111217672171
  SHA1: 0eee00b69479940e562650d8fa31f7e89678152f
  SHA256: 8ff377030e6bc316de9d062090a780542d7512ca4debc1e21c78f5a4720b7d2f
  SHA512: 2f9d784fde6ff56cbc2c1e355c7a2288d34722b0f8adbe9c50ddebb4cb0380f926323f83222f8182c101d2190a7aff7f9f0f67c96ce00a20a9e7c8af9248c0f5