Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 18-05-2024 05:32
Static task
- static1
Behavioral task
- behavioral1
  Sample: 5331dcc2b7a9dc4c56dcaf9400024e18_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 5331dcc2b7a9dc4c56dcaf9400024e18_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 5331dcc2b7a9dc4c56dcaf9400024e18_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 5331dcc2b7a9dc4c56dcaf9400024e18
- SHA1: 66cb274de4c256c708c35d916b290f820bc3c17a
- SHA256: 9a44bdd3e8bbabec20228aceff16b42a0c9b8cf8ec5d6c33e72a6de7a4bf8625
- SHA512: d4634d09827cc0892f755b6dabe4bbd7bf2a5e0ad76ee7bdeae6dbcb94e5d244c6d55d5915e2805a299a44687828ee11ad6b3b3a369813567487b6d3b7f9309b
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKzozjeX6SAZBn/:SnAQqMSPbcBVQej/1INu6SA3/
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3252) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 2340  mssecsvc.exe
    PID 2536  mssecsvc.exe
    PID 2560  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes:
    mssecsvc.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
- Drops file in Windows directory (2 IoCs)
  Processes:
    rundll32.exe: File created C:\WINDOWS\mssecsvc.exe
    mssecsvc.exe: File created C:\WINDOWS\tasksche.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe (all entries below)
    Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDED9258-8DCF-4388-96B2-6E292074C4FE}\WpadDecision = "0"
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-db-d7-5b-90-71\WpadDecisionTime = 00fd38c9e4a8da01
    Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDED9258-8DCF-4388-96B2-6E292074C4FE}\WpadDecisionReason = "1"
    Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDED9258-8DCF-4388-96B2-6E292074C4FE}\WpadNetworkName = "Network 3"
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-db-d7-5b-90-71
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDED9258-8DCF-4388-96B2-6E292074C4FE}\WpadDecisionTime = 00fd38c9e4a8da01
    Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-db-d7-5b-90-71\WpadDecisionReason = "1"
    Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-db-d7-5b-90-71\WpadDecision = "0"
    Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDED9258-8DCF-4388-96B2-6E292074C4FE}
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FDED9258-8DCF-4388-96B2-6E292074C4FE}\aa-db-d7-5b-90-71
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    PID 2988 (rundll32.exe) wrote to memory of PID 1732 (rundll32.exe), 7 entries
    PID 1732 (rundll32.exe) wrote to memory of PID 2340 (mssecsvc.exe), 4 entries
Processes
- C:\Windows\system32\rundll32.exe (PID 2988, depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5331dcc2b7a9dc4c56dcaf9400024e18_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1732, depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5331dcc2b7a9dc4c56dcaf9400024e18_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2340, depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2560, depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2536, depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: fe9b5b75f3e267dcdfe1648fb681fa62
  SHA1: bbf80b2af90465b753ab4958fdddd2a116162a7a
  SHA256: 9bdb3ccd8180ae06303d0c3e80e7032013506c47dc38bc629baf62d8cb3b4068
  SHA512: a11aea279099ebdec32be47a236057ce08b2ed9a3362c314ac85772a5de455875bb8efcc13a2b793e7412803871e8f4925dcfce25f4d2d008dacc429eee0c0d4
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: ba20334dc03e894d28f68253d34ee54e
  SHA1: 5c527f1c1e7e9ebc48e954e69151f2663d252214
  SHA256: c2de58d868977ed4d840df15b6dcbf2da52c9fae35853318fd7d3d21919628a5
  SHA512: f077b606405432552d82d9e0674752e94042530ba1dacf1290cf856743e2393805b3575f8005227a2442ea1111002bf38cd1a50c07d21c9e6cdd20691a59a707