Resubmissions
18-05-2024 08:15  240518-j5t3lsbc4v  10
18-05-2024 07:00  240518-hstqmsgg9w  10
18-05-2024 06:28  240518-g8smvafg7y  10
Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 18-05-2024 06:28
Static task: static1
Behavioral task: behavioral1
  Sample: 53606881d4f8b4934c5ade1947e88bc9_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 53606881d4f8b4934c5ade1947e88bc9_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 53606881d4f8b4934c5ade1947e88bc9_JaffaCakes118.dll
Size: 5.0MB
MD5: 53606881d4f8b4934c5ade1947e88bc9
SHA1: 5588e92d9be1ced63f3f9c6514a1a4a0ed90995e
SHA256: 554f9a45ff13004de1e16fab4be1e467374f940a963cc9ce65d2906f0c54857a
SHA512: d431c39be859d8ce73c2e12a5cbf6d538540fdb9811b85cc65fde9bb2e3336ab3af5e80f6cf77c10a768e3f45cc8b699980f9a04bb909c3238be5d0ad853948e
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9yLGp2H:+DqPe1Cxcxk3ZAEUaYS4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3276) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  PID 2052  mssecsvc.exe
  PID 2528  mssecsvc.exe
  PID 2516  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1667C4C5-2195-4321-B2B1-D0DFAF127C5B}\WpadDecisionReason = "1" (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1667C4C5-2195-4321-B2B1-D0DFAF127C5B}\WpadDecisionTime = 805684abeca8da01 (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-64-5f-e0-ef-60 (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1667C4C5-2195-4321-B2B1-D0DFAF127C5B}\4e-64-5f-e0-ef-60 (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1667C4C5-2195-4321-B2B1-D0DFAF127C5B} (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1667C4C5-2195-4321-B2B1-D0DFAF127C5B}\WpadDecision = "0" (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1667C4C5-2195-4321-B2B1-D0DFAF127C5B}\WpadNetworkName = "Network 3" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-64-5f-e0-ef-60\WpadDecisionReason = "1" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-64-5f-e0-ef-60\WpadDecisionTime = 805684abeca8da01 (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4e-64-5f-e0-ef-60\WpadDecision = "0" (mssecsvc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  PID 2224 (rundll32.exe) wrote to memory of 1900 (rundll32.exe)
  PID 2224 (rundll32.exe) wrote to memory of 1900 (rundll32.exe)
  PID 2224 (rundll32.exe) wrote to memory of 1900 (rundll32.exe)
  PID 2224 (rundll32.exe) wrote to memory of 1900 (rundll32.exe)
  PID 2224 (rundll32.exe) wrote to memory of 1900 (rundll32.exe)
  PID 2224 (rundll32.exe) wrote to memory of 1900 (rundll32.exe)
  PID 2224 (rundll32.exe) wrote to memory of 1900 (rundll32.exe)
  PID 1900 (rundll32.exe) wrote to memory of 2052 (mssecsvc.exe)
  PID 1900 (rundll32.exe) wrote to memory of 2052 (mssecsvc.exe)
  PID 1900 (rundll32.exe) wrote to memory of 2052 (mssecsvc.exe)
  PID 1900 (rundll32.exe) wrote to memory of 2052 (mssecsvc.exe)
Processes
- C:\Windows\system32\rundll32.exe (PID 2224)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\53606881d4f8b4934c5ade1947e88bc9_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1900)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\53606881d4f8b4934c5ade1947e88bc9_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2052)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2516)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2528)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 73d70a80e0c6e1e48ea11b3d8a8a1751
  SHA1: 324859b5d9375d54f04f71ca57f6b40da225698b
  SHA256: 6c625b9cc9f1b30cfd2353788bb6c602f06f5367335e7ca08ddbd3a8a9367cd8
  SHA512: 74836df0c9c76fdafe7bd88064d36d3755db1362e20e54f905597a7886ac6d552659aadf2bb5358913ce08e5d983f46b32f442169f00746f2d29160f59e667f1
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: c78dc18cb700bf44bda65f0c034d5ba0
  SHA1: f31459a361538232d6bb782242288cb731641acf
  SHA256: 7e5dfaf660b26409f5359a6ca7b7ffe682c6d9c9b5a74fa889974291e933ae0b
  SHA512: e1e5c95bc66c13949b871c06bf40cc82793b9a4dd570212f336101742c7994aa5cc559e33fea1425a395207d0d82df6bc155db773a178c5b3afb94df54ad79d4