Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 18-05-2024 12:45
Static task: static1
Behavioral task: behavioral1
- Sample: 54c48809de13c43efc75791debe5955c_JaffaCakes118.dll
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 54c48809de13c43efc75791debe5955c_JaffaCakes118.dll
- Resource: win10v2004-20240226-en
General
- Target: 54c48809de13c43efc75791debe5955c_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 54c48809de13c43efc75791debe5955c
- SHA1: 29fb15e99dd61101470cb837c06bbd15796e2969
- SHA256: 3e5c35fca4c6ab1655e58e7ba76aa2a250254009a256cdaf4c5964b112f46287
- SHA512: 51d3ca0f14ca9a1722713010e22d1e5e5a18790cbb5832366e6498e5570b734c290d21fd3d62ec23292e8e18f17cf56efcef3ccf231ad2d2c63d02d7af2c76a4
- SSDEEP: 98304:+DqPoBhz1aRxcSUDkvEdhvxWa9P593R8yAVp2H:+DqPe1CxcxkvEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3318) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2800  mssecsvc.exe
    2620  mssecsvc.exe
    2676  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc, process), all by mssecsvc.exe:
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0129000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68E32004-5BEC-4518-8DDA-ED862D5244D0}\WpadDecision = "0"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68E32004-5BEC-4518-8DDA-ED862D5244D0}\86-f5-5c-3c-58-cb
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-f5-5c-3c-58-cb\WpadDecisionTime = e069825521a9da01
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68E32004-5BEC-4518-8DDA-ED862D5244D0}\WpadDecisionTime = e069825521a9da01
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68E32004-5BEC-4518-8DDA-ED862D5244D0}
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68E32004-5BEC-4518-8DDA-ED862D5244D0}\WpadNetworkName = "Network 3"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{68E32004-5BEC-4518-8DDA-ED862D5244D0}\WpadDecisionReason = "1"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-f5-5c-3c-58-cb
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-f5-5c-3c-58-cb\WpadDecisionReason = "1"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\86-f5-5c-3c-58-cb\WpadDecision = "0"
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 2916 wrote to memory of 2132  2916  rundll32.exe  rundll32.exe
    PID 2916 wrote to memory of 2132  2916  rundll32.exe  rundll32.exe
    PID 2916 wrote to memory of 2132  2916  rundll32.exe  rundll32.exe
    PID 2916 wrote to memory of 2132  2916  rundll32.exe  rundll32.exe
    PID 2916 wrote to memory of 2132  2916  rundll32.exe  rundll32.exe
    PID 2916 wrote to memory of 2132  2916  rundll32.exe  rundll32.exe
    PID 2916 wrote to memory of 2132  2916  rundll32.exe  rundll32.exe
    PID 2132 wrote to memory of 2800  2132  rundll32.exe  mssecsvc.exe
    PID 2132 wrote to memory of 2800  2132  rundll32.exe  mssecsvc.exe
    PID 2132 wrote to memory of 2800  2132  rundll32.exe  mssecsvc.exe
    PID 2132 wrote to memory of 2800  2132  rundll32.exe  mssecsvc.exe
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\54c48809de13c43efc75791debe5955c_JaffaCakes118.dll,#1
  PID: 2916
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\54c48809de13c43efc75791debe5955c_JaffaCakes118.dll,#1
    PID: 2132
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2800
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2676
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2620
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e8de8210a18474609a2c1cb8d3478e8e
  SHA1: 0ca4c288766ffe7d781eb614dfa0749d83309119
  SHA256: 1421834d975473ef9e32bc6a0f3390b85eb2ad94394862f2ecbcc0afa902de9e
  SHA512: 68d2f2eeb9902616e33c4355ef4fcdc90e3dda692cb1c0b81259dae4401ac66bbd52865222731ce3557f27c1862f30eb4546023e349347e8ee01dff62be8bfdd
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: b2f70a339fff3f13cc4f4689f5c6f0fb
  SHA1: 4a3a2fa748cdb3e848ad2b86d39fcc3422363d93
  SHA256: 005b069f3c712cb6df1bbe0e6301266c71e40634816bf7fe292f137785f81ec3
  SHA512: 46de40699aeae6afbc4a11de30b3dea3d2ca78c76ceff19ad401729b204970e85909430cb099603fdc50d545b1c2c73fc66d43214a47f505db6cee96f53f4382