Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 18-05-2024 18:16
Static task: static1
Behavioral task: behavioral1
- Sample: 5621542b257455bf2ba19d23dfdf6bd3_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 5621542b257455bf2ba19d23dfdf6bd3_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 5621542b257455bf2ba19d23dfdf6bd3_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 5621542b257455bf2ba19d23dfdf6bd3
- SHA1: ea4919722b8be96a8a47912e1201a8489db1c785
- SHA256: a91088e535cd46cede4684b5b01ab44ae587896515d46f561678e408ff190053
- SHA512: db392c351a1c263dd74d021f33a1b1dca503a449fd156dcf4ea0460545e85573f7c39023f23235b2ee6e2396213b0a15122c1ec95eb2fc58fe098b350688a01f
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9g3R8yAVp2H:+DqPe1Cxcxk3ZAEUaQR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3228) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2084 mssecsvc.exe
    2592 mssecsvc.exe
    2732 tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
    File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc; all entries by mssecsvc.exe):
    Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BCC89E13-FF64-4DDF-B252-239FFBFF2306}\WpadNetworkName = "Network 3"
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-5d-00-22-7a-6f
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BCC89E13-FF64-4DDF-B252-239FFBFF2306}\WpadDecisionReason = "1"
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BCC89E13-FF64-4DDF-B252-239FFBFF2306}\WpadDecisionTime = 605d29804fa9da01
    Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BCC89E13-FF64-4DDF-B252-239FFBFF2306}\WpadDecision = "0"
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-5d-00-22-7a-6f\WpadDecisionTime = 605d29804fa9da01
    Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BCC89E13-FF64-4DDF-B252-239FFBFF2306}
    Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BCC89E13-FF64-4DDF-B252-239FFBFF2306}\da-5d-00-22-7a-6f
    Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-5d-00-22-7a-6f\WpadDecisionReason = "1"
    Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-5d-00-22-7a-6f\WpadDecision = "0"
    Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
    PID 2236 wrote to memory of 2232: rundll32.exe -> rundll32.exe
    PID 2236 wrote to memory of 2232: rundll32.exe -> rundll32.exe
    PID 2236 wrote to memory of 2232: rundll32.exe -> rundll32.exe
    PID 2236 wrote to memory of 2232: rundll32.exe -> rundll32.exe
    PID 2236 wrote to memory of 2232: rundll32.exe -> rundll32.exe
    PID 2236 wrote to memory of 2232: rundll32.exe -> rundll32.exe
    PID 2236 wrote to memory of 2232: rundll32.exe -> rundll32.exe
    PID 2232 wrote to memory of 2084: rundll32.exe -> mssecsvc.exe
    PID 2232 wrote to memory of 2084: rundll32.exe -> mssecsvc.exe
    PID 2232 wrote to memory of 2084: rundll32.exe -> mssecsvc.exe
    PID 2232 wrote to memory of 2084: rundll32.exe -> mssecsvc.exe
Processes (process tree; nesting shows parent/child)
- C:\Windows\system32\rundll32.exe (PID 2236)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5621542b257455bf2ba19d23dfdf6bd3_JaffaCakes118.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2232)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5621542b257455bf2ba19d23dfdf6bd3_JaffaCakes118.dll,#1
    signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2084)
      command line: C:\WINDOWS\mssecsvc.exe
      signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2732)
        command line: C:\WINDOWS\tasksche.exe /i
        signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2592)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 6551c8a27eec3b118704d99bc892daec
  SHA1: c8ed819ac33e1e575f56711bb1991c191fa683fa
  SHA256: f047d312431343223d175ce6ac990704726f5995febc3a4a62f716f8dc4ed016
  SHA512: aa3d151b43a477057ffeb0c38ebd9c959e97769dabb5ac7a81485da4f3a8bae0d79ab174bc42314a629a101f07bb812630421236a804136ee08ba77bfb784894
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: a1b0a61927bb5a5a0386fad639db7ff8
  SHA1: a6c328d2096e9e0832f6eb1029a0e432c373f3bf
  SHA256: 74abc3f0879a0234bbddb17b84839c5a8d993bdd04a21ac5c6ffd2f035a07c7e
  SHA512: 843ffb4403e53a9476f065bfa22fff023cf06a61bae76606f993f38755e12dd9d989fb38f0b1ea2cfec352e59a02a28332ad1bacc56e819dd7eb688a42c30d85