Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
19-05-2024 23:23
Static task
static1
Behavioral task
behavioral1
Sample
5c050085a1d97d84dd083ffe5c16b997_JaffaCakes118.dll
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
5c050085a1d97d84dd083ffe5c16b997_JaffaCakes118.dll
Resource
win10v2004-20240426-en
General
-
Target
5c050085a1d97d84dd083ffe5c16b997_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
5c050085a1d97d84dd083ffe5c16b997
-
SHA1
46bac5bebecdd5844458e53360d89f5b22ad181f
-
SHA256
83c4acbb1e62f954e10aafea37f7836a584105232ffc50b6b0ba6f0763ec2a17
-
SHA512
b94be49e7ad09ff9fd56dfb5540439340d4b0fc8150ca01d87726d1bf0f2f632d560db5d2945bcd36cd59c27d1123280545d419a27150aeafb3cb9abba3fbde8
-
SSDEEP
12288:yebLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcFIwFg:zbLgddQhfdmMSirYFIwF
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3308) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1952 mssecsvc.exe 2656 mssecsvc.exe 2744 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadDecisionTime = c07f80a243aada01 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\52-a4-6c-d2-f4-72 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0026000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{BBA010D1-6925-4011-A9BE-2F3BBC9AB011}\WpadDecision = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDecisionTime = c07f80a243aada01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72\WpadDecision = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a4-6c-d2-f4-72 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2284 wrote to memory of 2084 2284 rundll32.exe rundll32.exe PID 2284 wrote to memory of 2084 2284 rundll32.exe rundll32.exe PID 2284 wrote to memory of 2084 2284 rundll32.exe rundll32.exe PID 2284 wrote to memory of 2084 2284 rundll32.exe rundll32.exe PID 2284 wrote to memory of 2084 2284 rundll32.exe rundll32.exe PID 2284 wrote to memory of 2084 2284 rundll32.exe rundll32.exe PID 2284 wrote to memory of 2084 2284 rundll32.exe rundll32.exe PID 2084 wrote to memory of 1952 2084 rundll32.exe mssecsvc.exe PID 2084 wrote to memory of 1952 2084 rundll32.exe mssecsvc.exe PID 2084 wrote to memory of 1952 2084 rundll32.exe mssecsvc.exe PID 2084 wrote to memory of 1952 2084 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5c050085a1d97d84dd083ffe5c16b997_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\5c050085a1d97d84dd083ffe5c16b997_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1952 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2744
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2656
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5e7c925d0f586c99459f9c5f893adbfd7
SHA17012330e0a36680ee9519a4aee6bee07e1ca58bd
SHA25692844da713b6f306acb5878e9aff5dce01c06b0da71d09657744831fb4cd8c4c
SHA512e46143f500dee1c4e10ae8bdda2cfeec01985b553debf20234c96fd33ad07907e7321e92e46ffb088f16e336bf67d54612b5a56be047a2ecf0fa3dc602569721
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD53650c304c460b4f34c814c927085dcc6
SHA100c6dc1a4bed5c23ffafb3d920594a6715de142d
SHA2567736edf6e9a464c5bd0f216f6421ee2d383199a3945a0a0d2fdb070b7a6de90a
SHA512c4959107bdce40d5750e421e0e7f42383282e77476e570b246433bc8c370eb943bc5a58ab1dc4986cb1ff792ffa1df84df472ae6322628712a4bc9d12fbcb54b