Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 19-05-2024 05:05
Static task: static1
Behavioral task: behavioral1
- Sample: 58af0714731eac2a433d683ea673378a_JaffaCakes118.dll
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 58af0714731eac2a433d683ea673378a_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 58af0714731eac2a433d683ea673378a_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 58af0714731eac2a433d683ea673378a
- SHA1: 01958036854f3f55716971d09d8809c380d4ba8e
- SHA256: 41a83dd328f86adcaa3c24ea9ca0f3f8254ebff3bf143ae050c43f1eec77bea7
- SHA512: a96afe040d8add23aa13d4f949b3dd206ece6c062ef1fc711ac360a6c9c31cebb240aeb362cce4c7a38e782f7cff713bc905eca6ed95e5beaa0279520cbb2992
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0QeQjGvk+RdhAdmv1LJMfcH9PO6L:SnAQqMSPbcBVQejPRdhnvxJM0H9
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2919) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
    2436  mssecsvc.exe
    2696  mssecsvc.exe
    2740  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes (description, ioc, process):
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: all 24 entries below were made by mssecsvc.exe (description, ioc)
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0031000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9A29B2ED-1562-4373-9DEC-E6F33554AD41}\WpadDecisionReason = "1"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-13-bd-1f-4c-7f
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-13-bd-1f-4c-7f\WpadDecision = "0"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9A29B2ED-1562-4373-9DEC-E6F33554AD41}\WpadNetworkName = "Network 3"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9A29B2ED-1562-4373-9DEC-E6F33554AD41}\WpadDecision = "0"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9A29B2ED-1562-4373-9DEC-E6F33554AD41}
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9A29B2ED-1562-4373-9DEC-E6F33554AD41}\WpadDecisionTime = 10a94d41aaa9da01
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9A29B2ED-1562-4373-9DEC-E6F33554AD41}\7e-13-bd-1f-4c-7f
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-13-bd-1f-4c-7f\WpadDecisionReason = "1"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-13-bd-1f-4c-7f\WpadDecisionTime = 10a94d41aaa9da01
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (pid, process -> target pid, target process):
    1988 rundll32.exe wrote to memory of 2668 rundll32.exe   (7 events)
    2668 rundll32.exe wrote to memory of 2436 mssecsvc.exe   (4 events)
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\58af0714731eac2a433d683ea673378a_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\58af0714731eac2a433d683ea673378a_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (depth 1, separate tree root)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
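The process tree and the dropped-file hashes above are enough to write a small detection pass over endpoint telemetry. The block below is an added example written for this page, not code from the sandbox or from the sample; it replays constructed process-creation and file-creation events that mirror the report's tree and flags the three behaviours the tree shows: rundll32.exe calling a DLL export by ordinal (`,#1`) and spawning a fresh executable directly under C:\Windows, the `mssecsvc.exe -m security` instance that appears as a separate tree root, and `tasksche.exe /i`. PIDs 1988 and 2668 are taken from the WriteProcessMemory table and 2436, 2696 and 2740 from "Executes dropped EXE"; the assignment of 2696 to the `-m security` instance and the parent PID 0 for both tree roots are assumptions (the report does not record a parent for them). The dropped-file SHA256 values come from the Downloads section; the decoy file-creation event with an all-zero hash is constructed.

```python
"""Detection pass over process-creation and file-creation events for the chain
this report shows: rundll32 ordinal export -> mssecsvc.exe -> tasksche.exe, plus
the separate 'mssecsvc.exe -m security' instance. Added example, not report code."""
import re
from dataclasses import dataclass

# SHA256 of the dropped files, taken from the report's Downloads section.
DROPPED_SHA256 = {
    "mssecsvc.exe": "5ef98abc329cca92d972cc9d7fef49bd762f07631b8f3bb0183df4bfb3ef57ec",
    "tasksche.exe": "5ce4b39b9488fae92e80f3b16f04f5a793da55af1e617fd83747b2ced32efcb1",
}

DLL = r"C:\Users\Admin\AppData\Local\Temp\58af0714731eac2a433d683ea673378a_JaffaCakes118.dll"


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int      # 0 = parent not recorded in the report (assumption)
    image: str
    cmdline: str


# Constructed process-creation events mirroring the report's process tree.
# PIDs 1988/2668 from the WriteProcessMemory table, 2436/2696/2740 from
# "Executes dropped EXE"; 2696 as the '-m security' instance is assumed.
PROC_EVENTS = [
    ProcEvent(1988, 0,    r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(2668, 1988, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(2436, 2668, r"C:\WINDOWS\mssecsvc.exe",          r"C:\WINDOWS\mssecsvc.exe"),
    ProcEvent(2740, 2436, r"C:\WINDOWS\tasksche.exe",          r"C:\WINDOWS\tasksche.exe /i"),
    ProcEvent(2696, 0,    r"C:\WINDOWS\mssecsvc.exe",          r"C:\WINDOWS\mssecsvc.exe -m security"),
]

# Constructed file-creation events: the two drops from the report plus a decoy
# with a made-up hash, to show the check keys on content, not on file name.
FILE_EVENTS = [
    (r"C:\Windows\mssecsvc.exe", DROPPED_SHA256["mssecsvc.exe"]),
    (r"C:\Windows\tasksche.exe", DROPPED_SHA256["tasksche.exe"]),
    (r"C:\Windows\mssecsvc.exe", "00" * 32),   # same name, different content
]

ORDINAL_EXPORT = re.compile(r",#\d+\s*$")   # rundll32 <dll>,#<ordinal>


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_windows_root(image: str) -> bool:
    """True for C:\\Windows\\<file>; False for System32/SysWOW64 subdirectories."""
    parts = image.lower().split("\\")
    return len(parts) == 3 and parts[0] == "c:" and parts[1] == "windows"


def detect(events):
    """Return (rule, pid) findings for the behaviours the report's tree shows."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Rule 1: rundll32 invoking a DLL export by ordinal spawns an executable
        # directly under C:\Windows (the dropped mssecsvc.exe in this report).
        if (parent is not None
                and basename(parent.image) == "rundll32.exe"
                and ORDINAL_EXPORT.search(parent.cmdline)
                and in_windows_root(e.image)):
            findings.append(("rundll32_ordinal_export_spawns_windows_root_exe", e.pid))
        # Rule 2: mssecsvc.exe launched with '-m security' (separate tree root).
        if basename(e.image) == "mssecsvc.exe" and "-m security" in e.cmdline.lower():
            findings.append(("mssecsvc_service_mode", e.pid))
        # Rule 3: tasksche.exe started with the /i switch.
        if basename(e.image) == "tasksche.exe" and e.cmdline.lower().rstrip().endswith(" /i"):
            findings.append(("tasksche_install_switch", e.pid))
    return findings


def match_dropped_hashes(file_events):
    """Return (name, sha256) pairs whose content hash matches a dropped file."""
    return [(basename(p), h.lower()) for p, h in file_events
            if DROPPED_SHA256.get(basename(p)) == h.lower()]


if __name__ == "__main__":
    for rule, pid in detect(PROC_EVENTS):
        print(f"{rule}: pid {pid}")
    for name, sha in match_dropped_hashes(FILE_EVENTS):
        print(f"dropped file hash match: {name} {sha}")
```

Rule 1 deliberately keys on the parent's command line rather than the child's name, so it still fires if the dropped binary is renamed; the hash check is the complement, firing on content regardless of path. On real telemetry, replace the constructed lists with Sysmon event ID 1 (process create) and event ID 11 or 15 (file create / file stream hash) records carrying the same fields.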
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: e6491d1e0a1f4922c34749ed8a5758bc
  SHA1: 94726f4af6cf955da96b5888df5605adcefb6aa3
  SHA256: 5ef98abc329cca92d972cc9d7fef49bd762f07631b8f3bb0183df4bfb3ef57ec
  SHA512: 6beee0559bf6e8a61fa14bf1ada2d8e69ea1dafc8e427ebfea6283130cd09ac4829fe044eead7faaea6890e36c14943aabb4c91453a4c1b0ddf7699254feb12a
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 5deb876be3170add4404bb31f0804fd4
  SHA1: 1efd4ca4c0ce81e8c91aaed9488331add0564b11
  SHA256: 5ce4b39b9488fae92e80f3b16f04f5a793da55af1e617fd83747b2ced32efcb1
  SHA512: 102256e3b59d08db64d240d969498ab1b55e092953ffee0e2ad1ea5554f7676eee620bf99f991040e8895eed93883a05beb70e4531fb6ec85f63dd7845b6691b