Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 20-05-2024 23:20
Static task: static1
Behavioral task: behavioral1
  Sample: 61465c15986aed38bf65441bf98c3648_JaffaCakes118.dll
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 61465c15986aed38bf65441bf98c3648_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 61465c15986aed38bf65441bf98c3648_JaffaCakes118.dll
Size: 5.0MB
MD5: 61465c15986aed38bf65441bf98c3648
SHA1: 063ad2bc8a7016d83f3754cb4f298d1392c64b88
SHA256: 4f2295253243f67e9d4cae7499c51a7eeec879aa4b787f6e3ef47b45602b15d4
SHA512: 827ba0bbc83c1fa3bac0092a95758ec8131fee2455bc96a2dd30e41f5a52482caecbea5f064f02c802ce77b2a6d810a27dbce77c5b4c822c7663f74cf0d4ce62
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAVAMEcaEau3R8yA:+DqPoBhz1aRxcSUDk36SAC593R8yA
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.
Contacts a large number (3247) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
  PID   Process
  2588  mssecsvc.exe
  2908  mssecsvc.exe
  2764  tasksche.exe
Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
Modifies data under HKEY_USERS (24 IoCs, all by mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A69448D8-17AD-442B-A3B1-F36838272CA0}\WpadNetworkName = "Network 3"
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f005a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A69448D8-17AD-442B-A3B1-F36838272CA0}
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A69448D8-17AD-442B-A3B1-F36838272CA0}\WpadDecision = "0"
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-75-a8-fb-31-e5
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-75-a8-fb-31-e5\WpadDecision = "0"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A69448D8-17AD-442B-A3B1-F36838272CA0}\WpadDecisionReason = "1"
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A69448D8-17AD-442B-A3B1-F36838272CA0}\ee-75-a8-fb-31-e5
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-75-a8-fb-31-e5\WpadDecisionReason = "1"
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A69448D8-17AD-442B-A3B1-F36838272CA0}\WpadDecisionTime = e018775b0cabda01
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-75-a8-fb-31-e5\WpadDecisionTime = e018775b0cabda01
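A reading of these registry entries, as an added editor's note with example code (not part of the sandbox report): every entry sits under HKEY_USERS\.DEFAULT, the hive a process running as LocalSystem sees as its user profile, which fits the counters.dat write under C:\Windows\SysWOW64\config\systemprofile by the same mssecsvc.exe instance (PID 2908). The Wpad, ZoneMap and Connections values are the WinINet proxy-autodetection state that any process making its first WinINet request in that profile leaves behind, so they are a side effect of the worm's network activity rather than WannaCry-specific persistence, and the {A69448D8-...} and ee-75-a8-fb-31-e5 subkey names identify the sandbox's network adapter and are environment-specific. Two values are worth decoding when reading such a report: WpadDecisionTime is a little-endian FILETIME, and the Connections blobs start with a WinINet per-connection header (version, change counter, proxy-type flags). The script below decodes both; it assumes the standard FILETIME epoch and the INTERNET_PER_CONN proxy flag bits (DIRECT=1, PROXY=2, AUTO_PROXY_URL=4, AUTO_DETECT=8) and does not parse the blob beyond its first twelve bytes.

```python
import struct
from datetime import datetime, timedelta, timezone

# Values copied from the HKEY_USERS\.DEFAULT entries above (hex, little-endian as stored).
WPAD_DECISION_TIME = "e018775b0cabda01"
SAVED_LEGACY_SETTINGS = "4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
# First 12 bytes of the longer DefaultConnectionSettings blob above.
DEFAULT_CONNECTION_SETTINGS_HEADER = "460000000300000009000000"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# WinINet INTERNET_PER_CONN_FLAGS bits (assumed to be the standard values).
PROXY_FLAG_BITS = {0x1: "DIRECT", 0x2: "PROXY", 0x4: "AUTO_PROXY_URL", 0x8: "AUTO_DETECT"}


def filetime_to_datetime(le_hex: str) -> datetime:
    """Decode a little-endian 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    (ticks,) = struct.unpack("<Q", bytes.fromhex(le_hex))
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_connection_settings(le_hex: str) -> dict:
    """Parse the 12-byte header of a WinINet Connections blob:
    version (0x46 = 70), change counter, proxy-type flags.
    The remainder (proxy, bypass and PAC strings) is left undecoded."""
    version, counter, flags = struct.unpack("<III", bytes.fromhex(le_hex[:24]))
    return {
        "version": version,
        "counter": counter,
        "flags": flags,
        "proxy_types": [name for bit, name in PROXY_FLAG_BITS.items() if flags & bit],
    }


def decode_report_values() -> dict:
    """Decode the values copied from this report in one call."""
    return {
        "WpadDecisionTime": filetime_to_datetime(WPAD_DECISION_TIME).isoformat(),
        "SavedLegacySettings": parse_connection_settings(SAVED_LEGACY_SETTINGS),
        "DefaultConnectionSettings": parse_connection_settings(DEFAULT_CONNECTION_SETTINGS_HEADER),
    }


if __name__ == "__main__":
    for name, value in decode_report_values().items():
        print(f"{name}: {value}")
```

Decoded, WpadDecisionTime is 2024-05-20 23:20:52 UTC, which lines up with the submission time at the top of the report, and both Connections blobs carry flags 0x09 (DIRECT and AUTO_DETECT) with ProxyEnable = 0: no proxy configured, autodetection attempted. The two DefaultConnectionSettings writes differ only in the change counter (2, then 3), i.e. the value was rewritten once.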
Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2984 (rundll32.exe) wrote to memory of PID 2916 (rundll32.exe)   (7 events)
  PID 2916 (rundll32.exe) wrote to memory of PID 2588 (mssecsvc.exe)   (4 events)
Processes
C:\Windows\system32\rundll32.exe (PID 2984)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\61465c15986aed38bf65441bf98c3648_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  └ C:\Windows\SysWOW64\rundll32.exe (PID 2916)
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\61465c15986aed38bf65441bf98c3648_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      └ C:\WINDOWS\mssecsvc.exe (PID 2588)
          C:\WINDOWS\mssecsvc.exe
          - Executes dropped EXE
          - Drops file in Windows directory
          └ C:\WINDOWS\tasksche.exe (PID 2764)
              C:\WINDOWS\tasksche.exe /i
              - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe (PID 2908)
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

Reading the tree: the 64-bit rundll32.exe in system32 hands the DLL off to the 32-bit copy in SysWOW64, so the sample is an x86 DLL (consistent with the arch:x86 resource tag), and the export invoked is ordinal #1. The "-m security" instance of mssecsvc.exe (PID 2908) is a separate root, not a child of the dropper chain, and it is the instance that performs the System32 write and the HKEY_USERS changes.
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 444e929c2a2e2a97edcdef0366166ce7
  SHA1: dda57fa54b57647b28f75ae1f79909d46f89dc5a
  SHA256: c8c741994708d0f885abc522d641c6bb32bb7b165456ed6b93878c1ec478aa32
  SHA512: d3395995c59700005559cb220c1cd140d5d615c90fc540082340331f3a096a7592c6ea3e106371b6fc9815b37cf5f0ee674df4efafac5507340b826fd542fdd3
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: f18d289a378f3471a464ce5bf46ab1d6
  SHA1: c038949783e280f19417dc0fbf0d21d85c7190b2
  SHA256: d6340bc710447a62e57183f27f4f1f13c73803f7a6664509b8559e0358cad038
  SHA512: 18107d6d62107857311f7c3646c1f28bc447c13cbd2f208cb56155af99bfad380a1c43380b42a652f236a9445adde8a6b35441a03fb97eaca173812e03f9f3cd
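To turn the process tree and the dropped-file hashes in this report into something a responder can run against endpoint telemetry, here is an added example (editor's code, not part of the sandbox report and not tooling from the sandbox vendor). It scans process-creation events of the kind Sysmon or an EDR emits for four indicators taken from the report: the two dropped-file MD5s, the rundll32.exe -> rundll32.exe -> mssecsvc.exe -> tasksche.exe parent/child chain, the "mssecsvc.exe -m security" launch, and rundll32.exe loading an ordinal export from a DLL under AppData\Local\Temp. The event records are constructed for illustration; the PIDs, paths and command lines mirror the report, while the parent of the service instance (488), the parent of the first rundll32 (1234) and the benign notepad.exe entry are invented.

```python
from dataclasses import dataclass
from typing import Dict, List

# Indicators copied from the report: MD5s of the two dropped files (Downloads section)
# and the parent -> child image pairs that make up the process tree.
DROPPED_MD5 = {
    "444e929c2a2e2a97edcdef0366166ce7": r"C:\Windows\mssecsvc.exe",
    "f18d289a378f3471a464ce5bf46ab1d6": r"C:\Windows\tasksche.exe",
}
CHAIN_PAIRS = {
    ("rundll32.exe", "rundll32.exe"),   # 64-bit rundll32 re-launching the WOW64 copy
    ("rundll32.exe", "mssecsvc.exe"),   # dropper starting the worm component
    ("mssecsvc.exe", "tasksche.exe"),   # worm component starting tasksche.exe /i
}


@dataclass
class ProcEvent:
    """One process-creation event; md5 is the image hash as Sysmon/EDR would report it."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    md5: str = ""


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(events: List[ProcEvent]) -> Dict[str, list]:
    """Return every indicator hit, keyed by indicator type."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[str, list] = {"dropped_hash": [], "chain": [], "service_start": [], "rundll32_temp_dll": []}
    for e in events:
        name = basename(e.image)
        if e.md5.lower() in DROPPED_MD5:
            hits["dropped_hash"].append((e.pid, e.image, e.md5.lower()))
        parent = by_pid.get(e.ppid)
        if parent is not None and (basename(parent.image), name) in CHAIN_PAIRS:
            hits["chain"].append((e.ppid, basename(parent.image), e.pid, name))
        cl = e.cmdline.lower()
        if name == "mssecsvc.exe" and cl.endswith("-m security"):
            hits["service_start"].append(e.pid)
        # rundll32 invoking an export by ordinal (",#N") from a DLL in the user's Temp directory
        if name == "rundll32.exe" and "\\appdata\\local\\temp\\" in cl and ",#" in cl:
            hits["rundll32_temp_dll"].append(e.pid)
    return hits


def is_wannacry_like(hits: Dict[str, list]) -> bool:
    """A dropped-file hash match is conclusive; otherwise require all three chain links."""
    return bool(hits["dropped_hash"]) or len(hits["chain"]) >= 3


# Constructed sample events mirroring the report's process tree.
DLL = r"C:\Users\Admin\AppData\Local\Temp\61465c15986aed38bf65441bf98c3648_JaffaCakes118.dll"
SAMPLE_EVENTS = [
    ProcEvent(2984, 1234, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(2916, 2984, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    ProcEvent(2588, 2916, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe",
              "444e929c2a2e2a97edcdef0366166ce7"),
    ProcEvent(2764, 2588, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i",
              "f18d289a378f3471a464ce5bf46ab1d6"),
    ProcEvent(2908, 488, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security",
              "444e929c2a2e2a97edcdef0366166ce7"),
    ProcEvent(3000, 1234, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign control
]

if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("wannacry-like:", is_wannacry_like(result))
```

The hash check is the only indicator that is specific to this sample; the chain, the "-m security" argument and the Temp-DLL ordinal call are behavioural and will fire on other WannaCry builds (and, for the rundll32 heuristic, on unrelated droppers), which is why the verdict treats them as corroborating rather than conclusive. Sysmon-derived hashes on a real host would be keyed by the hash algorithms configured there, so match on whatever field the telemetry actually carries.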