Analysis
- Max time kernel: 150s
- Max time network: 150s
- Platform: windows7_x64
- Resource: win7-20240220-en
- Resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- Submitted: 20-05-2024 04:01
Static task: static1
Behavioral task: behavioral1
- Sample: 5d14531026b8490cbc359238ba824dfa_JaffaCakes118.dll
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: 5d14531026b8490cbc359238ba824dfa_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 5d14531026b8490cbc359238ba824dfa_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 5d14531026b8490cbc359238ba824dfa
- SHA1: 24fdf3e92f949f26cdcc4072874c6270e49ee1e8
- SHA256: 7a3ed2b72925bb270b6fc6e7e35953dc12e51ec52942460b5b5a1230dd017934
- SHA512: 017b5a8d8b6c369886589bff17705c283b6c37bbd08a7d818ef4ccff7380e8f953b3b9ce1a6251f295501258b64173c6d113ce180a8d833d4b7d988dd48cc5fe
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQ43R8yAH1plAH:+DqPoBhz1aRxcSUDkz3R8yAVp2H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3330) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  2128 mssecsvc.exe
  2132 mssecsvc.exe
  2716 tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Process: mssecsvc.exe (registry keys created and values set under \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (pid, process, target process):
  PID 2372 rundll32.exe wrote to memory of PID 1660 rundll32.exe (7 events)
  PID 1660 rundll32.exe wrote to memory of PID 2128 mssecsvc.exe (4 events)
Processes
- C:\Windows\system32\rundll32.exe (PID 2372)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d14531026b8490cbc359238ba824dfa_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1660)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d14531026b8490cbc359238ba824dfa_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2128)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2716)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2132)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: f15f9a2b69b17fad2d08438c1962dc3f
  SHA1: 530d70ec9ee74f4d5020c48bed7c5af271a7cea2
  SHA256: 7b2a82db208fb9721779b5d73b0910400367a97877ea03dc59fe04c6eb76ecde
  SHA512: 1c2f4d1511bf80d660fb5902e2f5f42fd82b5ccf1214f1ba83b7ec1aec15e1afcfc3ab9e3935f82c3c146cf24cdefa63c308a4f59cbd24bf58b5d42679be38c8
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 23b2a05fb0e2bc41386fe290248ab538
  SHA1: 0c73894417c4fed3ba1288f24b52fca954d256bf
  SHA256: b9d207f4c8502a8dfd1cc4b3114639d24eecb955baba2bf4340af2a506b86310
  SHA512: c2be1057ccf59567e1b4fc6d4b207ea396f93c8e9d8d5ced29a1097f18892c6551972f34f984eabad1506c51f9eac08203b7717b1fd77d613e6122e04b0a51e4