Analysis

max time kernel: 150s
max time network: 154s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 24-05-2024 20:03
Static task: static1

Behavioral task: behavioral1
Sample: 6fafd1f7b3289ede91714a119c02a386_JaffaCakes118.dll
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 6fafd1f7b3289ede91714a119c02a386_JaffaCakes118.dll
Resource: win10v2004-20240508-en
General

Target: 6fafd1f7b3289ede91714a119c02a386_JaffaCakes118.dll
Size: 5.0MB
MD5: 6fafd1f7b3289ede91714a119c02a386
SHA1: 61adc5243ac6caa38c7f440128dbc79cff910124
SHA256: 4480e10e9512610c2f107b6ec9b2eca9942cf2bc65548ae35d6b015573359093
SHA512: f21dc56ee45775fd0de36cfd668a8d70093106834c182b260479941f34ca944ddd8477f85fe8f4f8f740d4fb2960e884544c49d498843fd539d40a22bc039616
SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp28:TDqPe1Cxcxk3ZAEUadzR8yc48
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large number (3192) of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
PID   Process
1684  mssecsvc.exe
1612  mssecsvc.exe
1956  tasksche.exe

Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Drops file in System32 directory (1 IoC)
Description                   IoC                                                                                                             Process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe

Drops file in Windows directory (2 IoCs)
Description   IoC                      Process
File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
Modifies data under HKEY_USERS (24 IoCs)
All 24 entries are written by mssecsvc.exe under the .DEFAULT user hive. They are the WinINet proxy auto-detection (WPAD), connection-settings and cache-prefix values that Windows itself creates when a process running as LocalSystem issues an HTTP request through WinINet; they are a side effect of the service's network activity, not a persistence mechanism, and on their own are a weak indicator.

In the table, IS stands for \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings.

Description       IoC                                                                                              Process
Key created       IS                                                                                               mssecsvc.exe
Key created       IS\ZoneMap\                                                                                      mssecsvc.exe
Set value (data)  IS\Wpad\{393578DA-4BD2-4131-B9A6-26075EF3E721}\WpadDecisionTime = 3091957c15aeda01              mssecsvc.exe
Key created       IS\Wpad\be-1c-77-23-85-b9                                                                        mssecsvc.exe
Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings              mssecsvc.exe
Set value (str)   IS\5.0\Cache\Content\CachePrefix (empty)                                                         mssecsvc.exe
Key created       IS\Wpad                                                                                          mssecsvc.exe
Set value (data)  IS\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0089000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
Set value (str)   IS\Wpad\{393578DA-4BD2-4131-B9A6-26075EF3E721}\WpadNetworkName = "Network 3"                     mssecsvc.exe
Set value (int)   IS\ZoneMap\UNCAsIntranet = "0"                                                                   mssecsvc.exe
Set value (str)   IS\5.0\Cache\Cookies\CachePrefix = "Cookie:"                                                     mssecsvc.exe
Key created       IS\Wpad\{393578DA-4BD2-4131-B9A6-26075EF3E721}                                                   mssecsvc.exe
Set value (int)   IS\Wpad\{393578DA-4BD2-4131-B9A6-26075EF3E721}\WpadDecisionReason = "1"                          mssecsvc.exe
Key created       IS\Wpad\{393578DA-4BD2-4131-B9A6-26075EF3E721}\be-1c-77-23-85-b9                                 mssecsvc.exe
Set value (int)   IS\Wpad\be-1c-77-23-85-b9\WpadDecisionReason = "1"                                               mssecsvc.exe
Set value (int)   IS\Wpad\be-1c-77-23-85-b9\WpadDecision = "0"                                                     mssecsvc.exe
Key created       IS\Connections                                                                                   mssecsvc.exe
Set value (int)   IS\ProxyEnable = "0"                                                                             mssecsvc.exe
Set value (data)  IS\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
Set value (int)   IS\ZoneMap\AutoDetect = "1"                                                                      mssecsvc.exe
Set value (str)   IS\5.0\Cache\History\CachePrefix = "Visited:"                                                    mssecsvc.exe
Set value (int)   IS\Wpad\{393578DA-4BD2-4131-B9A6-26075EF3E721}\WpadDecision = "0"                                mssecsvc.exe
Set value (data)  IS\Wpad\be-1c-77-23-85-b9\WpadDecisionTime = 3091957c15aeda01                                   mssecsvc.exe
Set value (data)  IS\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Source PID  Source process  Target PID  Target process  Events
2228        rundll32.exe    1776        rundll32.exe    7
1776        rundll32.exe    1684        mssecsvc.exe    4
Processes

PIDs are taken from the Executes dropped EXE and WriteProcessMemory signatures above. The 64-bit C:\Windows\system32\rundll32.exe re-launches the 32-bit C:\Windows\SysWOW64\rundll32.exe, which indicates the DLL is 32-bit; the seven rundll32-to-rundll32 WriteProcessMemory events are that WOW64 handoff, and the four rundll32-to-mssecsvc.exe events are the launch of the dropped binary.

1. C:\Windows\system32\rundll32.exe (PID 2228)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fafd1f7b3289ede91714a119c02a386_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1776)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\6fafd1f7b3289ede91714a119c02a386_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\WINDOWS\mssecsvc.exe (PID 1684)
         Command line: C:\WINDOWS\mssecsvc.exe
         - Executes dropped EXE
         - Drops file in Windows directory
         4. C:\WINDOWS\tasksche.exe (PID 1956)
            Command line: C:\WINDOWS\tasksche.exe /i
            - Executes dropped EXE

1. C:\WINDOWS\mssecsvc.exe (PID 1612)
   Command line: C:\WINDOWS\mssecsvc.exe -m security
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies data under HKEY_USERS
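The process tree and signatures above are the kind of chain a detection engineer would want to match in endpoint telemetry rather than by hash alone. The following is an added example (not part of the sandbox report or the sample) of detection logic run over constructed events that mirror the tree: rundll32 loading a DLL from the user's Temp directory, the mssecsvc.exe and tasksche.exe drops under C:\WINDOWS, the "-m security" service launch, and a burst of connections to thousands of distinct hosts. The event schema, the 1000-host alerting threshold and the 10.x.x.x destination addresses are assumptions made for the example; the paths, PIDs, command lines and SHA256 values come from this page.

```python
"""Detection logic for the behaviour chain in this report.

Added example for this page; SAMPLE_EVENTS is constructed to mirror the
report's process tree and signatures and is not a sandbox export.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# File-drop indicators from the "Drops file in Windows directory" signature.
DROPPED_PATHS = {r"c:\windows\mssecsvc.exe", r"c:\windows\tasksche.exe"}

# SHA256 of the dropped binaries from the Downloads section.
DROPPED_SHA256 = {
    "08637c6f888ec702cab6e4b64c57dc8c56106984ae78df70c22847c9541f05b6": "mssecsvc.exe",
    "6420258d2431ef363eff16c6eff8557263c0e11a3a80f416655174bd51ab27b5": "tasksche.exe",
}

# The report counts 3192 distinct remote hosts; the alerting threshold is an assumption.
SCAN_HOST_THRESHOLD = 1000


@dataclass
class Event:
    kind: str               # "process" | "file_create" | "net_connect" (assumed schema)
    pid: int
    image: str              # full path of the acting process
    ppid: int = 0
    parent_image: str = ""
    cmdline: str = ""
    path: str = ""          # file_create: path written
    dst: str = ""           # net_connect: "ip:port"


def _name(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def detect(events):
    """Return a list of finding strings for the WannaCry-style indicators above."""
    findings = []
    hosts_by_pid = defaultdict(set)          # (pid, image) -> distinct remote IPs
    for e in events:
        img, parent, cmd = _name(e.image), _name(e.parent_image), e.cmdline.lower()
        if e.kind == "file_create":
            if e.path.lower() in DROPPED_PATHS:
                findings.append(f"drop: {img} (pid {e.pid}) created {e.path}")
        elif e.kind == "process":
            if img == "rundll32.exe" and "\\appdata\\local\\temp\\" in cmd:
                findings.append(f"loader: rundll32.exe (pid {e.pid}) loading a DLL from user Temp")
            if img == "mssecsvc.exe" and parent == "rundll32.exe":
                findings.append(f"chain: rundll32.exe (pid {e.ppid}) spawned mssecsvc.exe (pid {e.pid})")
            if img == "mssecsvc.exe" and "-m security" in cmd:
                findings.append(f"service: mssecsvc.exe (pid {e.pid}) started with -m security")
            if img == "tasksche.exe" and parent == "mssecsvc.exe":
                findings.append(f"chain: mssecsvc.exe (pid {e.ppid}) spawned tasksche.exe (pid {e.pid})")
        elif e.kind == "net_connect":
            hosts_by_pid[(e.pid, img)].add(e.dst.rsplit(":", 1)[0])
    # Fan-out check: one process touching many distinct hosts is the scan signature.
    for (pid, img), hosts in hosts_by_pid.items():
        if len(hosts) >= SCAN_HOST_THRESHOLD:
            findings.append(f"scan: {img} (pid {pid}) contacted {len(hosts)} distinct hosts")
    return findings


def classify_dropped(sha256_hex: str) -> Optional[str]:
    """Map the SHA256 of a recovered file to the dropped-binary name, if it is one of the two above."""
    return DROPPED_SHA256.get(sha256_hex.lower())


DLL = r"C:\Users\Admin\AppData\Local\Temp\6fafd1f7b3289ede91714a119c02a386_JaffaCakes118.dll"

# Constructed from the process tree above; PIDs as in the report.
SAMPLE_EVENTS = [
    Event("process", 2228, r"C:\Windows\system32\rundll32.exe", cmdline=f"rundll32.exe {DLL},#1"),
    Event("process", 1776, r"C:\Windows\SysWOW64\rundll32.exe", 2228, r"C:\Windows\system32\rundll32.exe",
          f"rundll32.exe {DLL},#1"),
    Event("file_create", 1776, r"C:\Windows\SysWOW64\rundll32.exe", path=r"C:\WINDOWS\mssecsvc.exe"),
    Event("process", 1684, r"C:\WINDOWS\mssecsvc.exe", 1776, r"C:\Windows\SysWOW64\rundll32.exe",
          r"C:\WINDOWS\mssecsvc.exe"),
    Event("file_create", 1684, r"C:\WINDOWS\mssecsvc.exe", path=r"C:\WINDOWS\tasksche.exe"),
    Event("process", 1956, r"C:\WINDOWS\tasksche.exe", 1684, r"C:\WINDOWS\mssecsvc.exe",
          r"C:\WINDOWS\tasksche.exe /i"),
    # Service instance; the report does not record its parent, so none is given here.
    Event("process", 1612, r"C:\WINDOWS\mssecsvc.exe", cmdline=r"C:\WINDOWS\mssecsvc.exe -m security"),
]
# Constructed scan burst: 3192 distinct hosts on tcp/445 from the service instance (addresses assumed).
SAMPLE_EVENTS += [
    Event("net_connect", 1612, r"C:\WINDOWS\mssecsvc.exe", dst=f"10.{(i >> 8) & 255}.{i & 255}.1:445")
    for i in range(3192)
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The process-chain rules fire on parent/child relationships and command lines, which survive a rebuild of the sample that changes every hash; the fan-out rule is what catches the scan behaviour regardless of what the payload is called.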
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\Windows\mssecsvc.exe
Filesize: 3.6MB
MD5: 136e5884c73567c49695336e3ceb544d
SHA1: f0fc9616a21407a8de6bb97de0674017900b7852
SHA256: 08637c6f888ec702cab6e4b64c57dc8c56106984ae78df70c22847c9541f05b6
SHA512: 00400859e00a6d86930982bf89f2b5243865c005712a718483e7cfda7dfb8cf0ffdc0366172542517143a8ee26f6e7972d52e90d5a81797f6914dc82a1b0472f

C:\Windows\tasksche.exe
Filesize: 3.4MB
MD5: 17b602dc41383bd5798a147865141803
SHA1: eec93c6381bb53ad42129b303c2ab28003ec0df4
SHA256: 6420258d2431ef363eff16c6eff8557263c0e11a3a80f416655174bd51ab27b5
SHA512: 947c1e0e98dd1ccc8995543e1178787b09feb1e13ff067e6caa60327224e6674c778bec0049599106724a14e9d3ae25a774a29e1823ccf81285c7191400f0873