Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
25-05-2024 23:26
Static task
static1
Behavioral task
behavioral1
Sample
7399cd7ebd2ed59f60e672b59fe24b1e_JaffaCakes118.dll
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
7399cd7ebd2ed59f60e672b59fe24b1e_JaffaCakes118.dll
Resource
win10v2004-20240226-en
General
-
Target
7399cd7ebd2ed59f60e672b59fe24b1e_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
7399cd7ebd2ed59f60e672b59fe24b1e
-
SHA1
2d0c72260f7ddd8834b297b3924ec0c840fd0893
-
SHA256
01e0a9e78f32164f518ac8195f1f59012e2e9c7050181506ca594546b4be3fa1
-
SHA512
7056b42887555fd92322f2f4b9e48dcbe60205247d28c639bc1c6491c6b181b982d1e4e17f1971a587ed2850fd3293785eab5e2f02d37e6a3f118cf3b9315e47
-
SSDEEP
98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P59:TDqPe1Cxcxk3ZAEUad
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3325) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1812 mssecsvc.exe 2260 mssecsvc.exe 2672 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6B858B10-E090-44C0-8173-6A979A1DA93F}\WpadDecisionTime = 10180402fbaeda01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-24-0f-a9-df-c2 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-24-0f-a9-df-c2\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-24-0f-a9-df-c2\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6B858B10-E090-44C0-8173-6A979A1DA93F}\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6B858B10-E090-44C0-8173-6A979A1DA93F}\5a-24-0f-a9-df-c2 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-24-0f-a9-df-c2\WpadDecisionTime = 10180402fbaeda01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6B858B10-E090-44C0-8173-6A979A1DA93F} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6B858B10-E090-44C0-8173-6A979A1DA93F}\WpadDecisionReason = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6B858B10-E090-44C0-8173-6A979A1DA93F}\WpadNetworkName = "Network 3" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2168 wrote to memory of 2044 2168 rundll32.exe rundll32.exe PID 2168 wrote to memory of 2044 2168 rundll32.exe rundll32.exe PID 2168 wrote to memory of 2044 2168 rundll32.exe rundll32.exe PID 2168 wrote to memory of 2044 2168 rundll32.exe rundll32.exe PID 2168 wrote to memory of 2044 2168 rundll32.exe rundll32.exe PID 2168 wrote to memory of 2044 2168 rundll32.exe rundll32.exe PID 2168 wrote to memory of 2044 2168 rundll32.exe rundll32.exe PID 2044 wrote to memory of 1812 2044 rundll32.exe mssecsvc.exe PID 2044 wrote to memory of 1812 2044 rundll32.exe mssecsvc.exe PID 2044 wrote to memory of 1812 2044 rundll32.exe mssecsvc.exe PID 2044 wrote to memory of 1812 2044 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7399cd7ebd2ed59f60e672b59fe24b1e_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7399cd7ebd2ed59f60e672b59fe24b1e_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD51b15e08a5a18357ba188888f53aeed01
SHA1862514337374a54d26e86f1df39a0800c5cd84f6
SHA25674313cfbc7ed6dd96a4e71257668cabc537081cea5291d71200b26b146e2c247
SHA512ca413d0ed266ac3e5fc27020dd2a200549a101fe5f8cd937353bdf61775335865dd972a8932b2d5fc1f8dd3446d39b6551f17d33d96060a261908cad0505bafe
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD5491cbf257f5a5480598928b92700b29e
SHA11d6d79f23d2a3675cbb4b2202e819a7930494212
SHA256bb8f6f081677fc409d2d8b4701f2567e61e5892f27fdd04bc0106cf44561d1c9
SHA512fc516169f29c9aa21cc6e594afe29517c7de979feafa862b21609bf0b8ba549067605d915054e07616cc5e408f7d6193a16aca0fe047bf0f7f825b8fd1099642