Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 25-05-2024 08:43
Static task
- static1
Behavioral task
- behavioral1
  Sample: 716d0a6be236c224490d4fa616aa3fe9_JaffaCakes118.dll
  Resource: win7-20240220-en
Behavioral task
- behavioral2
  Sample: 716d0a6be236c224490d4fa616aa3fe9_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 716d0a6be236c224490d4fa616aa3fe9_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 716d0a6be236c224490d4fa616aa3fe9
- SHA1: eb534cd61e9ebff420a90dddc335a61def4aa6d3
- SHA256: 4d0196b2f88499de79d6bd780669038b088ee5dd9669309456f1f5a5878ae2ea
- SHA512: 9228c742d8fd84cf3b1d138a5fdc73eae8be065bf53500f50746a7914b002f55db3d64484bbf888bb55cb197b7dc64e55c322c1e6053fa47bbf8a9600ac64913
- SSDEEP: 49152:znAQqMSPbcBVQM1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9:TDqPoBr1aRxcSUDk36SAEdhvxWa9
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3333) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services. For WannaCry the scan is the worm component probing TCP/445 (SMB) on the local subnet and on randomly generated external addresses; 3333 distinct hosts inside a 150 s sandbox window is that propagation loop, not normal client traffic.
- Executes dropped EXE (3 IoCs)
  Processes:
  PID   Process
  1228  mssecsvc.exe
  2568  mssecsvc.exe
  2884  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes:
  Description                   IoC                                                                                                              Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
  counters.dat under the systemprofile's Temporary Internet Files is WinINet cache bookkeeping, not a payload. It shows that this mssecsvc.exe instance issues an HTTP request from the LocalSystem (service) context, which is what WannaCry's kill-switch URL check via WinINet looks like; the SysWOW64 path is file-system redirection for a 32-bit process.
- Drops file in Windows directory (2 IoCs)
  Processes:
  Description   IoC                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe (all 24 entries)
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-f4-8d-33-a9-5b
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-f4-8d-33-a9-5b\WpadDecisionReason = "1"
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-f4-8d-33-a9-5b\WpadDecision = "0"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\WpadDecisionReason = "1"
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f012f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\WpadDecisionTime = 1077dda97faeda01
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\WpadDecision = "0"
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\WpadNetworkName = "Network 3"
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}\fa-f4-8d-33-a9-5b
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\fa-f4-8d-33-a9-5b\WpadDecisionTime = 1077dda97faeda01
  Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{06F1BCE8-3665-491B-8ACF-CEE610212CB2}
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  All 24 entries are WinINet proxy auto-detection (WPAD) and cache state under HKEY_USERS\.DEFAULT, the hive a LocalSystem service sees as its HKCU. They are side effects of mssecsvc.exe using WinINet from the service context, not a persistence mechanism, and the per-interface MAC (fa-f4-8d-33-a9-5b) and network GUID are specific to the sandbox VM. The service WannaCry registers to run mssecsvc.exe -m security, which is its actual persistence, is not captured in this signature list.
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  PID   Process       Target PID  Target process  Events
  2276  rundll32.exe  2096        rundll32.exe    7
  2096  rundll32.exe  1228        mssecsvc.exe    4
  PID 2276 is the 64-bit C:\Windows\system32\rundll32.exe writing into the 32-bit C:\Windows\SysWOW64\rundll32.exe it launched to load the 32-bit DLL; PID 2096 then writes into the freshly dropped mssecsvc.exe it starts. Both are parent-to-child writes at process creation, consistent with process setup rather than code injection, which is why the signature is rated suspicious rather than malicious on its own. The useful indicator is the chain rundll32.exe -> newly written executable in C:\WINDOWS, not the API call.
Processes
C:\Windows\system32\rundll32.exe (PID 2276)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\716d0a6be236c224490d4fa616aa3fe9_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 2096)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\716d0a6be236c224490d4fa616aa3fe9_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID 1228)
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe (PID 2884)
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe (PID 2568)
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
PIDs are taken from the IoC tables above. The DLL is invoked by export ordinal (#1). The 64-bit rundll32.exe re-launches the SysWOW64 copy, which shows the DLL is 32-bit; that copy writes mssecsvc.exe (the worm) to C:\WINDOWS and runs it, and mssecsvc.exe in turn extracts tasksche.exe (the encryptor) and starts it with /i. The second mssecsvc.exe instance, started with -m security, has no parent in the tree: that is the command line WannaCry registers as a service, so it was launched by the service control manager as LocalSystem, which matches its HKEY_USERS\.DEFAULT and systemprofile activity. Note that the sample is only the dropper; neither the worm nor the encryptor behaviour is attributed to the DLL process itself.
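The behaviours this report flags (rundll32 loading a DLL from the user's Temp directory by ordinal, a file written to C:\WINDOWS and then executed, the -m security and /i command lines, and thousands of distinct destination hosts from one process) translate directly into detection logic. The script below is an added example, not code from the sandbox report or from Triage: it replays process, file and network events constructed by hand from the process tree and IoC tables above and emits one finding per rule hit. The event field names, the placeholder destination addresses, the attribution of the scan to the service instance (PID 2568) and the fan-out threshold of 100 hosts are assumptions of the example, not facts from the report.

```python
"""Replay of the sandbox events in this report against simple detection logic.

Added example, not code from the sandbox report or from Triage. The events are
constructed by hand from the report's process tree and IoC tables; destination
addresses, the attribution of the scan to PID 2568, the event field names and
the fan-out threshold are assumptions of this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Event:
    kind: str            # "proc" (process start), "file" (file created), "net" (outbound flow)
    pid: int = 0
    ppid: int = 0
    image: str = ""      # proc: executable path
    cmdline: str = ""    # proc: full command line
    path: str = ""       # file: path created by pid
    dst: str = ""        # net: destination host


# Command-line rules. The first is generic (rundll32 loading a DLL from the user's
# Temp directory by export ordinal); the other two are the WannaCry command lines
# that appear in the report's process tree.
CMDLINE_RULES = {
    "rundll32_temp_dll_ordinal": re.compile(
        r"rundll32\.exe\s+.*\\appdata\\local\\temp\\\S+\.dll,#\d+", re.I),
    "wannacry_service_cmdline": re.compile(r"\\mssecsvc\.exe\s+-m\s+security\b", re.I),
    "wannacry_tasksche_install": re.compile(r"\\tasksche\.exe\s+/i\b", re.I),
}

# Distinct destination hosts per process before we call it a scan (tuning assumption).
SCAN_FANOUT_THRESHOLD = 100


def analyze(events: List[Event]) -> List[dict]:
    """Walk the events in order and return one finding dict per rule hit."""
    findings: List[dict] = []
    procs: Dict[int, Event] = {}
    written_by: Dict[str, int] = {}           # lower-cased path -> pid that created it
    dsts: Dict[int, set] = defaultdict(set)   # pid -> distinct destination hosts

    for ev in events:
        if ev.kind == "proc":
            procs[ev.pid] = ev
            for rule, rx in CMDLINE_RULES.items():
                if rx.search(ev.cmdline):
                    findings.append({"rule": rule, "pid": ev.pid, "cmdline": ev.cmdline})
            # Drop-and-execute: the image being started was written earlier in this run.
            writer = written_by.get(ev.image.lower())
            if writer is not None:
                findings.append({"rule": "executes_dropped_exe", "pid": ev.pid,
                                 "image": ev.image, "dropped_by": writer,
                                 "dropper_image": procs[writer].image if writer in procs else ""})
        elif ev.kind == "file":
            written_by[ev.path.lower()] = ev.pid
        elif ev.kind == "net":
            dsts[ev.pid].add(ev.dst)

    for pid, hosts in dsts.items():
        if len(hosts) >= SCAN_FANOUT_THRESHOLD:
            findings.append({"rule": "network_scan_fanout", "pid": pid, "distinct_hosts": len(hosts)})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per rule."""
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f["rule"]] += 1
    return dict(counts)


DLL = r"C:\Users\Admin\AppData\Local\Temp\716d0a6be236c224490d4fa616aa3fe9_JaffaCakes118.dll"


def sample_events() -> List[Event]:
    """Events constructed from the report. Network destinations are placeholders:
    the report gives only the count (3333), not the addresses."""
    evs = [
        Event("proc", pid=2276, ppid=0, image=r"C:\Windows\system32\rundll32.exe",
              cmdline=f"rundll32.exe {DLL},#1"),
        Event("proc", pid=2096, ppid=2276, image=r"C:\Windows\SysWOW64\rundll32.exe",
              cmdline=f"rundll32.exe {DLL},#1"),
        Event("file", pid=2096, path=r"C:\WINDOWS\mssecsvc.exe"),
        Event("proc", pid=1228, ppid=2096, image=r"C:\WINDOWS\mssecsvc.exe",
              cmdline=r"C:\WINDOWS\mssecsvc.exe"),
        Event("file", pid=1228, path=r"C:\WINDOWS\tasksche.exe"),
        Event("proc", pid=2884, ppid=1228, image=r"C:\WINDOWS\tasksche.exe",
              cmdline=r"C:\WINDOWS\tasksche.exe /i"),
        # Service instance; its parent is not shown in the report, so ppid is left 0.
        Event("proc", pid=2568, ppid=0, image=r"C:\WINDOWS\mssecsvc.exe",
              cmdline=r"C:\WINDOWS\mssecsvc.exe -m security"),
    ]
    # Assumption: the scan is attributed to the service instance (PID 2568).
    evs += [Event("net", pid=2568, dst=f"10.0.{i >> 8}.{i & 255}") for i in range(3333)]
    return evs


if __name__ == "__main__":
    for f in analyze(sample_events()):
        print(f)
```

Run against the constructed events it reproduces the report's three "Executes dropped EXE" hits (1228 and 2568 both trace back to the file written by 2096, 2884 to the file written by 1228), two rundll32 hits, one hit each for the two WannaCry command lines and one fan-out finding with 3333 hosts. The drop-and-execute rule is the portable part: it needs only file-create and process-create telemetry (Sysmon event IDs 11 and 1, for instance) and fires regardless of the file names a repacked sample uses.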
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 207ebe9e0beee12107ca7cea1ffc48b2
  SHA1: 47d557e29969f0461ce00269264a15c0f92e58e8
  SHA256: a0f0a4886696aa5e74f4f0d36dcdf786b15bf0a697ecd0db57fa0eca37ef0a23
  SHA512: fa866f62e82037abb00bff5c4e063758780c050ef0f5df51b1d8ce945a91728aaf68c848a9b7f5351430e8879602dd09fc037d0d7f63b8f88bfb0e85b37d03b9
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 909cda282d1821fa501a421cab121c7f
  SHA1: 7fec6f0eec3f439c09e9311a695cab537014291f
  SHA256: f3418976e547a9455ea56dfe35ba0bc3aad9811830e2d0b1693241043d0695f1
  SHA512: b66b77afaa0f9906d0d40e28d2f6d07c8c9d7083626a7a1aafd31c428cb17a7dfee7b5f6a6aa02dcf7c4cfdb8612739273f83a14a27d27b9f525b63e46899cf2