Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2024 22:44
Static task: static1
Behavioral task: behavioral1
  Sample: 770c0416bf0a1f935a095a497d5caa38_JaffaCakes118.dll
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 770c0416bf0a1f935a095a497d5caa38_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 770c0416bf0a1f935a095a497d5caa38_JaffaCakes118.dll
Size: 5.0MB
MD5: 770c0416bf0a1f935a095a497d5caa38
SHA1: f85bf851be59f0d2c9981edb3ca486f2072c5f04
SHA256: c93726fbc82f2bbc7a43dd4781f4663b94d0e68a73142001210853f43506d8ec
SHA512: bb6a44eff9122e88dd3e9dba5a2fe256bd255e142697346af16067a77c6abeaa42fa7e77bce4334c28e380a9b3996c3030044e446fde826c38563f80b99fa937
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P59Uc/:+DqPe1Cxcxk3ZAEUadv
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.
Contacts a large (3324) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.
Executes dropped EXE (3 IoCs)
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
pid   process
2004  mssecsvc.exe
2304  mssecsvc.exe
2624  tasksche.exe
Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.
Drops file in System32 directory (1 IoC)
Processes: mssecsvc.exe
description                   ioc                                                                                                                    process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
Drops file in Windows directory (2 IoCs)
Processes: rundll32.exe, mssecsvc.exe
description   ioc                        process
File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe
Modifies data under HKEY_USERS (24 IoCs)
Processes: mssecsvc.exe
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: rundll32.exe, rundll32.exe
description                      pid   process       target process
PID 3016 wrote to memory of 1968  3016  rundll32.exe  rundll32.exe
PID 3016 wrote to memory of 1968  3016  rundll32.exe  rundll32.exe
PID 3016 wrote to memory of 1968  3016  rundll32.exe  rundll32.exe
PID 3016 wrote to memory of 1968  3016  rundll32.exe  rundll32.exe
PID 3016 wrote to memory of 1968  3016  rundll32.exe  rundll32.exe
PID 3016 wrote to memory of 1968  3016  rundll32.exe  rundll32.exe
PID 3016 wrote to memory of 1968  3016  rundll32.exe  rundll32.exe
PID 1968 wrote to memory of 2004  1968  rundll32.exe  mssecsvc.exe
PID 1968 wrote to memory of 2004  1968  rundll32.exe  mssecsvc.exe
PID 1968 wrote to memory of 2004  1968  rundll32.exe  mssecsvc.exe
PID 1968 wrote to memory of 2004  1968  rundll32.exe  mssecsvc.exe
Processes
C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\770c0416bf0a1f935a095a497d5caa38_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\770c0416bf0a1f935a095a497d5caa38_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Downloads
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: d89bdc253276f1823c37dfaf382e54a1
  SHA1: 92eb670566efc212ed024c30ea2f10e1da13a66e
  SHA256: 770b42a01d23f49f5551bd107a9540f48531da51ec8955db65578b50993ee897
  SHA512: 36bae9442b4d6aabb97ed75d58ed3c8bcfdc5476626d172a6f9955a8833d0cb7d9f6fbd6fda3f72b28da5c9aa8995c4c2d05ba0cc710ccd9b5745a8265911e42
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 51131f50fafa06fe593cbdcbd01146ba
  SHA1: ed24d13f602d02b4826ee03d44d0a46ce631aeb9
  SHA256: 819c54cd64cb359d09cc07b84970e255818244106a2f735b919e4b8121cfcbab
  SHA512: e76ad9eb3790349ac076feda04536ab8b2733a907d51dfd33f84b44b95469e4969bbd6c75eacb80f63cd4b4907a229d3074dc6cac381dd6e3ee290e689379cae