Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-05-2024 20:32
Static task: static1
Behavioral task: behavioral1
- Sample: 76bf799125bf9e674fe7a835051a8854_JaffaCakes118.dll
- Resource: win7-20240215-en
Behavioral task: behavioral2
- Sample: 76bf799125bf9e674fe7a835051a8854_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 76bf799125bf9e674fe7a835051a8854_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 76bf799125bf9e674fe7a835051a8854
- SHA1: 6d8b621d6c44ef6275067e68a7b20bfd06f73c74
- SHA256: ac21c16db4a441304d1cfbfe0938fe936be0fa020e2b50b1583f3fb74e4210ff
- SHA512: 5f8207f12554a583980de757a36b4275b6dd7313a7152976e75badee5a4e320288effd81165d403a89e30b7814685fc8a6c05858deeb3ed4256236f119a5edb9
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9Pyd:+DqPe1Cxcxk3ZAEUady
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3324) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID 3032  mssecsvc.exe
    PID 1232  mssecsvc.exe
    PID 2884  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes:
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
    File created  C:\WINDOWS\tasksche.exe  (mssecsvc.exe)
    File created  C:\WINDOWS\mssecsvc.exe  (rundll32.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (all by mssecsvc.exe):
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DE17A2EB-9739-420C-8338-6D8E3757EBA3}\WpadDecisionTime = 705bdae0abafda01
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DE17A2EB-9739-420C-8338-6D8E3757EBA3}\WpadNetworkName = "Network 3"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-a9-87-57-0d-80
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DE17A2EB-9739-420C-8338-6D8E3757EBA3}\ea-a9-87-57-0d-80
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DE17A2EB-9739-420C-8338-6D8E3757EBA3}
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DE17A2EB-9739-420C-8338-6D8E3757EBA3}\WpadDecisionReason = "1"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DE17A2EB-9739-420C-8338-6D8E3757EBA3}\WpadDecision = "0"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-a9-87-57-0d-80\WpadDecisionReason = "1"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-a9-87-57-0d-80\WpadDecisionTime = 705bdae0abafda01
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-a9-87-57-0d-80\WpadDecision = "0"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0058000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (source PID, source process, target PID, target process):
    PID 2932 rundll32.exe wrote to memory of 3016 rundll32.exe
    PID 2932 rundll32.exe wrote to memory of 3016 rundll32.exe
    PID 2932 rundll32.exe wrote to memory of 3016 rundll32.exe
    PID 2932 rundll32.exe wrote to memory of 3016 rundll32.exe
    PID 2932 rundll32.exe wrote to memory of 3016 rundll32.exe
    PID 2932 rundll32.exe wrote to memory of 3016 rundll32.exe
    PID 2932 rundll32.exe wrote to memory of 3016 rundll32.exe
    PID 3016 rundll32.exe wrote to memory of 3032 mssecsvc.exe
    PID 3016 rundll32.exe wrote to memory of 3032 mssecsvc.exe
    PID 3016 rundll32.exe wrote to memory of 3032 mssecsvc.exe
    PID 3016 rundll32.exe wrote to memory of 3032 mssecsvc.exe
Processes (indentation shows parent/child depth)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\76bf799125bf9e674fe7a835051a8854_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\76bf799125bf9e674fe7a835051a8854_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
MITRE ATT&CK Matrix: ATT&CK v13
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 0b3f724a10ff9a534caab70ca0fea58f
  SHA1: 24baf1a554184043e4618ac3078df85886188b99
  SHA256: 009c3445235c4996b323047480d4a760b9f2f8512bc53f6c78be5a182ff5d13f
  SHA512: 5c82e5dfd2d80730d390f11382d5d50c4ce665e798710d790fbe757f8571a3ef1cc7d02e8a662784a38c2fec640ffabbbeb5801dacf0cb7a93005fcbfac05714
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 408e5a75158bfb6c261a52448b5be191
  SHA1: e6981e6160d0b1597f5d340d07ec37b680231faf
  SHA256: 9541a1871a0621e1d1708e8ea24f1040e5f221bcae37b65e0863fc51c27176e5
  SHA512: 7b284eecd0ceec3c58b85dc5c70e0787a3979041a4734ddf575fa63d27dcadb95ccd2121bb2993fbc58e2319e05be5e4ecc9e1f1d7bbaa2f4d9dd4859f75348c