Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-05-2024 22:18
Static task: static1
Behavioral task: behavioral1
  Sample: 7e98a145a032013ca69b2cbf30cf5f84_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 7e98a145a032013ca69b2cbf30cf5f84_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
- Target: 7e98a145a032013ca69b2cbf30cf5f84_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 7e98a145a032013ca69b2cbf30cf5f84
- SHA1: c955b774132b69cd7f38033827b4f9cb98666898
- SHA256: 0fcd53a40125addbfa3bf3f66379fa5b0bee5019c4680940e04fdb8714202059
- SHA512: 973a057545bc3d2caca6ace592e39aeda04a4184fac3bd1c00f385a64301f6b2e95a376cdf39c4bcf9d15348c993d856914699a1e087dfd6708bc60de7e191c1
- SSDEEP: 98304:TDqPoBi1aRxcSUDk36SAr593R8yAVp2H:TDqPZ1Cxcxk3ZArzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3184) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid | process
  2936 | mssecsvc.exe
  2088 | mssecsvc.exe
  2644 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description | ioc | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
  description | ioc | process
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-e2-16-35-f6-aa\WpadDecision = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB725DB1-8CC4-4045-A80B-83B75B51D0DF}\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB725DB1-8CC4-4045-A80B-83B75B51D0DF}\WpadDecisionTime = a0ffb6fb4cb1da01 | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB725DB1-8CC4-4045-A80B-83B75B51D0DF}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB725DB1-8CC4-4045-A80B-83B75B51D0DF}\a2-e2-16-35-f6-aa | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB725DB1-8CC4-4045-A80B-83B75B51D0DF} | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB725DB1-8CC4-4045-A80B-83B75B51D0DF}\WpadDecision = "0" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-e2-16-35-f6-aa | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-e2-16-35-f6-aa\WpadDecisionTime = a0ffb6fb4cb1da01 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-e2-16-35-f6-aa\WpadDecisionReason = "1" | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 2880 wrote to memory of 2368 | 2880 | rundll32.exe | rundll32.exe
  PID 2880 wrote to memory of 2368 | 2880 | rundll32.exe | rundll32.exe
  PID 2880 wrote to memory of 2368 | 2880 | rundll32.exe | rundll32.exe
  PID 2880 wrote to memory of 2368 | 2880 | rundll32.exe | rundll32.exe
  PID 2880 wrote to memory of 2368 | 2880 | rundll32.exe | rundll32.exe
  PID 2880 wrote to memory of 2368 | 2880 | rundll32.exe | rundll32.exe
  PID 2880 wrote to memory of 2368 | 2880 | rundll32.exe | rundll32.exe
  PID 2368 wrote to memory of 2936 | 2368 | rundll32.exe | mssecsvc.exe
  PID 2368 wrote to memory of 2936 | 2368 | rundll32.exe | mssecsvc.exe
  PID 2368 wrote to memory of 2936 | 2368 | rundll32.exe | mssecsvc.exe
  PID 2368 wrote to memory of 2936 | 2368 | rundll32.exe | mssecsvc.exe
Processes (tree; depth in brackets)
- [1] C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e98a145a032013ca69b2cbf30cf5f84_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  PID: 2880
  - [2] C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e98a145a032013ca69b2cbf30cf5f84_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    PID: 2368
    - [3] C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      PID: 2936
      - [4] C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
        PID: 2644
- [1] C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
  PID: 2088
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 73f711dce0872d39ac4e7db8b9ca619c
  SHA1: 1ae464308025a7d376e4a20165eb02c2cae39c83
  SHA256: f175fabaf90c262721a9882019b84fc9aa3f8bfee67fb176bf8448b76b9e1522
  SHA512: 1a51b4de8f3fcac1ad4d9b8816d448dbc971545d89658817bc7eabe6b9a362ebd570124894cadf570b2fe99caa2f2d75ac91c231e76a6693ba3c4963246bf4ea
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: fdee266283e705423f807589fb25dddc
  SHA1: d5c05e0286323fedbe8b0e4b5043dccf7450dc80
  SHA256: 84395daa0e949e60a22310b591effbbb5787fe69428513445fa395726ab0f61c
  SHA512: 487a3f4bcfd4e77cf449e54581bbe06a457380a8ee818b8d20ccaa7359e254d00932bf4a2c6dac2c06745f7eebbf58ec4360c1af5a2fac769f84a6f4b273117a