Resubmissions
- 28-05-2024 20:22 (this analysis)
- 240528-y5vrgaag9x  28-05-2024 20:21  7
- 240528-y5eegsag7y  28-05-2024 20:15  7
- 240528-y13arabg59  10

Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 28-05-2024 20:15
Static task: static1

Behavioral task: behavioral1
  Sample: 7e42b85a3c28e4d3fd1928efbb1b1716_JaffaCakes118.dll
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: 7e42b85a3c28e4d3fd1928efbb1b1716_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 7e42b85a3c28e4d3fd1928efbb1b1716_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 7e42b85a3c28e4d3fd1928efbb1b1716
- SHA1: 5b9550a8987cf92b4cef087122199c716b39a7d5
- SHA256: 824eb4ff3cf95ff179fff5e2f0f1cf01db9a4c70e0106177f40492310aa8d1f5
- SHA512: 2dbbb1b1d48a9c3133a9a97394820ddf5a96a0dc7b75de6d70cc19e544a5add1b295c7b4eaae13fbe9dba848ef4b977c37d3a93e92084866fdbbe7bc5d000912
- SSDEEP: 98304:+DqPoBhzLk36SAEdhvxWa9P593R8yAVp2H:+DqPeLk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3280) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  1592  mssecsvc.exe
  2524  mssecsvc.exe
  2648  tasksche.exe

- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  description                   ioc                                                                                                                    process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe

- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
  description / ioc / process:
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections  mssecsvc.exe
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
  Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix  mssecsvc.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{29947020-DD99-451C-A326-17BB1E8CECED}  mssecsvc.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-38-87-8e-5e-78  mssecsvc.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{29947020-DD99-451C-A326-17BB1E8CECED}\3e-38-87-8e-5e-78  mssecsvc.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-38-87-8e-5e-78\WpadDecisionReason = "1"  mssecsvc.exe
  Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-38-87-8e-5e-78\WpadDecision = "0"  mssecsvc.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"  mssecsvc.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"  mssecsvc.exe
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad  mssecsvc.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{29947020-DD99-451C-A326-17BB1E8CECED}\WpadDecisionReason = "1"  mssecsvc.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{29947020-DD99-451C-A326-17BB1E8CECED}\WpadDecision = "0"  mssecsvc.exe
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-38-87-8e-5e-78\WpadDecisionTime = 806febdd3bb1da01  mssecsvc.exe
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings  mssecsvc.exe
  Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"  mssecsvc.exe
  Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"  mssecsvc.exe
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f012d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
  Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  mssecsvc.exe
  Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"  mssecsvc.exe
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{29947020-DD99-451C-A326-17BB1E8CECED}\WpadDecisionTime = 806febdd3bb1da01  mssecsvc.exe
  Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{29947020-DD99-451C-A326-17BB1E8CECED}\WpadNetworkName = "Network 3"  mssecsvc.exe
  Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                   pid   process       target process
  PID 2172 wrote to memory of 2200  2172  rundll32.exe  rundll32.exe
  PID 2172 wrote to memory of 2200  2172  rundll32.exe  rundll32.exe
  PID 2172 wrote to memory of 2200  2172  rundll32.exe  rundll32.exe
  PID 2172 wrote to memory of 2200  2172  rundll32.exe  rundll32.exe
  PID 2172 wrote to memory of 2200  2172  rundll32.exe  rundll32.exe
  PID 2172 wrote to memory of 2200  2172  rundll32.exe  rundll32.exe
  PID 2172 wrote to memory of 2200  2172  rundll32.exe  rundll32.exe
  PID 2200 wrote to memory of 1592  2200  rundll32.exe  mssecsvc.exe
  PID 2200 wrote to memory of 1592  2200  rundll32.exe  mssecsvc.exe
  PID 2200 wrote to memory of 1592  2200  rundll32.exe  mssecsvc.exe
  PID 2200 wrote to memory of 1592  2200  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 2172)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e42b85a3c28e4d3fd1928efbb1b1716_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2200)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7e42b85a3c28e4d3fd1928efbb1b1716_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1592)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2648)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

- C:\WINDOWS\mssecsvc.exe (PID 2524)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: b8fb46d2a1f577db36856c3277f76976
  SHA1: 88cccd52b450ce1e4abdd01674aa9c075c80d561
  SHA256: 25010e5504c35ed06b313a98f1726352fec33d7c4e6908214867b28e149edb09
  SHA512: 36e958c71ae9f42227f7f30268e87dccb7f3533e4871bc08899b5310effe0d12db4277940e090e60f0818405a2cde879d32920125b51b7edbbf949f48f84799c

- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 83f5fbd4c245bf1df5a102a08eafaab3
  SHA1: 48fea8659fba1b02feb2d4261eb5aef88d13b4a5
  SHA256: b1b14b619d2757ead3c0490c776dfadb59fbda8b6a379e24c29ea0826d04978e
  SHA512: 78cfe4a08f937be15490478e78c4cf8978b5f2847aa2f31a66ad47704afea06c968fe135c505d07021196e2e08abfd82789a0e0b991dbda06528ab1051afbb2c