Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 29-05-2024 02:58
Static task
- static1
Behavioral task
- behavioral1: sample 7f49197d5c24d409c7788733d9a6691d_JaffaCakes118.dll, resource win7-20240215-en
Behavioral task
- behavioral2: sample 7f49197d5c24d409c7788733d9a6691d_JaffaCakes118.dll, resource win10v2004-20240226-en
General
- Target: 7f49197d5c24d409c7788733d9a6691d_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 7f49197d5c24d409c7788733d9a6691d
- SHA1: 385542727cb1c053e4bf0bcc7df3eac6d7676de3
- SHA256: 672a2ff15bf6db8941c0318d572289a03224f6d3670ec8d9d89761c97f5672f0
- SHA512: 41ea340fa7e3dc9a4f0bf52a5f3a43bb5129725362848c838296d774abb6074fb6b367c2e2bbdc9e3f2390f2accb943a594546203e1ce0c5a59c2365422b5f25
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P59Uc/:+DqPe1Cxcxk3ZAEUadv
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3251) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
    PID   Process
    2220  mssecsvc.exe
    2596  mssecsvc.exe
    2756  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes:
    Description                  IoC                                                                                                              Process
    File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
    Description   IoC                      Process
    File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
    File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe (all 24 entries)
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-37-05-af-96-7d\WpadDecisionTime = a019f40e74b1da01
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-37-05-af-96-7d\WpadDecision = "0"
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B5DEEC5-0FD5-4419-86C2-4339D59D2C08}\WpadDecisionTime = a019f40e74b1da01
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B5DEEC5-0FD5-4419-86C2-4339D59D2C08}\WpadNetworkName = "Network 3"
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (str)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Key created      \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B5DEEC5-0FD5-4419-86C2-4339D59D2C08}\WpadDecision = "0"
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-37-05-af-96-7d
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B5DEEC5-0FD5-4419-86C2-4339D59D2C08}\0e-37-05-af-96-7d
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0061000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created      \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B5DEEC5-0FD5-4419-86C2-4339D59D2C08}
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0B5DEEC5-0FD5-4419-86C2-4339D59D2C08}\WpadDecisionReason = "1"
    Set value (int)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\0e-37-05-af-96-7d\WpadDecisionReason = "1"
  Note: every key above is a WinINet proxy/WPAD auto-detect setting, and they are written under HKU\.DEFAULT rather than a logged-on user's hive. Together with the counters.dat write under C:\Windows\SysWOW64\config\systemprofile (the System32 IoC above), this shows the 32-bit mssecsvc.exe instance initialising WinINet while running under the LocalSystem account, which is the behaviour of the separate "mssecsvc.exe -m security" instance (PID 2596) in the process tree. These keys are side effects of an HTTP request being attempted, not an indicator of persistence on their own.
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    Description          PID   Process       Target PID  Target process  Entries
    wrote to memory of   2204  rundll32.exe  2184        rundll32.exe    7
    wrote to memory of   2184  rundll32.exe  2220        mssecsvc.exe    4
Processes
- C:\Windows\system32\rundll32.exe (PID 2204)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f49197d5c24d409c7788733d9a6691d_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2184)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\7f49197d5c24d409c7788733d9a6691d_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2220)
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2756)
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2596)
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

Reading the tree: the sandbox launches the sample with rundll32.exe, calling the DLL export by ordinal (",#1"). The 64-bit rundll32.exe under system32 (PID 2204) relaunches the 32-bit rundll32.exe under SysWOW64 (PID 2184) because the DLL is 32-bit (resource tag arch:x86), which is why the write of C:\WINDOWS\mssecsvc.exe is attributed to PID 2184 and not 2204. PID 2220 then drops and starts tasksche.exe with /i. The second mssecsvc.exe instance (PID 2596, argument "-m security") is listed as a separate root, i.e. it was not spawned by the rundll32 chain; it is the instance that writes the HKU\.DEFAULT and systemprofile artifacts recorded under Signatures.
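As an added example, not part of the sandbox report, the following Python encodes the chain above as detection rules and runs them over constructed process, file-drop and flow events modelled on this report's Processes and Signatures sections (PIDs, image paths and command lines as reported). The event shapes, the root parent PIDs 1000 and 500, the attribution of the 3251 flows to PID 2596 and the 100-host threshold are assumptions; the report does not say which process generated the flows.

```python
"""Flag the WannaCry dropper chain recorded in this report from raw telemetry.

Added example, not part of the sandbox report. Event shapes (ProcEvent,
FileEvent, NetEvent), the root parent PIDs 1000 and 500, the attribution
of the network flows to PID 2596 and the host threshold are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class FileEvent:      # file created by pid at path
    pid: int
    path: str


@dataclass(frozen=True)
class NetEvent:       # one outbound flow from pid to dst_ip
    pid: int
    dst_ip: str


# rundll32.exe <path>.dll,#<ordinal>   (the report shows ",#1")
ORDINAL_RE = re.compile(r"rundll32\.exe\s+.+?\.dll,#\d+", re.I)
# the separately rooted instance: mssecsvc.exe -m security
SERVICE_ARGS_RE = re.compile(r"\s-m\s+security\b", re.I)


def _name(path):
    """Lower-case file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def _ancestors(pid, by_pid):
    """Set of ancestor PIDs reachable through ppid links we have events for."""
    seen, p = set(), by_pid.get(pid)
    while p is not None and p.ppid not in seen:   # cycle guard
        seen.add(p.ppid)
        p = by_pid.get(p.ppid)
    return seen


def analyze(procs, files, flows, host_threshold=100):
    by_pid = {p.pid: p for p in procs}
    # "Drops file in Windows directory": files created under C:\Windows
    dropped = {f.path.lower() for f in files
               if f.path.lower().startswith("c:\\windows\\")}
    ordinal = [p.pid for p in procs
               if _name(p.image) == "rundll32.exe" and ORDINAL_RE.search(p.cmdline)]
    # "Executes dropped EXE": a process whose image is one of the dropped files
    executed = [p.pid for p in procs if p.image.lower() in dropped]
    # dropped executables whose ancestry leads back to the rundll32 ordinal call
    chain = [pid for pid in executed if _ancestors(pid, by_pid) & set(ordinal)]
    service = [p.pid for p in procs
               if _name(p.image) == "mssecsvc.exe" and SERVICE_ARGS_RE.search(p.cmdline)]
    install = [p.pid for p in procs
               if _name(p.image) == "tasksche.exe"
               and "/i" in p.cmdline.lower().split()
               and p.ppid in by_pid and _name(by_pid[p.ppid].image) == "mssecsvc.exe"]
    # "Contacts a large number of remote hosts": distinct destinations per pid
    hosts = defaultdict(set)
    for n in flows:
        hosts[n.pid].add(n.dst_ip)
    fanout = {pid: len(ips) for pid, ips in hosts.items() if len(ips) >= host_threshold}
    return {
        "rundll32_ordinal": ordinal,
        "dropped_exe_executed": executed,
        "dropper_chain": chain,
        "service_mode": service,
        "tasksche_install": install,
        "host_fanout": fanout,
    }


DLL = r"C:\Users\Admin\AppData\Local\Temp\7f49197d5c24d409c7788733d9a6691d_JaffaCakes118.dll"


def sample_events():
    """Constructed events mirroring the report's process tree (PIDs as reported)."""
    procs = [
        ProcEvent(2204, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
        ProcEvent(2184, 2204, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
        ProcEvent(2220, 2184, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
        ProcEvent(2756, 2220, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
        ProcEvent(2596, 500, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    ]
    files = [FileEvent(2184, r"C:\WINDOWS\mssecsvc.exe"),
             FileEvent(2220, r"C:\WINDOWS\tasksche.exe")]
    # 3251 distinct hosts, the count the sandbox reported; attributed to 2596 by assumption
    flows = [NetEvent(2596, f"10.{i >> 8}.{i & 255}.1") for i in range(3251)]
    return procs, files, flows


if __name__ == "__main__":
    for rule, hits in analyze(*sample_events()).items():
        print(f"{rule}: {hits}")
```

The ancestry walk is what separates the two roots of the tree: PIDs 2220 and 2756 trace back to the rundll32 ordinal call and land in dropper_chain, while PID 2596 is only caught by the "-m security" rule and the host fan-out rule. A plain rundll32 invocation by export name (for example shell32.dll,Control_RunDLL) does not match the ordinal rule.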
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 4c191ceedf068722262c9017c403ab7f
  SHA1: b3abf0e6b5028d78b8690553b89ce1187ce04e38
  SHA256: 334852c16dc9068402ef1b5769eb2d162c964fb2fda08a41f6059b045a73167a
  SHA512: 434b0ae00c392a364f49d3f9e49d729355385798e9c7c1bd68259097348c3fbeab2951eed066fa5444e8bedd371c879ae89a1b93c490e9392ca8514509d1a939
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 03ab7e15db3770aca81bf40984996596
  SHA1: 518e2b1cd65da706537151ed63601b6a03179762
  SHA256: a18fd9a0cd29de9728d47d9462fa45f42fee5059e51524c6041c29df349ea42a
  SHA512: 77a2016550381d60bad0dcd36a04bbcb794cf48074c8c871708ed8fd074a17d5ecb2ffc552a8c255055de492a0b1fb9999686e8aa8fe8758a3e6dd5c7ba46381