Analysis
- Max time kernel: 150s
- Max time network: 154s
- Platform: windows7_x64
- Resource: win7-20240221-en
- Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- Submitted: 29-05-2024 05:57
Static task: static1
Behavioral task: behavioral1
- Sample: 7fb655b896152fa426d3a96cbadb5614_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 7fb655b896152fa426d3a96cbadb5614_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 7fb655b896152fa426d3a96cbadb5614_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 7fb655b896152fa426d3a96cbadb5614
- SHA1: 8dfcae6ae3ad6e492424be0e012310e77ab67f26
- SHA256: 5de6e0b877d6b134dfbb7acd502bfbc5aa6b37f888e6a845e0ee3fe83f66152e
- SHA512: 723d320fae808dd1f4a676bd5ddccde9c4f769df4bd625dc9e8224ec794368a07bd146b80a251b091f52390d8236487f288ef746ace389573963b8140a7d80ce
- SSDEEP: 49152:znAQqMSPbcBVQej/8nvxJM0H9PAMEcaEau3R8yAH1plAH:TDqPoBhz8vxWa9P593R8yAVp2H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3304) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (PID, process):
  - 2816 mssecsvc.exe
  - 2548 mssecsvc.exe
  - 2568 tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes (description, IoC, process):
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description, IoC, process):
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, IoC, process); all 24 entries are by mssecsvc.exe:
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-3b-bb-11-98-3e\WpadDecisionTime = 00cc19228db1da01
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5FD75FEB-6BA3-4D54-82F0-9E3050919D56}\WpadDecisionReason = "1"
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5FD75FEB-6BA3-4D54-82F0-9E3050919D56}\WpadDecisionTime = 00cc19228db1da01
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5FD75FEB-6BA3-4D54-82F0-9E3050919D56}\WpadDecision = "0"
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5FD75FEB-6BA3-4D54-82F0-9E3050919D56}\3a-3b-bb-11-98-3e
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-3b-bb-11-98-3e\WpadDecision = "0"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5FD75FEB-6BA3-4D54-82F0-9E3050919D56}
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-3b-bb-11-98-3e
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-3b-bb-11-98-3e\WpadDecisionReason = "1"
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0077000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5FD75FEB-6BA3-4D54-82F0-9E3050919D56}\WpadNetworkName = "Network 3"
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, PID, process, target process):
  - PID 2752 (rundll32.exe) wrote to memory of PID 2804 (rundll32.exe), 7 occurrences
  - PID 2804 (rundll32.exe) wrote to memory of PID 2816 (mssecsvc.exe), 4 occurrences
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7fb655b896152fa426d3a96cbadb5614_JaffaCakes118.dll,#1
  PID: 2752
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7fb655b896152fa426d3a96cbadb5614_JaffaCakes118.dll,#1
    PID: 2804
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2816
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2568
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2548
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 404bf3a96cd7ff19664bd44efc3a62db
  SHA1: 4318cc610774b885eb77b9372e35505fba322aba
  SHA256: 80fed1a9e5eba6b0931d7730ab5a49c84200eb51f73256164b0b54ee57d1c023
  SHA512: a5d6c4ebbba8a5d307f70f4525f57475adf991dfccd7475c154cae7f0d8e38af50ac62381d84a9792a2ca9a155c0f7ec0f9bbf82f16f938effd7aa0b05acff06
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 458e29dafc7851f3075f8a5e98651150
  SHA1: 2e0e3241755de43365c7b19a6bc151f92943ade2
  SHA256: e9a01a23a1b21f9d9526161f56c2b6d98f04262c6f6af755a60616edc536f14b
  SHA512: dfa1aa334c495faf15cb52c483256451a72c1bd636b9fb5ffe5f92d83cf2e4357e9299913ebb5e8edfb9fa99e4b62513238b08ab8261a436a851e4fcea0e148d