Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29-05-2024 07:41
Static task: static1
Behavioral task: behavioral1
- Sample: 7ff896ee88282ff5ff92801df4cbc9af_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 7ff896ee88282ff5ff92801df4cbc9af_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 7ff896ee88282ff5ff92801df4cbc9af_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 7ff896ee88282ff5ff92801df4cbc9af
- SHA1: e3615ebca56dd130206a1e3e599bf7ad3daa812d
- SHA256: 4a25b0b979bebeee43eaf893255d4eb251c615a2c59c31d463304d1028bdc788
- SHA512: b15e05ea69740f244379d07c55c5a659780dbb93e9636b90846347dfbac5b45abf5bbd246fa0dbef5d05166e4bea15b95fa4c3810457b64b80d3a672d7cd8e82
- SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593:TDqPe1Cxcxk3ZAEUadz
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3205) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 1668: mssecsvc.exe
  - PID 2864: mssecsvc.exe
  - PID 2456: tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes:
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (by mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes:
  - File created: C:\WINDOWS\mssecsvc.exe (by rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (by mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Process: mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 1760 (rundll32.exe) wrote to memory of PID 2604 (rundll32.exe): 7 events
  - PID 2604 (rundll32.exe) wrote to memory of PID 1668 (mssecsvc.exe): 4 events
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ff896ee88282ff5ff92801df4cbc9af_JaffaCakes118.dll,#1
  PID: 1760
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7ff896ee88282ff5ff92801df4cbc9af_JaffaCakes118.dll,#1
    PID: 2604
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 1668
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2456
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2864
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 44e30ae945a1aa0a5c643d7b8cf2a3ae
  SHA1: ea5d8b7d6b12ad9dbc28797866b82b26095f8964
  SHA256: 8a5e2eac0bae219a6a8ce01e28c948bfa57199f762f49e4913a1f385aea3bdf2
  SHA512: eee46e6d10a868fd00b34d58f6476ebf3b7182f35fc01dd4223b3dcf51d6a0667425f2743cebac37c7f7381178ea339a05c1031fb55063d08f061d4700ab1f3f
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: fc0195c3fbc9d1ba19811d3c36b2bea4
  SHA1: d618abf74712f8730fbad1d0988d1c30e1ec036b
  SHA256: 0c2837a2d107e6f9b508e63a48da7ef89e902907df6102a9de2fd2509316f739
  SHA512: 01423a0dd12ce2b337ef97087073945c9282cc0c51d8be12c43425e3357292b92f29ed43af52e7d6ff34adbb1cc10f8b34d2362995b3a9248bad71337b92d965