Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 30-05-2024 21:55
Static task: static1
Behavioral task: behavioral1
- Sample: 8507fffa888cdcb70e61afcf8f9ce971_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 8507fffa888cdcb70e61afcf8f9ce971_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 8507fffa888cdcb70e61afcf8f9ce971_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 8507fffa888cdcb70e61afcf8f9ce971
- SHA1: 665c2d7f8585f9140e3569f8386419e3624b3046
- SHA256: db7b9ab44954778378c42dbbdf8ff84e6627458c40863fc39cbe14958835e2df
- SHA512: 8bef5fc47c4dbeaa5813f49ea6db0d76850144a9a015b62bfc179045077f9f2de881e8271cc84626032a2661fba7231673a6856769a87366b1cf64300602e389
- SSDEEP: 49152:SnAQqMSPbcBVQejdvxJM0H9PAMEcaEau3R8yAH1plAH:+DqPoBhhxWa9P593R8yAVp2H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3124) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  - 2840 mssecsvc.exe
  - 860 mssecsvc.exe
  - 2544 tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes (description, ioc, process):
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes (description, ioc, process):
  - File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  - File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (description, ioc, process); every entry below was performed by mssecsvc.exe:
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-6b-c5-28-47-73\WpadDecisionReason = "1"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0AAC7CAB-7AAE-4D9E-87D0-C4C2DF82336C}\WpadDecision = "0"
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-6b-c5-28-47-73\WpadDecisionTime = b034d61adcb2da01
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0AAC7CAB-7AAE-4D9E-87D0-C4C2DF82336C}
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0AAC7CAB-7AAE-4D9E-87D0-C4C2DF82336C}\WpadDecisionReason = "1"
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0AAC7CAB-7AAE-4D9E-87D0-C4C2DF82336C}\WpadDecisionTime = b034d61adcb2da01
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0AAC7CAB-7AAE-4D9E-87D0-C4C2DF82336C}\WpadNetworkName = "Network 3"
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-6b-c5-28-47-73
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\22-6b-c5-28-47-73\WpadDecision = "0"
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{0AAC7CAB-7AAE-4D9E-87D0-C4C2DF82336C}\22-6b-c5-28-47-73
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  - PID 2884 (rundll32.exe) wrote to memory of 2528 (rundll32.exe), recorded 7 times
  - PID 2528 (rundll32.exe) wrote to memory of 2840 (mssecsvc.exe), recorded 4 times
Processes (process tree; depth shown by indentation)
- C:\Windows\system32\rundll32.exe, command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8507fffa888cdcb70e61afcf8f9ce971_JaffaCakes118.dll,#1 (PID 2884)
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe, command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8507fffa888cdcb70e61afcf8f9ce971_JaffaCakes118.dll,#1 (PID 2528)
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe, command line: C:\WINDOWS\mssecsvc.exe (PID 2840)
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe, command line: C:\WINDOWS\tasksche.exe /i (PID 2544)
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe, command line: C:\WINDOWS\mssecsvc.exe -m security (PID 860)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  - Filesize: 3.6MB
  - MD5: 32e8eb23c3fe843ac2c05fd099ac7f74
  - SHA1: 9b8ff1cbecb0cdd7eb287773af6f7725d3d21071
  - SHA256: df40202bbdd1b9410a9384f970701a5dc56fc8cfeaac044dcc36a22a11296131
  - SHA512: 9fe1395c3ceedfde3ff36faf05334b9dd8c6f971082d1fb932749b463dd219b67bd745db730d1aa9807d79ab19d6e60e55d31e107e0deb092924d400751fbef0
- C:\Windows\tasksche.exe
  - Filesize: 3.4MB
  - MD5: 9b31ee469a893a9a34d84630933b4901
  - SHA1: d17c205f42eb046db63bc542fd1d8e425c44a488
  - SHA256: 31fe6348ae19871d4a757e214cf6563adb5b90e094b97ff7ea0d747271ea6aa9
  - SHA512: 55cb7a752c4f7785f394bcd5a80aecd86127a1ef8cc9fff5abe20c933ec91ae481e016fb0f5ecebe7ac50dfcb4a27417ddf21e995463a837694bc6f23762a515