Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 30-05-2024 00:44

Static task: static1

Behavioral task: behavioral1
- Sample: 828a58a6beb202cc90a00c2fc6fa628e_JaffaCakes118.dll
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: 828a58a6beb202cc90a00c2fc6fa628e_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 828a58a6beb202cc90a00c2fc6fa628e_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 828a58a6beb202cc90a00c2fc6fa628e
- SHA1: 3a0b356a400a83a492d9a745ce3ba87df6c74baf
- SHA256: 662d230ef492f0aa38110fe2f2af722f14aba973e52bac3b546cc41b1d430809
- SHA512: 37ed5ba3efe05b8c6bf11a0c3d72b17de4cd6a676bc13e96613ec39babb4ad2afab64a395196dbdefb51aede40f7fc547af700ff08f7fd347e22fa1a22bc4471
- SSDEEP: 49152:JnAQqMSPbcBVQnNRx+TSqTdX1HkQo6SAARdhnvxJM0H9:dDqPoB0RxcSUDk36SAEdhvxWa9
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3322) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes (pid, process):
  1848  mssecsvc.exe
  2496  mssecsvc.exe
  2508  tasksche.exe
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes (description, ioc, process):
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
-
Drops file in Windows directory 2 IoCs
Processes (description, ioc, process):
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
-
Modifies data under HKEY_USERS 24 IoCs
Processes: mssecsvc.exe
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes (pid, process -> target pid, target process):
  1636 rundll32.exe -> 2188 rundll32.exe   (7 events)
  2188 rundll32.exe -> 1848 mssecsvc.exe   (4 events)
Processes
- C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\828a58a6beb202cc90a00c2fc6fa628e_JaffaCakes118.dll,#1
  PID: 1636
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\828a58a6beb202cc90a00c2fc6fa628e_JaffaCakes118.dll,#1
    PID: 2188
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      PID: 1848
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        PID: 2508
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2496
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 54fc11502709bc989596b5f55af5e571
  SHA1: f01953d6c85c5a4c8f4510193f817b179fdaa9f8
  SHA256: 29383b5be37d08fb96b00e34f95029c0722fad4baf84e48cf7b199970818f223
  SHA512: d2d9b9970e0b75844e35fc76f585a8ddb90750c86c8458e30a5690fefe8a46461641e46471344975cdddfedd164846a5bdc2df2bc153695ba96640bba223fb00
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: b4756900de6f8253c5c3c1c0cd183834
  SHA1: 46bbd297244adc41fdb5e8e33523a8c7afdaa8cd
  SHA256: cf3b34035662ffdf4069f5ccd04cfcef1125ea00b4bb985ef57be987294bca8e
  SHA512: d018ba0f3b43d5f3cb6016f5d8819f1906ea0324f55778ad877d6cd3b665688584596d3388f2cae926899ac0d38b3db8767d5ce31daab25a9d1b7d243118250e