Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
30-05-2024 00:10
Static task
static1
Behavioral task
behavioral1
Sample
82757113021bc81bcc9dace94d7d8726_JaffaCakes118.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
82757113021bc81bcc9dace94d7d8726_JaffaCakes118.dll
Resource
win10v2004-20240426-en
General
-
Target
82757113021bc81bcc9dace94d7d8726_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
82757113021bc81bcc9dace94d7d8726
-
SHA1
24caa6dd2f562a46bdf5031ad6bfa2160d4abb7a
-
SHA256
0057bcf838743b5103b1778e94accd5aec82bd22f55a5734bd18141a4717c21a
-
SHA512
94587ffc5c01496625b6888a90a7867ada021d28fc22cd386f3b656db7676d041046848fc8fb9cc69e2b9301db5359f7a73d5632bb6faf718d8b29444c0846d1
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRK9PAMEcaEau3R8yAH1plAH:+DqPoBhz1aRK9P593R8yAVp2H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3220) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 2300 mssecsvc.exe 2872 mssecsvc.exe 2620 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32338235-6B2C-4E86-9D3B-C707F6B2A751}\WpadDecisionTime = 50d346d225b2da01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32338235-6B2C-4E86-9D3B-C707F6B2A751}\WpadDecision = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0083000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32338235-6B2C-4E86-9D3B-C707F6B2A751}\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-dc-4f-6f-14-be mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32338235-6B2C-4E86-9D3B-C707F6B2A751} mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32338235-6B2C-4E86-9D3B-C707F6B2A751}\f2-dc-4f-6f-14-be mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-dc-4f-6f-14-be\WpadDecisionTime = 50d346d225b2da01 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{32338235-6B2C-4E86-9D3B-C707F6B2A751}\WpadNetworkName = "Network 3" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-dc-4f-6f-14-be\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-dc-4f-6f-14-be\WpadDecision = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1612 wrote to memory of 2032 1612 rundll32.exe rundll32.exe PID 1612 wrote to memory of 2032 1612 rundll32.exe rundll32.exe PID 1612 wrote to memory of 2032 1612 rundll32.exe rundll32.exe PID 1612 wrote to memory of 2032 1612 rundll32.exe rundll32.exe PID 1612 wrote to memory of 2032 1612 rundll32.exe rundll32.exe PID 1612 wrote to memory of 2032 1612 rundll32.exe rundll32.exe PID 1612 wrote to memory of 2032 1612 rundll32.exe rundll32.exe PID 2032 wrote to memory of 2300 2032 rundll32.exe mssecsvc.exe PID 2032 wrote to memory of 2300 2032 rundll32.exe mssecsvc.exe PID 2032 wrote to memory of 2300 2032 rundll32.exe mssecsvc.exe PID 2032 wrote to memory of 2300 2032 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\82757113021bc81bcc9dace94d7d8726_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\82757113021bc81bcc9dace94d7d8726_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2300 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2620
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2872
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD591f86c8cf2d0cf260ddeb53320b1d520
SHA15fa35242052b381269be86eee0680fd4a71ec06b
SHA25609d251770c1156ad754725b1691d7d529ec4ada2926a2663b5ab408a8734e547
SHA5129258e65eb7dff1e004ea4bb4ed171d6a25a1e8d34521603c7d54487987aa32f2c54b6216708c358262c90a7365ba8475d35f6ddfdc89c782a36cd421e1005984
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD5c74de0e7c8b012d9f50f24a6bec16a5c
SHA1b75a5ccb3afe0d3874ad3870b1379e8de348604b
SHA25671c9cd49a782c4a67f2dfa686443a835e27f858c54a70bee2bf6c02d69b5111a
SHA51225b6e91942eb70c63f74d3652ea80f6588f39ad48d89b2efcfaef5809a4a8e96a22a854dd7f377e6d40b14285aa47081009ed6761256a7c1946a3726e388eca2