Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
30-05-2024 17:09
Static task
static1
Behavioral task
behavioral1
Sample
84da86e1d2e59db93cc020449ce0aef2_JaffaCakes118.dll
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
84da86e1d2e59db93cc020449ce0aef2_JaffaCakes118.dll
Resource
win10v2004-20240426-en
General
-
Target
84da86e1d2e59db93cc020449ce0aef2_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
84da86e1d2e59db93cc020449ce0aef2
-
SHA1
617be79d07d31f87d6b887fe98a7a8ec63dfd8fe
-
SHA256
ed243aec4fbac510675082a7fce0a6ce5cd8e72a03b9a40b2fff4b0e7ab59999
-
SHA512
754c8da11d7b912575b66b16a270c28c0f052006b09abba704d7d4c12ffb45e9e8d5ef7c0057492744eb8537db7c3b26a994575462521bb1b1feb7a2cb3cc0e4
-
SSDEEP
98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2:+DqPe1Cxcxk3ZAEUadzR8yc4
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3262) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 1884 mssecsvc.exe 2556 mssecsvc.exe 2740 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-58-88-77-25-55 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6B517D35-F6D6-4E12-88E6-94F6D9002383}\62-58-88-77-25-55 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6B517D35-F6D6-4E12-88E6-94F6D9002383} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6B517D35-F6D6-4E12-88E6-94F6D9002383}\WpadDecision = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-58-88-77-25-55\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-58-88-77-25-55\WpadDecisionTime = a0eea631b4b2da01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f006f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6B517D35-F6D6-4E12-88E6-94F6D9002383}\WpadDecisionTime = a0eea631b4b2da01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-58-88-77-25-55\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6B517D35-F6D6-4E12-88E6-94F6D9002383}\WpadDecisionReason = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6B517D35-F6D6-4E12-88E6-94F6D9002383}\WpadNetworkName = "Network 3" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2792 wrote to memory of 2852 2792 rundll32.exe rundll32.exe PID 2792 wrote to memory of 2852 2792 rundll32.exe rundll32.exe PID 2792 wrote to memory of 2852 2792 rundll32.exe rundll32.exe PID 2792 wrote to memory of 2852 2792 rundll32.exe rundll32.exe PID 2792 wrote to memory of 2852 2792 rundll32.exe rundll32.exe PID 2792 wrote to memory of 2852 2792 rundll32.exe rundll32.exe PID 2792 wrote to memory of 2852 2792 rundll32.exe rundll32.exe PID 2852 wrote to memory of 1884 2852 rundll32.exe mssecsvc.exe PID 2852 wrote to memory of 1884 2852 rundll32.exe mssecsvc.exe PID 2852 wrote to memory of 1884 2852 rundll32.exe mssecsvc.exe PID 2852 wrote to memory of 1884 2852 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\84da86e1d2e59db93cc020449ce0aef2_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\84da86e1d2e59db93cc020449ce0aef2_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1884 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2740
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2556
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5578eb8fa583e8d83d5f0d6508e8fb697
SHA119f84ec6b1af6e86779ba906d5cb8c14b6e59444
SHA25626ac122e4ca4996097239f68e39c0f3e7b408bd9da310f93acd3580d230b379e
SHA512d5214ea210af6da37bd99ecbd31cec6d0acc538dc50420f76e36bd09ee7ed7ad762b534967dd339ca4e7d3a2b9b44ef61d4488a974b5a2dbbbc14c13c028499f
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD5f82f074d53d2ba14b7586a07695d906b
SHA1953059990000fddd84401154ddb9b65df8e84f31
SHA256d00c1de93a5682a9d50b200a4e4ec8af7f881f8efe26daf78e54d2f9bd3f4104
SHA512d62786d5116da508ff4d6432ba927d5462114a4582f78906052ebebd1a3b40a6afff599fa37edacebb89caf11ca4eb52b4b4422d3cc1cfc6099e3b3bd49a0e65