Analysis
- max time kernel: 150s
- max time network: 156s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2024 04:07
Static task: static1
Behavioral task: behavioral1
- Sample: 85ee37ea174b466e6a55c36e7e5104a4_JaffaCakes118.dll
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 85ee37ea174b466e6a55c36e7e5104a4_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 85ee37ea174b466e6a55c36e7e5104a4_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 85ee37ea174b466e6a55c36e7e5104a4
- SHA1: 2ca84a45c50c6664ee928eeb3a3cfc6bdf954226
- SHA256: 0c3056c18e3201b7963d4a9e9fe1560271562095f5ea43245a38bdbc38f3cdc7
- SHA512: db3487b1b482908de15391bcbae0389729b4dae16f53d7e538643b860b66d8b7e963478992fe791004ba5987121dc13df62b47eebfd2192f185dcbab277465a1
- SSDEEP: 98304:+DqPoBhz13RxcSUDk36SAEdhvxWa9P593R8yAVp2:+DqPe1hxcxk3ZAEUadzR8yc4
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3032) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid   process
  2184  mssecsvc.exe
  2824  mssecsvc.exe
  2276  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
  description                   ioc                                                                                                                        process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
  description   ioc                       process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                       pid   process       target process
  PID 2320 wrote to memory of 2220  2320  rundll32.exe  rundll32.exe
  PID 2320 wrote to memory of 2220  2320  rundll32.exe  rundll32.exe
  PID 2320 wrote to memory of 2220  2320  rundll32.exe  rundll32.exe
  PID 2320 wrote to memory of 2220  2320  rundll32.exe  rundll32.exe
  PID 2320 wrote to memory of 2220  2320  rundll32.exe  rundll32.exe
  PID 2320 wrote to memory of 2220  2320  rundll32.exe  rundll32.exe
  PID 2320 wrote to memory of 2220  2320  rundll32.exe  rundll32.exe
  PID 2220 wrote to memory of 2184  2220  rundll32.exe  mssecsvc.exe
  PID 2220 wrote to memory of 2184  2220  rundll32.exe  mssecsvc.exe
  PID 2220 wrote to memory of 2184  2220  rundll32.exe  mssecsvc.exe
  PID 2220 wrote to memory of 2184  2220  rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\85ee37ea174b466e6a55c36e7e5104a4_JaffaCakes118.dll,#1
  PID: 2320
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\85ee37ea174b466e6a55c36e7e5104a4_JaffaCakes118.dll,#1
    PID: 2220
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2184
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2276
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2824
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 5433df247f251572a8ce800369692d55
  SHA1: d731ac55b841044b41edc21f95e671494f56a1bd
  SHA256: 9539c79cbc93bd3c8d47bb28e5559dd659578efdd68d23b5a532253789b94780
  SHA512: ca9b4feaca57a9b3d079fee12323936c98d705753a642e96691c7873c3fbade7ec3591aa822f7a5f05b7c696f9f481ab45d18f82ed7da8cfea12ec5abb203c5b
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 3bacffc806936ef8a8a9c960b49acc32
  SHA1: 5489a7cd1dafd8ef73e7d79fe14bf2f3abb85205
  SHA256: f70cef584695bc233c392b39fe252cac5a44158940dc330db98ec9c6426fa5e1
  SHA512: 9d80fe87cdd24641bd33a22609010072b8dd3608b3180ffc82c0179253da04bebebfeefe49b9983ec2be17e82ec3f9637fb2dfc13b2ec250c7747cb68db2d633