Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 09:41
Static task: static1
Behavioral task: behavioral1
  Sample: 868f1599ae2b356fdc27bdbafae43ca6_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 868f1599ae2b356fdc27bdbafae43ca6_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 868f1599ae2b356fdc27bdbafae43ca6_JaffaCakes118.dll
Size: 5.0MB
MD5: 868f1599ae2b356fdc27bdbafae43ca6
SHA1: bc0fdeaf919774b8b5e69a04cb6d76e852367589
SHA256: 2afeaccb7fdf6d07c4d8f437bbb58adad9bd0b227e9349a25016bd3a115fd118
SHA512: 1839140ef722cab5d60796e4f9a56c9caa71508e452701c22f08cd5bf090429329f315ba04bd1e13eb74f8536d067f9d70fdc7c52306f8dfa2927ad6cf2e5bcb
SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAVAMEcaEau3RCgHAD:+DqPoBhz1aRxcSUDk36SA6593R
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3329) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services. The sandbox text is generic; for this sample the fan-out comes from the worm component (mssecsvc.exe) probing other hosts, and 3329 distinct hosts inside a 150s run is far beyond anything benign software produces on a fresh VM.
- Executes dropped EXE (3 IoCs)
  pid   process
  2488  mssecsvc.exe
  2552  mssecsvc.exe
  2660  tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  description                   ioc                                                                                                              process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
  counters.dat under the SYSTEM profile's Temporary Internet Files is the WinINet cache bookkeeping file; it is touched when a process running as SYSTEM (here the service instance, PID 2552) initialises WinINet, and it is not a dropped payload.
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
- Modifies data under HKEY_USERS (24 IoCs)
  All 24 writes are made by mssecsvc.exe into the .DEFAULT hive (the SYSTEM account's profile). WPAD auto-detect state, connection settings and cache prefixes are what WinINet writes on first use from a service context, so these entries are a side effect of the service instance (PID 2552) initialising WinINet for an outbound HTTP request; they are not persistence.
  description       ioc
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9AE6BEA1-F50D-47DB-B21D-E151621223EB}\WpadDecision = "0"
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9AE6BEA1-F50D-47DB-B21D-E151621223EB}\5e-dd-44-d3-61-61
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-dd-44-d3-61-61\WpadDecisionReason = "1"
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00fc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9AE6BEA1-F50D-47DB-B21D-E151621223EB}\WpadDecisionTime = 20e0b2b03eb3da01
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-dd-44-d3-61-61
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-dd-44-d3-61-61\WpadDecisionTime = 20e0b2b03eb3da01
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-dd-44-d3-61-61\WpadDecision = "0"
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9AE6BEA1-F50D-47DB-B21D-E151621223EB}\WpadDecisionReason = "1"
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9AE6BEA1-F50D-47DB-B21D-E151621223EB}\WpadNetworkName = "Network 3"
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9AE6BEA1-F50D-47DB-B21D-E151621223EB}
- Suspicious use of WriteProcessMemory (11 IoCs)
  pid   process       target pid  target process  count
  2160  rundll32.exe  2872        rundll32.exe    7
  2872  rundll32.exe  2488        mssecsvc.exe    4
  Both rows are a parent writing into a child it has just created: the 64-bit rundll32.exe hands the 32-bit DLL off to the SysWOW64 copy, which then launches the dropped mssecsvc.exe. The sandbox flags these writes generically; they add no evidence of injection beyond what the process tree already shows.
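The two network signatures above ("Contacts a large amount of remote hosts" and "Creates a large amount of network flows") are fan-out heuristics: count distinct destinations per source inside a time window and alert when a host exceeds what any legitimate client would do. The following Python is an added example, not part of the report or of any sandbox's code. It builds its own flow records (the report gives a host count, 3329 in 150s, but no ports or addresses, so the TEST-NET addresses and the TCP/445 port, chosen because WannaCry's worm component probes SMB, are assumptions):

```python
"""Fan-out heuristic behind the "contacts a large number of remote hosts" signature.

Added example, not part of the report. Flow records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def parse_flow(line):
    """Parse one constructed flow line: '<iso-ts> <src> <dst> <dport> <bytes>'."""
    ts, src, dst, dport, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), int(nbytes)


def detect_fanout(lines, threshold=64, window=timedelta(minutes=1)):
    """Alert on every (source, window) that reaches >= threshold distinct
    destinations. A worm sweeping a subnet produces hundreds of distinct
    destinations per minute; a benign host on a fresh VM produces a handful."""
    dests = defaultdict(lambda: defaultdict(set))   # src -> window start -> {dst}
    ports = defaultdict(lambda: defaultdict(int))   # src -> dport -> flow count
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_flow(line)
        start = ts - (ts - datetime.min) % window    # floor ts onto the window grid
        dests[src][start].add(dst)
        ports[src][dport] += 1
    alerts = []
    for src, per_window in dests.items():
        for start, seen in per_window.items():
            if len(seen) >= threshold:
                top_port = max(ports[src], key=ports[src].get)
                alerts.append({"src": src, "window_start": start.isoformat(),
                               "distinct_hosts": len(seen), "top_port": top_port})
    alerts.sort(key=lambda a: (a["window_start"], a["src"]))
    return alerts


def constructed_flows():
    """Constructed sample (assumed addresses in 192.0.2.0/24): one host probing
    its whole /24 on TCP/445 with zero-payload connections within a minute, plus
    a benign host talking to three servers over HTTPS."""
    base = datetime(2024, 5, 31, 9, 42, 0)
    lines = []
    for i in range(1, 255):
        if i == 77:                                  # skip the scanner's own address
            continue
        t = base + timedelta(milliseconds=200 * i)
        lines.append(f"{t.isoformat()} 192.0.2.77 192.0.2.{i} 445 0")
    for i, dst in enumerate(["192.0.2.1", "203.0.113.5", "192.0.2.1", "192.0.2.4"]):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} 192.0.2.10 {dst} 443 2048")
    return lines


if __name__ == "__main__":
    for a in detect_fanout(constructed_flows()):
        print(f"{a['src']} reached {a['distinct_hosts']} hosts from {a['window_start']} "
              f"(most common port {a['top_port']})")
```

The threshold is deliberately low for a one-minute window because the point is distinct destinations, not volume: a browser opens many flows to few hosts, a worm opens one flow each to many hosts. Raise the threshold or lengthen the window for hosts that legitimately fan out (monitoring pollers, vulnerability scanners) rather than suppressing the rule.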
Processes
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\868f1599ae2b356fdc27bdbafae43ca6_JaffaCakes118.dll,#1
  PID: 2160
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\868f1599ae2b356fdc27bdbafae43ca6_JaffaCakes118.dll,#1
    PID: 2872
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      PID: 2488
      - Executes dropped EXE
      - Drops file in Windows directory
      C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        PID: 2660
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2552
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

Reading the tree: the 64-bit rundll32.exe in System32 re-launches the SysWOW64 copy because the DLL is 32-bit, and it is the 32-bit instance that drops and starts mssecsvc.exe, which in turn drops and starts tasksche.exe. The second mssecsvc.exe (PID 2552, "-m security") appears as a separate top-level process rather than a child of the chain, and its artefacts land in the .DEFAULT hive and the SYSTEM profile, which is consistent with it running as a service under SYSTEM.
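The chain above (rundll32.exe loading a DLL from the user's Temp directory by ordinal, re-executing as the SysWOW64 copy, then spawning an executable that lives directly in C:\WINDOWS) is easy to express as process-tree rules. The Python below is an added example, not part of the report or any vendor's detection content. EVENTS reconstructs the report's process tree as Sysmon-style process-creation records; parent PIDs the report does not show are set to 0, and pid 3000 is a constructed benign rundll32 launch added to show the rules stay quiet on it. The allowlist of executables that legitimately sit in the Windows root is an assumption for illustration and should be built from a clean reference image in practice.

```python
"""Process-tree rules for the rundll32 -> mssecsvc.exe -> tasksche.exe chain.

Added example, not part of the report. EVENTS is reconstructed from the
report's process tree plus one constructed benign event (pid 3000).
"""
import re
from pathlib import PureWindowsPath

DLL = r"C:\Users\Admin\AppData\Local\Temp\868f1599ae2b356fdc27bdbafae43ca6_JaffaCakes118.dll"
EVENTS = [
    {"pid": 2160, "ppid": 0, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 2872, "ppid": 2160, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1"},
    {"pid": 2488, "ppid": 2872, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe"},
    {"pid": 2660, "ppid": 2488, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i"},
    {"pid": 2552, "ppid": 0, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security"},
    # Constructed benign launch (not in the report): Control Panel applet via rundll32.
    {"pid": 3000, "ppid": 0, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

WINDOWS_ROOT = PureWindowsPath(r"C:\Windows")   # PureWindowsPath compares case-insensitively
# Assumed allowlist of executables that legitimately live directly in C:\Windows.
ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe", "write.exe",
                  "hh.exe", "winhlp32.exe", "splwow64.exe", "bfsvc.exe"}
# A DLL under the user's Temp directory invoked by export ordinal (",#1").
TEMP_DLL_BY_ORDINAL = re.compile(r"\\AppData\\Local\\Temp\\[^ ]+\.dll,#\d+\s*$", re.I)
FAMILY_NAMES = {"mssecsvc.exe", "tasksche.exe"}   # file names used by this family


def evaluate(events):
    """Return {pid: [rule names]} for every event that trips at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        image = PureWindowsPath(e["image"])
        name = image.name.lower()
        parent = by_pid.get(e["ppid"])
        rules = []
        if name == "rundll32.exe" and TEMP_DLL_BY_ORDINAL.search(e["cmdline"]):
            rules.append("rundll32_temp_dll_ordinal")
        if (image.parent == WINDOWS_ROOT and image.suffix.lower() == ".exe"
                and name not in ROOT_ALLOWLIST):
            rules.append("unexpected_exe_in_windows_root")
        if (parent and PureWindowsPath(parent["image"]).name.lower() == "rundll32.exe"
                and name != "rundll32.exe"):
            rules.append("rundll32_spawned_foreign_child")   # rundll32 -> rundll32 is the WoW64 hand-off
        if name in FAMILY_NAMES:
            rules.append("wannacry_component_name")
        if rules:
            hits[e["pid"]] = rules
    return hits


if __name__ == "__main__":
    for pid, rules in evaluate(EVENTS).items():
        print(pid, ", ".join(rules))
```

The first three rules are behavioural and survive a rename of the payload; the name rule is the cheap one and is only worth keeping because the report shows the family reuses these exact file names. Note that the rundll32-to-rundll32 hop is excluded from the "foreign child" rule on purpose, since the 64-bit rundll32 spawning its SysWOW64 copy is normal for any 32-bit DLL.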
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: b66b59512338bad332a602c2ae512451
  SHA1: 8a284481795f8138d75aa062a7d5fb4f32a796ac
  SHA256: aac6b21e9fe5580d72170e398fe8a66a76729a860ea710e2d826336414363438
  SHA512: 7535a16b0ae97668e781e831f40711e54d5a535321bec00676758c7ec44a203ab1886e7e17ef0298d5496552b1f30865790eb9ac2b723555f6a9413a5830bed0
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 3fff988af3f2bcc308278678800ba203
  SHA1: cc767aad48dba273423ef7ab0c51025d86179135
  SHA256: eb66210b36f1d2c4b5588eedbf78f85b00c59a2561f21e1643f062961440eb71
  SHA512: e7da085c91c6b3da4111fc80cd7ecbf8f638495011f98fbb5493c7ab61257e42da8b9bdbe1da2de84d6b9f2fbd058d1b3cb50dd68d03f1fc266e8da0de8529dd
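The hashes in the General section and the Downloads section above are the file IoCs a responder would sweep a host for. The Python below is an added example, not part of the report or any vendor tooling: it carries the report's MD5, SHA1 and SHA256 values for the main DLL and the two dropped executables, computes all three digests of each file in one read, and matches per algorithm so that a disagreement between algorithms (an IoC table error, or a collision on the weaker hash) is visible instead of silently matching on MD5 alone. The directory walked is whatever the caller passes; the C:\Windows default in the usage stub is an assumption taken from the drop locations above.

```python
"""Hash hunt for the report's file IoCs (main DLL plus the two dropped EXEs).

Added example, not part of the report. REPORT_IOCS is copied from the report.
"""
import hashlib
import os

REPORT_IOCS = {
    "md5": {
        "868f1599ae2b356fdc27bdbafae43ca6": "868f1599ae2b356fdc27bdbafae43ca6_JaffaCakes118.dll",
        "b66b59512338bad332a602c2ae512451": "mssecsvc.exe",
        "3fff988af3f2bcc308278678800ba203": "tasksche.exe",
    },
    "sha1": {
        "bc0fdeaf919774b8b5e69a04cb6d76e852367589": "868f1599ae2b356fdc27bdbafae43ca6_JaffaCakes118.dll",
        "8a284481795f8138d75aa062a7d5fb4f32a796ac": "mssecsvc.exe",
        "cc767aad48dba273423ef7ab0c51025d86179135": "tasksche.exe",
    },
    "sha256": {
        "2afeaccb7fdf6d07c4d8f437bbb58adad9bd0b227e9349a25016bd3a115fd118": "868f1599ae2b356fdc27bdbafae43ca6_JaffaCakes118.dll",
        "aac6b21e9fe5580d72170e398fe8a66a76729a860ea710e2d826336414363438": "mssecsvc.exe",
        "eb66210b36f1d2c4b5588eedbf78f85b00c59a2561f21e1643f062961440eb71": "tasksche.exe",
    },
}
ALGOS = ("md5", "sha1", "sha256")


def digest_chunks(chunks):
    """Feed every chunk to all hashers in a single pass; return {algo: hexdigest}."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def hash_bytes(data):
    return digest_chunks([data])


def hash_file(path, chunk_size=1 << 20):
    with open(path, "rb") as f:
        return digest_chunks(iter(lambda: f.read(chunk_size), b""))


def match_hashes(digests, iocs=REPORT_IOCS):
    """Return {algo: label} for every algorithm whose digest is in the IoC table."""
    return {a: iocs[a][digests[a]] for a in iocs if digests.get(a) in iocs[a]}


def sweep(root, iocs=REPORT_IOCS):
    """Walk a directory tree; report each file that matches any IoC, and whether
    all matching algorithms agree on which IoC it is."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                hits = match_hashes(hash_file(path), iocs)
            except OSError:
                continue                          # unreadable, locked or vanished file
            if hits:
                findings.append({"path": path, "hits": hits,
                                 "consistent": len(set(hits.values())) == 1})
    return findings


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"   # assumed default
    for finding in sweep(root):
        print(finding)
```

A finding with consistent set to False deserves a second look before anyone acts on it; a finding that matches on SHA256 is as good as a byte comparison, whereas an MD5-only match on a 3.6MB binary is weak evidence on its own.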