Analysis
-
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 31-05-2024 17:37
Static task: static1
Behavioral task: behavioral1
  Sample: 87c8440c3cfd05b8126be71c3c7bded7_JaffaCakes118.dll
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: 87c8440c3cfd05b8126be71c3c7bded7_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
-
Target: 87c8440c3cfd05b8126be71c3c7bded7_JaffaCakes118.dll
Size: 5.0MB
MD5: 87c8440c3cfd05b8126be71c3c7bded7
SHA1: a0c5c62a42a1f4dc9c4c44b406573433d29404cc
SHA256: 3900e9bb9625a1ec98483deb1afc5833f09d6fe4dd5bc0114a8b72668030daee
SHA512: 75f2d0e2eda7cb11bf11211651a161af239214901c9eafd5038c6742344ba85e56b824e3cfa94e9ee506605eec8198319a6308bc65c046aff53b60f2c4e9c495
SSDEEP: 12288:yebLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+DHeQYSUjEXFo:zbLgddQhfdmMSirYbcMNgef0QeQjG/
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3078) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE (3 IoCs)
Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
  pid / process:
  2392 mssecsvc.exe
  2252 mssecsvc.exe
  2824 tasksche.exe
-
Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory (1 IoCs)
Processes: mssecsvc.exe
  description / ioc / process:
  File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe
-
Drops file in Windows directory (2 IoCs)
Processes: rundll32.exe, mssecsvc.exe
  description / ioc / process:
  File created C:\WINDOWS\mssecsvc.exe rundll32.exe
  File created C:\WINDOWS\tasksche.exe mssecsvc.exe
-
Modifies data under HKEY_USERS (24 IoCs)
Processes: mssecsvc.exe
  description / ioc / process:
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00d7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC657CE2-4C82-418F-A42D-ADE852ACB211}\WpadNetworkName = "Network 3" mssecsvc.exe
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-41-ac-be-8c-37\WpadDecisionReason = "1" mssecsvc.exe
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-41-ac-be-8c-37\WpadDecisionTime = 80b3884681b3da01 mssecsvc.exe
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC657CE2-4C82-418F-A42D-ADE852ACB211}\WpadDecisionTime = 80b3884681b3da01 mssecsvc.exe
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC657CE2-4C82-418F-A42D-ADE852ACB211}\WpadDecisionReason = "1" mssecsvc.exe
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC657CE2-4C82-418F-A42D-ADE852ACB211}\62-41-ac-be-8c-37 mssecsvc.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-41-ac-be-8c-37\WpadDecision = "0" mssecsvc.exe
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\62-41-ac-be-8c-37 mssecsvc.exe
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC657CE2-4C82-418F-A42D-ADE852ACB211} mssecsvc.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FC657CE2-4C82-418F-A42D-ADE852ACB211}\WpadDecision = "0" mssecsvc.exe
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe
-
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: rundll32.exe, rundll32.exe
  description / pid / process / target process:
  PID 1700 wrote to memory of 2496 1700 rundll32.exe rundll32.exe
  PID 1700 wrote to memory of 2496 1700 rundll32.exe rundll32.exe
  PID 1700 wrote to memory of 2496 1700 rundll32.exe rundll32.exe
  PID 1700 wrote to memory of 2496 1700 rundll32.exe rundll32.exe
  PID 1700 wrote to memory of 2496 1700 rundll32.exe rundll32.exe
  PID 1700 wrote to memory of 2496 1700 rundll32.exe rundll32.exe
  PID 1700 wrote to memory of 2496 1700 rundll32.exe rundll32.exe
  PID 2496 wrote to memory of 2392 2496 rundll32.exe mssecsvc.exe
  PID 2496 wrote to memory of 2392 2496 rundll32.exe mssecsvc.exe
  PID 2496 wrote to memory of 2392 2496 rundll32.exe mssecsvc.exe
  PID 2496 wrote to memory of 2392 2496 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\87c8440c3cfd05b8126be71c3c7bded7_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  PID: 1700
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\87c8440c3cfd05b8126be71c3c7bded7_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID: 2496
    C:\WINDOWS\mssecsvc.exe
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      PID: 2392
      C:\WINDOWS\tasksche.exe
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
        PID: 2824
-
C:\WINDOWS\mssecsvc.exe
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID: 2252
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 4d60318b27f6af7a1a131fc8bc52b965
  SHA1: b09bb69d4c0b322bc59f4166bca4bf43446dba35
  SHA256: 5b099c0d9d228f0e3573dd952f1c99b4a95c178ace1c5b275b1b0737066780f4
  SHA512: b0cbd09e7805d2d2b48a83cd6323071d3a566bd24c87636a0ad29557983bc8c6c03c659cfd2023a19fc03bbf819d7f026e7b5399890c9ee53f69429e5a92aafc
-
C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 49939551a41924a3fff56a1c726c0c95
  SHA1: b5560efadeae1227315988aeb64d236d0e7a3a37
  SHA256: 5e97deb1965ae0ca224e129a4ffbd0cfd1ff75e1eff8fe726cedea892a46a4cb
  SHA512: b47255ec93c1def63e6252d16403425323e824b598aefbf07075b6377065e25a02ee93f968be0ced0279311cceaea5b376a1b49b7207e589005f639e932aa4b6