Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
submitted: 31-05-2024 17:14
Static task: static1
Behavioral task: behavioral1
  Sample: 87bf83017d7b2f34594792febc376508_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 87bf83017d7b2f34594792febc376508_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
Target: 87bf83017d7b2f34594792febc376508_JaffaCakes118.dll
Size: 5.0MB
MD5: 87bf83017d7b2f34594792febc376508
SHA1: 604b87adbe90e17247da99159c2b2b803e19799f
SHA256: 4e9736ddc5e3c3d5a75f65cb0f0c3e9fc545c69042d8791a52c7e7fc353d3a38
SHA512: 6f4493ea82ad786f2680119c096ec6345c77a62e6582fdb901fb5c73e4cef20f589146daf3d2a726d346ae7001cd5467b3351af107829d04bf625f372eacdc97
SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9VR8yAVp2H:TDqPe1Cxcxk3ZAEUaLR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3096) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    PID 2944  mssecsvc.exe
    PID 2612  mssecsvc.exe
    PID 2568  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
    File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
    File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    PID 2256 (rundll32.exe) wrote to memory of 2120 (rundll32.exe)
    PID 2256 (rundll32.exe) wrote to memory of 2120 (rundll32.exe)
    PID 2256 (rundll32.exe) wrote to memory of 2120 (rundll32.exe)
    PID 2256 (rundll32.exe) wrote to memory of 2120 (rundll32.exe)
    PID 2256 (rundll32.exe) wrote to memory of 2120 (rundll32.exe)
    PID 2256 (rundll32.exe) wrote to memory of 2120 (rundll32.exe)
    PID 2256 (rundll32.exe) wrote to memory of 2120 (rundll32.exe)
    PID 2120 (rundll32.exe) wrote to memory of 2944 (mssecsvc.exe)
    PID 2120 (rundll32.exe) wrote to memory of 2944 (mssecsvc.exe)
    PID 2120 (rundll32.exe) wrote to memory of 2944 (mssecsvc.exe)
    PID 2120 (rundll32.exe) wrote to memory of 2944 (mssecsvc.exe)
Processes (indentation shows the parent/child relationship)
- C:\Windows\system32\rundll32.exe (PID 2256)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\87bf83017d7b2f34594792febc376508_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2120)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\87bf83017d7b2f34594792febc376508_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2944)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2568)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2612)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 9719213a71970894d2a15fc00461dc91
  SHA1: bd8f32d2163221f0aba18a87a332718d2969efee
  SHA256: 27998aaaa5b9c8a7845ec6b9dbcd18a3c6ee56b96c6fea2e1dc86a1ffa394eaf
  SHA512: 861409c412fd041c897a709186e6b4d8a9a0fc2113cae716f744e113cfaab34d45791134b04835a810e338c65620fe2d492e3ae40f18cd3ee64f6d51e28b83e4
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: f20ba14052ac4c88fe6ab5239b6788b8
  SHA1: a20f8f628a79f13256b1e8eee4ec1a37bbc19a4f
  SHA256: 73c69cd3e333a7b6028d7ba66c48811bbba85139987d19991ea730b60c928423
  SHA512: 53514becdd2b8f9d99154f360ef41d2dac8c9847c3d30fe053675feca181489bde2b0352b67db0c8eab810cbafeec4d00164e29101ab5d7790c461d95ec5061d