Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 01-06-2024 00:05
Static task
- static1
Behavioral task
- behavioral1: sample 88cf794645baeff4a6d27baa67d81fd5_JaffaCakes118.dll, resource win7-20240508-en
Behavioral task
- behavioral2: sample 88cf794645baeff4a6d27baa67d81fd5_JaffaCakes118.dll, resource win10v2004-20240508-en
The process, file and registry details below are from the windows7_x64 run.
General
- Target: 88cf794645baeff4a6d27baa67d81fd5_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 88cf794645baeff4a6d27baa67d81fd5
- SHA1: 18f72c2a321dba6f5a81c67322f60b5db5715b27
- SHA256: 54b556f1e1d527b3da3276da03a23aa24ce4903465c20a8abe3682f1f1a4b554
- SHA512: c91fa19254fa91ba22ee9ea289cba4c8323681cc660956032d8e86ffdca6c2f9a7b8c7c4a5edc5adb81c8890b7d9eb41fefced16af8f02e8bb952e64be4c92eb
- SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SADcwfpuv5p1otTyB:TDqPoBhz1aRxcSUDk36SAW5p1
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3290) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID 1960 mssecsvc.exe
  PID 2540 mssecsvc.exe
  PID 2440 tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
  counters.dat is the WinINet cache bookkeeping file; its location under the SysWOW64 systemprofile shows a 32-bit process using WinINet from the LocalSystem profile.
- Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  All writes by mssecsvc.exe:
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E8F05F8F-08BA-40DE-93BD-80EE08D70B30}\WpadDecision = "0"
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-b9-b0-30-a5-b2\WpadDecisionReason = "1"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E8F05F8F-08BA-40DE-93BD-80EE08D70B30}\WpadDecisionReason = "1"
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (empty value)
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f003a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E8F05F8F-08BA-40DE-93BD-80EE08D70B30}
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E8F05F8F-08BA-40DE-93BD-80EE08D70B30}\WpadNetworkName = "Network 3"
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E8F05F8F-08BA-40DE-93BD-80EE08D70B30}\56-b9-b0-30-a5-b2
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-b9-b0-30-a5-b2\WpadDecisionTime = 3022c77bb7b3da01
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-b9-b0-30-a5-b2
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\56-b9-b0-30-a5-b2\WpadDecision = "0"
  Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E8F05F8F-08BA-40DE-93BD-80EE08D70B30}\WpadDecisionTime = 3022c77bb7b3da01
  Every one of these keys sits under Internet Settings (WPAD decisions, ZoneMap, Connections, WinINet cache prefixes). They are the values Windows proxy auto-detection and WinINet populate on first use, and the HKEY_USERS\.DEFAULT hive means the writer was running as LocalSystem. Treat them as a side effect of mssecsvc.exe making HTTP requests from the service context, not as persistence; they make poor IoCs on their own.
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 1872 (rundll32.exe) wrote to memory of PID 2144 (rundll32.exe): 7 events
  PID 2144 (rundll32.exe) wrote to memory of PID 1960 (mssecsvc.exe): 4 events
  In both cases the target is the writer's direct child in the process tree below, which is also what ordinary process creation looks like to this hook. Read these events as corroboration of the spawn chain rather than as injection into an unrelated process.
Processes
- C:\Windows\system32\rundll32.exe (PID 1872)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\88cf794645baeff4a6d27baa67d81fd5_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2144)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\88cf794645baeff4a6d27baa67d81fd5_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1960)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2440)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2540)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS

Reading the tree: the 64-bit rundll32.exe in system32 is handed a 32-bit DLL and re-launches it under the SysWOW64 rundll32.exe, which is standard behaviour; ",#1" selects export ordinal 1 of the DLL as the entry point. The 32-bit instance writes C:\WINDOWS\mssecsvc.exe and runs it, and that copy writes and runs C:\WINDOWS\tasksche.exe /i. The second mssecsvc.exe (PID 2540, -m security) has no parent in the tree and is the instance that wrote the systemprofile cache file and the HKEY_USERS\.DEFAULT values, both of which place it in the LocalSystem context.
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: dde0f8b0127eb76d4f3a27ff5b732c66
  SHA1: 246352a9436ad96da300469a3ab3bf661b918328
  SHA256: 4592d44c0104456e6d8a1ae3d1e64feff4c0948f032ad397551e1332922188aa
  SHA512: e37d5a323e35a2305357812deda9418fdfeda3becb1b689272bcd36ec977554275e2d03058c68e6922af749646d289d089b074450d5db89a08f0c7ef15c3c7a7
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 11e8ffc1d71eebdc634471b7442f35a5
  SHA1: b41aaa0841f68e50953d519217e0b9a273148b73
  SHA256: a6b4981c0b286f70d4d1bb51e99c24e5eb2c153ddc85abe2546020d062259d31
  SHA512: 687d7e7d4ecdc2cdbab27abde2a6a590629edf6142c8f93ec65e6fccd5b5081ca8ae1204420589d9397487d105cba7ab5640b2c65dc4f4c9cfa9a6d588dde0a7
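As an added illustration (not part of the sandbox report or its tooling), the Python below turns the Signatures and Processes sections into detection logic: it replays the process tree, the two file drops and the host-count signature as constructed Sysmon-style events and applies the checks a detection engineer would write for them (rundll32 invoking a DLL from a user Temp directory, an executable dropped directly into the Windows root and then executed, tasksche.exe /i spawned by mssecsvc.exe, an mssecsvc.exe -m security instance with no observed parent, a per-process distinct-destination count, and a hash match). The PIDs, paths, command lines and SHA256 values come from the report; the event layout, the 256-destination threshold, the parent PIDs 1000 and 468 and the 10.0.x.y destination addresses are assumptions made for the example.

```python
"""Detection checks for the behaviour chain in this report, run over
constructed Sysmon-style events.  Added illustration, not sandbox output."""
import re
from collections import defaultdict

# SHA256 values from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "54b556f1e1d527b3da3276da03a23aa24ce4903465c20a8abe3682f1f1a4b554": "sample DLL",
    "4592d44c0104456e6d8a1ae3d1e64feff4c0948f032ad397551e1332922188aa": "dropped mssecsvc.exe",
    "a6b4981c0b286f70d4d1bb51e99c24e5eb2c153ddc85abe2546020d062259d31": "dropped tasksche.exe",
}
SCAN_THRESHOLD = 256  # distinct destinations per process; assumed tuning value

# rundll32 invoking an export of a DLL that lives under a user's Temp directory.
RUNDLL32_TEMP_DLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?([a-z]:\\users\\.+?\\appdata\\local\\temp\\[^",]+\.dll)"?,\S+', re.I)
# An executable written directly into the Windows root (not a subdirectory).
WINDOWS_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$", re.I)


def analyze(events):
    """Walk events in order; return a list of (rule, pid, detail) findings.

    Event dicts (assumed layout):
      {"type": "process", pid, ppid, image, cmdline[, sha256, module_sha256]}
      {"type": "file", pid, target}
      {"type": "net", pid, dst}
    """
    procs = {}                 # pid -> process event seen so far
    dropped = {}               # lower-cased path -> pid that wrote it
    dsts = defaultdict(set)    # pid -> distinct destinations
    findings = []
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = ev
            image, cmd = ev["image"].lower(), ev["cmdline"]
            base = image.rsplit("\\", 1)[-1]
            parent = procs.get(ev["ppid"])
            if RUNDLL32_TEMP_DLL.search(cmd):
                findings.append(("rundll32_loads_temp_dll", ev["pid"], cmd))
            if image in dropped:
                findings.append(("executes_dropped_exe", ev["pid"],
                                 f"{ev['image']} written by pid {dropped[image]}"))
            for h in (ev.get("sha256"), ev.get("module_sha256")):
                if h in KNOWN_SHA256:
                    findings.append(("known_hash", ev["pid"], KNOWN_SHA256[h]))
            if (base == "tasksche.exe" and re.search(r"\s/i\b", cmd)
                    and parent and parent["image"].lower().endswith("\\mssecsvc.exe")):
                findings.append(("tasksche_install_from_mssecsvc", ev["pid"], cmd))
            if base == "mssecsvc.exe" and "-m security" in cmd.lower() and parent is None:
                # No observed parent: consistent with a service start, not the rundll32 chain.
                findings.append(("mssecsvc_service_mode_orphan", ev["pid"], cmd))
        elif ev["type"] == "file":
            target = ev["target"].lower()
            if WINDOWS_ROOT_EXE.match(target):
                dropped[target] = ev["pid"]
                writer = procs.get(ev["pid"], {}).get("image", "unknown")
                findings.append(("exe_dropped_in_windows_root", ev["pid"],
                                 f"{ev['target']} by {writer}"))
        elif ev["type"] == "net":
            dsts[ev["pid"]].add(ev["dst"])
    for pid, hosts in sorted(dsts.items()):
        if len(hosts) >= SCAN_THRESHOLD:
            findings.append(("many_remote_hosts", pid, f"{len(hosts)} distinct destinations"))
    return findings


def rules_by_pid(findings):
    """Collapse findings to {pid: sorted unique rule names} for quick comparison."""
    out = defaultdict(set)
    for rule, pid, _ in findings:
        out[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in out.items()}


# Constructed events mirroring the report's process tree.  PIDs, paths, command
# lines and hashes are the report's; parent PIDs 1000/468 and the 10.0.x.y
# destinations are assumptions.
DLL = r"C:\Users\Admin\AppData\Local\Temp\88cf794645baeff4a6d27baa67d81fd5_JaffaCakes118.dll"
H_DLL, H_SVC, H_TSK = list(KNOWN_SHA256)
EVENTS = [
    {"type": "process", "pid": 1872, "ppid": 1000, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1", "module_sha256": H_DLL},
    {"type": "process", "pid": 2144, "ppid": 1872, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": f"rundll32.exe {DLL},#1", "module_sha256": H_DLL},
    {"type": "file", "pid": 2144, "target": r"C:\WINDOWS\mssecsvc.exe"},
    {"type": "process", "pid": 1960, "ppid": 2144, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe", "sha256": H_SVC},
    {"type": "file", "pid": 1960, "target": r"C:\WINDOWS\tasksche.exe"},
    {"type": "process", "pid": 2440, "ppid": 1960, "image": r"C:\WINDOWS\tasksche.exe",
     "cmdline": r"C:\WINDOWS\tasksche.exe /i", "sha256": H_TSK},
    {"type": "process", "pid": 2540, "ppid": 468, "image": r"C:\WINDOWS\mssecsvc.exe",
     "cmdline": r"C:\WINDOWS\mssecsvc.exe -m security", "sha256": H_SVC},
] + [{"type": "net", "pid": 2540, "dst": f"10.0.{i >> 8}.{i & 255}"} for i in range(3290)]

if __name__ == "__main__":
    for rule, pid, detail in analyze(EVENTS):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

The chain rules (dropped-then-executed, tasksche.exe under mssecsvc.exe, the orphaned -m security instance) fire on the relationships between events, so they survive a renamed sample that the hash check would miss; the host-count rule reproduces the "Contacts a large amount of remote hosts" signature, and the report does not record ports, so the example keys on destination count only.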