Analysis
- Max time kernel: 150s
- Max time network: 150s
- Platform: windows7_x64
- Resource: win7-20231129-en
- Resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- Submitted: 02-06-2024 22:21
Static task: static1
Behavioral task: behavioral1
- Sample: 8fa0e5dd92185799b73cbfab3da3e919_JaffaCakes118.dll
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 8fa0e5dd92185799b73cbfab3da3e919_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 8fa0e5dd92185799b73cbfab3da3e919_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 8fa0e5dd92185799b73cbfab3da3e919
- SHA1: f7ef4a029a5563e85c14ffdf74437cef17d50c5a
- SHA256: 82be7312055ea06867784fd3fa9483133f6ae2abb0a16903c701283646ac7eab
- SHA512: 2d7b6c4586fbf240eb4d9c68c4a03fc4d04b06029ce9f903910d54a49e0ce6b95fd45f42a9a3c14b4b416f2a6cc41f44160376f7bbb2304d38cd27e99c79c29c
- SSDEEP: 49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:+DqPoBhz1aRxcSUDk36SA
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- Contacts a large (3147) amount of remote hosts (1 TTP): This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 944: mssecsvc.exe
  - PID 2580: mssecsvc.exe
  - PID 2624: tasksche.exe
- Creates a large amount of network flows (1 TTP): This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes:
  - mssecsvc.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
- Drops file in Windows directory (2 IoCs)
  Processes:
  - rundll32.exe: File created C:\WINDOWS\mssecsvc.exe
  - mssecsvc.exe: File created C:\WINDOWS\tasksche.exe
- Modifies data under HKEY_USERS (24 IoCs)
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 2848 (rundll32.exe) wrote to memory of PID 2036 (rundll32.exe): 7 events
  - PID 2036 (rundll32.exe) wrote to memory of PID 944 (mssecsvc.exe): 4 events
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8fa0e5dd92185799b73cbfab3da3e919_JaffaCakes118.dll,#1
  PID: 2848
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8fa0e5dd92185799b73cbfab3da3e919_JaffaCakes118.dll,#1
    PID: 2036
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 944
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2624
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2580
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 7ab2e9b50ae7c528ce1493fc200e3ab9
  SHA1: 38fc3bf5b29d0cf31db1939ef2ef82303e753c24
  SHA256: a16a1402166b323430f3d22a3fecc7f391f39c17f1e0d5ba7a811bb9e5bbda37
  SHA512: e4607883a0a319a8f024e23175aa8714f4a9a072774ebd9cc1738dd4555226556ccfa2291a1681bed4fcad64025d16968cf9c2825831ef7dc5560572e9c585d4
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 4010ed868053c1710ef899ba78a1b58e
  SHA1: 28ae50c078df192aea783cf011795d05ef4dbe54
  SHA256: 116af23f7b32a512fee8f982993005edc34cb973551b71fdb0c215b745f5b589
  SHA512: a80d0c83b36081f163394a559d3a0d2b468ddae87dd91f22b008197a54c142f17d751cb5f966c0b838b44c14294ab9fced79462b8b78a5cac109f7913a977413