Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
02-06-2024 21:35
Static task
static1
Behavioral task
behavioral1
Sample
8f82f0fee6f8bac750ca3685435877af_JaffaCakes118.dll
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
8f82f0fee6f8bac750ca3685435877af_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
8f82f0fee6f8bac750ca3685435877af_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
8f82f0fee6f8bac750ca3685435877af
-
SHA1
4b96c086e8af1de4d12dec649c7a1e1d9c37c496
-
SHA256
4940cd65dbf580e56633d052179bd0a9df2c5e41781c66db3ff197b80c8d0edf
-
SHA512
9a489d18033aef4dbf40f4f2d2fca80672896869068c62d4acbe7ffb32ade4d960d5408c47be2160099edde639b00f2cc56b7a0a7dfbae184505a12679dc3cd3
-
SSDEEP
49152:SnAQqMSPbcBVsZ6SAARdhnvxJM0H9PAMEcEEau3R8yAH1plAH:+DqPoB+6SAEdhvxWa9P5n3R8yAVp2H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3269) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 3040 mssecsvc.exe 2872 mssecsvc.exe 2632 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
mssecsvc.exerundll32.exedescription ioc process File created C:\WINDOWS\tasksche.exe mssecsvc.exe File created C:\WINDOWS\mssecsvc.exe rundll32.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6E343C87-8161-4602-BBC6-EBE34AE9FD68} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6E343C87-8161-4602-BBC6-EBE34AE9FD68}\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6E343C87-8161-4602-BBC6-EBE34AE9FD68}\52-eb-ea-02-0c-24 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6E343C87-8161-4602-BBC6-EBE34AE9FD68}\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-eb-ea-02-0c-24 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00df000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6E343C87-8161-4602-BBC6-EBE34AE9FD68}\WpadDecisionTime = 407a80db34b5da01 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{6E343C87-8161-4602-BBC6-EBE34AE9FD68}\WpadNetworkName = "Network 3" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-eb-ea-02-0c-24\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-eb-ea-02-0c-24\WpadDecisionTime = 407a80db34b5da01 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-eb-ea-02-0c-24\WpadDecision = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2844 wrote to memory of 3016 2844 rundll32.exe rundll32.exe PID 2844 wrote to memory of 3016 2844 rundll32.exe rundll32.exe PID 2844 wrote to memory of 3016 2844 rundll32.exe rundll32.exe PID 2844 wrote to memory of 3016 2844 rundll32.exe rundll32.exe PID 2844 wrote to memory of 3016 2844 rundll32.exe rundll32.exe PID 2844 wrote to memory of 3016 2844 rundll32.exe rundll32.exe PID 2844 wrote to memory of 3016 2844 rundll32.exe rundll32.exe PID 3016 wrote to memory of 3040 3016 rundll32.exe mssecsvc.exe PID 3016 wrote to memory of 3040 3016 rundll32.exe mssecsvc.exe PID 3016 wrote to memory of 3040 3016 rundll32.exe mssecsvc.exe PID 3016 wrote to memory of 3040 3016 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8f82f0fee6f8bac750ca3685435877af_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8f82f0fee6f8bac750ca3685435877af_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3040 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2632
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2872
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD5f24df863ff0aec51e50bef1631aad91e
SHA129e4df8894fbca22d91c4a926b4b066cf788b66b
SHA25675d35a6428a073f9d06193777df4998a73a6fc5fd1d3772027083f02a9a8ca96
SHA51220991c55a0b5d2903ec686db641d9d4b8bc50fbd910b5b79e513aa34611a607b458092cf14e11d48d489f55b9164b1dad1483d34699a3e93558a6293f8f37821
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD527d35936d5402c27bc7f0ba2bd2647e3
SHA1e4145a3d5d04f0ed4bb9b3ee1d52185ba8b2c298
SHA256bb82a7c495994ff70cd7d067c7d396e39cb18f79b45ddc00815318ca04967170
SHA51296504f4112822e30ea56488fdbf9c33914a1ac086851eb41e70a5f75dfc37e207cfa20efabaf7bc5d7f8e49d0f03f3e5338fb4fd544bf3e448006999326d2316