Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system -
submitted
02-06-2024 03:54
Static task
static1
Behavioral task
behavioral1
Sample
8ccf7186457ef4c6b372d6054d689cc8_JaffaCakes118.dll
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
8ccf7186457ef4c6b372d6054d689cc8_JaffaCakes118.dll
Resource
win10v2004-20240508-en
General
-
Target
8ccf7186457ef4c6b372d6054d689cc8_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
8ccf7186457ef4c6b372d6054d689cc8
-
SHA1
792b666fa116514853768e023f0b7c91192e3c84
-
SHA256
8586e3c76dfc9508e5f673b60c4074bc350975818bfc4341f52d3d2e21c9df37
-
SHA512
592f5ecacdec4dc95d1fe920399d583bbef60a16251d03bea338f607906baaad340891d41f1d3485487e0434079e017cda2741c64a01d3f6e6e8ce07666459b3
-
SSDEEP
49152:SnAQqMSPbcBVAx+TSqTdX1HkQo6SAARdhnvxJM0H9:+DqPoBKxcSUDk36SAEdhvxWa9
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3252) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 2404 mssecsvc.exe 3032 mssecsvc.exe 2708 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
rundll32.exemssecsvc.exedescription ioc process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-0d-03-16-96-cc\WpadDecisionTime = 20500793a0b4da01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4BD23DC-E7FE-4C42-999E-0FA57D2A1D0F}\WpadDecision = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-0d-03-16-96-cc\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4BD23DC-E7FE-4C42-999E-0FA57D2A1D0F} mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00dc000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4BD23DC-E7FE-4C42-999E-0FA57D2A1D0F}\WpadDecisionReason = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4BD23DC-E7FE-4C42-999E-0FA57D2A1D0F}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-0d-03-16-96-cc mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4BD23DC-E7FE-4C42-999E-0FA57D2A1D0F}\WpadDecisionTime = 20500793a0b4da01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C4BD23DC-E7FE-4C42-999E-0FA57D2A1D0F}\32-0d-03-16-96-cc mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-0d-03-16-96-cc\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1992 wrote to memory of 876 1992 rundll32.exe rundll32.exe PID 1992 wrote to memory of 876 1992 rundll32.exe rundll32.exe PID 1992 wrote to memory of 876 1992 rundll32.exe rundll32.exe PID 1992 wrote to memory of 876 1992 rundll32.exe rundll32.exe PID 1992 wrote to memory of 876 1992 rundll32.exe rundll32.exe PID 1992 wrote to memory of 876 1992 rundll32.exe rundll32.exe PID 1992 wrote to memory of 876 1992 rundll32.exe rundll32.exe PID 876 wrote to memory of 2404 876 rundll32.exe mssecsvc.exe PID 876 wrote to memory of 2404 876 rundll32.exe mssecsvc.exe PID 876 wrote to memory of 2404 876 rundll32.exe mssecsvc.exe PID 876 wrote to memory of 2404 876 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8ccf7186457ef4c6b372d6054d689cc8_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\8ccf7186457ef4c6b372d6054d689cc8_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:876 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2404 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2708
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3032
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\mssecsvc.exeFilesize
3.6MB
MD501196b7babbd92db305bf7c1643c9dfa
SHA1e46de9f00c5226e0a6607a66cb7d0efa8c8c7ce9
SHA2566ce5bb76a661cac4696de397d4d2ddefd4e4bb1ac991b78dd1006e5e636a44ee
SHA5125939693ff2de7c2a5539e78db9a3533dedcc54b93cf1279792359520ffb5133a3f39ac07a732a4b9bcb5038b0fa22f41ce803a627d3da46acf20cfbdde1c99ee
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD51e3436bc7ad4399c8819a010c8cef49f
SHA17b013c417faa3251e66d050cd5e304fd4c5fa712
SHA2565cbe015349c04206635fdbecabfe7a6b027142f22dcfe2e01ae299e2c2181389
SHA512b4a673b791a5668802cb817196e4018858b89da3305be6546e33b3fa805c20aff487536345b89987cc800a6f11f6b29376e56ae9b818ded64948ea2222731b99