Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 02-06-2024 07:32

Static task: static1

Behavioral task: behavioral1
- Sample: 8d5164e216157518f63b05e5daf56553_JaffaCakes118.dll
- Resource: win7-20231129-en

Behavioral task: behavioral2
- Sample: 8d5164e216157518f63b05e5daf56553_JaffaCakes118.dll
- Resource: win10v2004-20240426-en
General
- Target: 8d5164e216157518f63b05e5daf56553_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 8d5164e216157518f63b05e5daf56553
- SHA1: 77369b1c0694db1b5a162d95b2aa4b86eaf36470
- SHA256: aaca8da1381a405c9b2f153fcdfc9f0fcfc0b056ee7207e66e09730ddfe0c502
- SHA512: cdfb806677cd6b4f938e6e919533f945d9a40acb38cf50315b8b9692fefcf75072cdb57376aed5c67fc46a2fa969c2ce3c32091659d05866a76c7a3b42475022
- SSDEEP: 98304:TDqPoBhzLcSUDk36SAEdhvxWa9U8yAVp2H:TDqPeLcxk3ZAEUay8yc4H
Malware Config

Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3294) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  - PID 2428 mssecsvc.exe
  - PID 2308 mssecsvc.exe
  - PID 2696 tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes:
  - mssecsvc.exe: File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
- Drops file in Windows directory (2 IoCs)
  Processes:
  - rundll32.exe: File created C:\WINDOWS\mssecsvc.exe
  - mssecsvc.exe: File created C:\WINDOWS\tasksche.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (all entries by mssecsvc.exe):
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F94CCB16-51A1-4C50-B23E-CC3DDCCD4A65}\WpadDecisionReason = "1"
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-ee-d0-44-56-aa
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-ee-d0-44-56-aa\WpadDecisionReason = "1"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0048000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F94CCB16-51A1-4C50-B23E-CC3DDCCD4A65}
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F94CCB16-51A1-4C50-B23E-CC3DDCCD4A65}\WpadDecisionTime = d03b850fbfb4da01
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-ee-d0-44-56-aa\WpadDecision = "0"
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F94CCB16-51A1-4C50-B23E-CC3DDCCD4A65}\WpadDecision = "0"
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  - Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  - Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  - Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F94CCB16-51A1-4C50-B23E-CC3DDCCD4A65}\WpadNetworkName = "Network 3"
  - Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F94CCB16-51A1-4C50-B23E-CC3DDCCD4A65}\7e-ee-d0-44-56-aa
  - Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-ee-d0-44-56-aa\WpadDecisionTime = d03b850fbfb4da01
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  - PID 2548 (rundll32.exe) wrote to memory of PID 2972 (rundll32.exe): 7 events
  - PID 2972 (rundll32.exe) wrote to memory of PID 2428 (mssecsvc.exe): 4 events
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d5164e216157518f63b05e5daf56553_JaffaCakes118.dll,#1
  PID: 2548
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8d5164e216157518f63b05e5daf56553_JaffaCakes118.dll,#1
    PID: 2972
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2428
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2696
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2308
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  - Filesize: 3.6MB
  - MD5: feb55321c4b985717fb7a480fc858899
  - SHA1: 8370f03467d71b178b9cd61fab27f7d3703fa49b
  - SHA256: 55a2051ada65fb43f34d5049073e9c858cee15dd9f4ca11dfcc84008076963e9
  - SHA512: d9cf50597b51d84bd0d2503da7224ebd1f6f6dbf645b210da2e3ae7052b6fd86ca4a06a9a7be5d641803e8e9ae2192d89e3d4024afd57bdce3facba47b72a7b9
- C:\Windows\tasksche.exe
  - Filesize: 3.4MB
  - MD5: 1326c883dcd7802b6f2a18b183071a27
  - SHA1: 6508773bf1f6d363500f02e47d51d49a41efeb86
  - SHA256: 3082a0f906cbbc030609b7612f958401937f790df1ec203f67a3c446638e9423
  - SHA512: 39c1ea57e601110bb43070e3809206b3bca1d3acb3cccf1db876bdba497b10c96153f0832486880745deecc54e5e6811d2aceb6810e347156aba57f9da83ab0c