Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 02-06-2024 20:26
Static task
- static1

Behavioral task
- behavioral1
- Sample: 8f50235eb7fea93369e15c844b9625d9_JaffaCakes118.dll
- Resource: win7-20240221-en

Behavioral task
- behavioral2
- Sample: 8f50235eb7fea93369e15c844b9625d9_JaffaCakes118.dll
- Resource: win10v2004-20240508-en
General
- Target: 8f50235eb7fea93369e15c844b9625d9_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 8f50235eb7fea93369e15c844b9625d9
- SHA1: 3f14bbf01eecf59b8515dff2e3f1099668429a63
- SHA256: 23f9594f4ee3d3bba6d034e0ea1d187010a3de19b32f3769fdac6377421c605c
- SHA512: cd90dc3a21f14b4246daf9c78b1338de644ece53421da7ff7d752475275a8982f1c42a4207e03f97cbb26a87c144db58d095e3394be6c16621780ef9da6d64ff
- SSDEEP: 98304:TDqPochz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2H:TDqPb1Cxcxk3ZAEUadzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3191) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes: mssecsvc.exe, mssecsvc.exe, tasksche.exe
    pid   process
    552   mssecsvc.exe
    2544  mssecsvc.exe
    2748  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  Processes: mssecsvc.exe
    description                  ioc                                                                                                              process
    File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes: rundll32.exe, mssecsvc.exe
    description   ioc                        process
    File created  C:\WINDOWS\mssecsvc.exe    rundll32.exe
    File created  C:\WINDOWS\tasksche.exe    mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Processes: mssecsvc.exe (all entries below were written by mssecsvc.exe)
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0122000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB11FAEB-9F3A-46BA-9E6F-59FBED2ED9EE}\WpadDecision = "0"
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-e5-93-0e-bb-31
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-e5-93-0e-bb-31\WpadDecision = "0"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB11FAEB-9F3A-46BA-9E6F-59FBED2ED9EE}\WpadDecisionReason = "1"
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB11FAEB-9F3A-46BA-9E6F-59FBED2ED9EE}\WpadNetworkName = "Network 3"
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
    Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB11FAEB-9F3A-46BA-9E6F-59FBED2ED9EE}
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB11FAEB-9F3A-46BA-9E6F-59FBED2ED9EE}\WpadDecisionTime = 7094912f2bb5da01
    Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{FB11FAEB-9F3A-46BA-9E6F-59FBED2ED9EE}\02-e5-93-0e-bb-31
    Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-e5-93-0e-bb-31\WpadDecisionReason = "1"
    Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-e5-93-0e-bb-31\WpadDecisionTime = 7094912f2bb5da01
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: rundll32.exe, rundll32.exe
    description                      pid   process       target process
    PID 3056 wrote to memory of 908  3056  rundll32.exe  rundll32.exe
    PID 3056 wrote to memory of 908  3056  rundll32.exe  rundll32.exe
    PID 3056 wrote to memory of 908  3056  rundll32.exe  rundll32.exe
    PID 3056 wrote to memory of 908  3056  rundll32.exe  rundll32.exe
    PID 3056 wrote to memory of 908  3056  rundll32.exe  rundll32.exe
    PID 3056 wrote to memory of 908  3056  rundll32.exe  rundll32.exe
    PID 3056 wrote to memory of 908  3056  rundll32.exe  rundll32.exe
    PID 908 wrote to memory of 552   908   rundll32.exe  mssecsvc.exe
    PID 908 wrote to memory of 552   908   rundll32.exe  mssecsvc.exe
    PID 908 wrote to memory of 552   908   rundll32.exe  mssecsvc.exe
    PID 908 wrote to memory of 552   908   rundll32.exe  mssecsvc.exe
Processes
- C:\Windows\system32\rundll32.exe (level 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f50235eb7fea93369e15c844b9625d9_JaffaCakes118.dll,#1
  PID: 3056
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (level 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f50235eb7fea93369e15c844b9625d9_JaffaCakes118.dll,#1
    PID: 908
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (level 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 552
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (level 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2748
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (level 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 2544
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 6f5620d2490c007b2dab42c48b0fcf10
  SHA1: 811cb340a02cc4aa460cd79b0dce5c786ecfa7b9
  SHA256: 3137f4e505635e3bab605983958c004a3924f48293fb056dffd416a53c23f517
  SHA512: f11164414b4b6ec0588723f5754cf2db42de7ac1f7f7f8871da7d337630c31eb84d9da80be782f555020cbf95e47f6dea2683b884d473bba1b550d47f82f94f9
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: efe03eea89f435009e1f887c151bb5be
  SHA1: 93c32127498e96b68502987a599198ce6696abca
  SHA256: a950ae49e9c64a42c2a3267b85687292121f417601f4f1833457884ae3146796
  SHA512: c7200efe36c799d5701c356fba3bc66fd59f3bbe7d5dba2c74be447707b0300ade6137c69cd00ff245e62093d6f714dd87f315c9ce8b39a3eddf234ecf9e9ff1