Analysis

max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 02-06-2024 20:41

Static task: static1

Behavioral task: behavioral1
Sample: 8f5a868e8958068d3af0674ff3c24289_JaffaCakes118.dll
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 8f5a868e8958068d3af0674ff3c24289_JaffaCakes118.dll
Resource: win10v2004-20240508-en

General

Target: 8f5a868e8958068d3af0674ff3c24289_JaffaCakes118.dll
Size: 5.0MB
MD5: 8f5a868e8958068d3af0674ff3c24289
SHA1: 28562bf6361ae36a4ec4963099cb8fc76a0e7ae2
SHA256: 5e1accb4db056135990fb1afc06296e66ea0ce7395599afda6d7468bdf9d2779
SHA512: c83d94f466d44640fddae63ea1b4c7fe3314ebaaf86f8ed91ccd8dd83d5956bb170ec2ae2f9feb622b542d6ed5a29d61d17b52dd71fc0a0ecf8ef4085e3f4c65
SSDEEP: 98304:dDqPoBhz1aRxcSUDk36SAEdhvxWa9P593RzPfwo:dDqPe1Cxcxk3ZAEUadzRLfw
Malware Config
Signatures

- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3119) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    2280  mssecsvc.exe
    2572  mssecsvc.exe
    2680  tasksche.exe

- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

- Drops file in System32 directory (1 IoCs)
  Processes:
    description                   ioc                                                                                                              process
    File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe

- Drops file in Windows directory (2 IoCs)
  Processes:
    description   ioc                       process
    File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
    File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  All 24 writes are made by mssecsvc.exe under the .DEFAULT hive's Internet Settings key (WPAD / proxy-autodetect and WinINet cache keys). Together with the counters.dat path under SysWOW64\config\systemprofile above, this is what a 32-bit process issuing a WinINet request from the LocalSystem context leaves behind; it is a side effect of outbound HTTP, not a persistence mechanism.
  Processes:
    description        ioc                                                                                                                                              process
    Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings                                                              mssecsvc.exe
    Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections                                                  mssecsvc.exe
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"                                     mssecsvc.exe
    Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad                                                         mssecsvc.exe
    Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{39FFD7B2-9DA2-4408-9725-386077F80865}                  mssecsvc.exe
    Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings                                                              mssecsvc.exe
    Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"                    mssecsvc.exe
    Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0107000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   mssecsvc.exe
    Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{39FFD7B2-9DA2-4408-9725-386077F80865}\WpadDecisionTime = c0eac9352db5da01   mssecsvc.exe
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"                                  mssecsvc.exe
    Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix                                mssecsvc.exe
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{39FFD7B2-9DA2-4408-9725-386077F80865}\WpadDecision = "0"   mssecsvc.exe
    Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{39FFD7B2-9DA2-4408-9725-386077F80865}\12-e8-0c-d8-7f-16   mssecsvc.exe
    Key created        \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-e8-0c-d8-7f-16                                       mssecsvc.exe
    Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   mssecsvc.exe
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"                                            mssecsvc.exe
    Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000   mssecsvc.exe
    Key created        \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                                                     mssecsvc.exe
    Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"                   mssecsvc.exe
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{39FFD7B2-9DA2-4408-9725-386077F80865}\WpadDecisionReason = "1"   mssecsvc.exe
    Set value (str)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{39FFD7B2-9DA2-4408-9725-386077F80865}\WpadNetworkName = "Network 3"   mssecsvc.exe
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-e8-0c-d8-7f-16\WpadDecisionReason = "1"               mssecsvc.exe
    Set value (data)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-e8-0c-d8-7f-16\WpadDecisionTime = c0eac9352db5da01    mssecsvc.exe
    Set value (int)    \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-e8-0c-d8-7f-16\WpadDecision = "0"                     mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
    description                          pid   process       target process
    PID 2860 wrote to memory of 2972     2860  rundll32.exe  rundll32.exe
    PID 2860 wrote to memory of 2972     2860  rundll32.exe  rundll32.exe
    PID 2860 wrote to memory of 2972     2860  rundll32.exe  rundll32.exe
    PID 2860 wrote to memory of 2972     2860  rundll32.exe  rundll32.exe
    PID 2860 wrote to memory of 2972     2860  rundll32.exe  rundll32.exe
    PID 2860 wrote to memory of 2972     2860  rundll32.exe  rundll32.exe
    PID 2860 wrote to memory of 2972     2860  rundll32.exe  rundll32.exe
    PID 2972 wrote to memory of 2280     2972  rundll32.exe  mssecsvc.exe
    PID 2972 wrote to memory of 2280     2972  rundll32.exe  mssecsvc.exe
    PID 2972 wrote to memory of 2280     2972  rundll32.exe  mssecsvc.exe
    PID 2972 wrote to memory of 2280     2972  rundll32.exe  mssecsvc.exe
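The two scan signatures above ("Contacts a large (3119) amount of remote hosts" and "Creates a large amount of network flows") boil down to one check: how many distinct destinations a single process reaches inside a short window. The script below is an added example, not part of the Triage report, implementing that check over constructed flow records. The records imitate this run: 3119 distinct hosts contacted by PID 2572 in about a minute, beside a few ordinary browser connections that must not be flagged. The destination port 445 is an assumption drawn from WannaCry's known SMB propagation; this report's Network section is empty and does not state a port.

```python
"""Distinct-destination fan-out detector over constructed flow records.

Added example (not from the sandbox report). The sample flows are synthetic
and sized to match the 3119-host figure in the report's signature.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since capture start
    pid: int
    process: str
    dst_ip: str
    dst_port: int


def build_sample_flows() -> list:
    """Constructed input: PID 2572 (mssecsvc.exe) hits 3119 distinct hosts on
    TCP/445 within ~60 s; firefox.exe (PID 1337, invented) talks to 8 hosts."""
    flows = []
    base = int(IPv4Address("10.0.0.1"))
    for i in range(3119):
        # roughly 52 new hosts per second, a burst rather than a slow trickle
        flows.append(Flow(ts=i / 52.0, pid=2572, process="mssecsvc.exe",
                          dst_ip=str(IPv4Address(base + i)), dst_port=445))
    for i in range(8):
        flows.append(Flow(ts=5.0 + i, pid=1337, process="firefox.exe",
                          dst_ip=f"93.184.216.{i}", dst_port=443))
    return flows


def detect_fan_out(flows, max_hosts: int = 100, window_s: float = 60.0) -> dict:
    """Return {(pid, process): (peak_distinct_hosts, dominant_dst_port)} for
    every process that reached more than `max_hosts` distinct destination IPs
    inside some `window_s`-second sliding window.

    Counting inside a sliding window, instead of over the whole capture, keeps
    a long-lived process that slowly accumulates many peers (a browser over a
    working day) from looking like a burst scan."""
    by_proc = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_proc[(f.pid, f.process)].append(f)

    hits = {}
    for key, recs in by_proc.items():
        port_counts = defaultdict(int)
        in_window = {}       # dst_ip -> most recent timestamp it was contacted
        lo = 0
        peak = 0
        for hi, f in enumerate(recs):
            port_counts[f.dst_port] += 1
            in_window[f.dst_ip] = f.ts
            # evict records older than the window; keep an IP only if it was
            # re-contacted more recently than the record being evicted
            while recs[hi].ts - recs[lo].ts > window_s:
                old = recs[lo]
                if in_window.get(old.dst_ip) == old.ts:
                    del in_window[old.dst_ip]
                lo += 1
            peak = max(peak, len(in_window))
        if peak > max_hosts:
            hits[key] = (peak, max(port_counts, key=port_counts.get))
    return hits


if __name__ == "__main__":
    for (pid, name), (hosts, port) in detect_fan_out(build_sample_flows()).items():
        print(f"{name} (PID {pid}): {hosts} distinct hosts, mostly tcp/{port}")
```

The threshold and window are tuning knobs; 100 hosts in 60 seconds is far below what this sample produced and still above anything a normal desktop process does, but on a server that legitimately fans out (a monitoring poller, a backup agent) the rule needs a per-image allow-list or a higher threshold.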
Processes

- C:\Windows\system32\rundll32.exe  (PID 2860)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f5a868e8958068d3af0674ff3c24289_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe  (PID 2972; the 64-bit rundll32 re-launches the 32-bit DLL under the WOW64 rundll32)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\8f5a868e8958068d3af0674ff3c24289_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe  (PID 2280)
      C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe  (PID 2680)
        C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

- C:\WINDOWS\mssecsvc.exe  (PID 2572; separate process root, no parent shown in the report)
  C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
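The process tree above is the part of this report a detection engineer can turn into a rule without relying on hashes: rundll32.exe writes an executable straight into C:\WINDOWS and runs it, that executable drops and runs a second one (tasksche.exe /i), and a separate mssecsvc.exe instance appears with the service-style `-m security` command line and no parent in the tree. The script below is an added example, not part of the sandbox report, that matches those two patterns over constructed Sysmon-style process-creation records (pid, ppid, image, command line) reproducing the report's tree plus benign noise. The parent PIDs of the root processes, the allow-list of executables that legitimately live directly in %SystemRoot%, and the firefox/explorer/notepad noise are assumptions.

```python
"""Process-tree matcher for the rundll32 -> %SystemRoot% dropper chain.

Added example; not part of the sandbox report. Records are constructed from
the PIDs and command lines the report shows. Parent PIDs 600 and 1200, and
ppid 0 for the `-m security` instance whose parent the report does not show,
are assumptions.
"""
import re
from dataclasses import dataclass, field

# Executables that legitimately live directly in %SystemRoot% (illustrative
# allow-list, not exhaustive). Anything else dropped there deserves a look.
KNOWN_WINDIR_ROOT_EXES = {"explorer.exe", "regedit.exe", "notepad.exe",
                          "hh.exe", "write.exe", "splwow64.exe", "winhlp32.exe"}
WINDIR_ROOT_EXE = re.compile(r"^[A-Za-z]:\\windows\\([^\\]+\.exe)$", re.IGNORECASE)
SERVICE_MODE_ARGS = re.compile(r"\s-m\s+security\b", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list = field(default_factory=list)


def sample_events() -> list:
    """Constructed records using the PIDs and command lines from the report."""
    dll = r"C:\Users\Admin\AppData\Local\Temp\8f5a868e8958068d3af0674ff3c24289_JaffaCakes118.dll"
    return [
        Proc(2860, 600,  r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {dll},#1"),
        Proc(2972, 2860, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {dll},#1"),
        Proc(2280, 2972, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
        Proc(2680, 2280, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
        Proc(2572, 0,    r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
        # benign noise (invented): explorer.exe, which really lives in
        # %SystemRoot%, opening notepad
        Proc(3001, 1200, r"C:\Windows\explorer.exe", "explorer.exe"),
        Proc(3002, 3001, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ]


def build_tree(events) -> dict:
    """Index records by PID and attach each one to its parent's children list."""
    by_pid = {p.pid: p for p in events}
    for p in events:
        parent = by_pid.get(p.ppid)
        if parent is not None:
            parent.children.append(p)
    return by_pid


def unexpected_windir_root_exe(image: str) -> bool:
    """True for an .exe directly under %SystemRoot% that is not allow-listed."""
    m = WINDIR_ROOT_EXE.match(image)
    return bool(m) and m.group(1).lower() not in KNOWN_WINDIR_ROOT_EXES


def find_dropper_chains(by_pid) -> list:
    """(rundll32 pid, child pid, grandchild pid) for every chain of
    rundll32.exe -> unexpected %SystemRoot% exe -> unexpected %SystemRoot% exe."""
    hits = []
    for p in by_pid.values():
        if not p.image.lower().endswith("\\rundll32.exe"):
            continue
        for child in p.children:
            if not unexpected_windir_root_exe(child.image):
                continue
            for grandchild in child.children:
                if unexpected_windir_root_exe(grandchild.image):
                    hits.append((p.pid, child.pid, grandchild.pid))
    return hits


def find_service_mode_roots(by_pid) -> list:
    """PIDs of parentless %SystemRoot% executables started with `-m security`,
    the command line the report shows for the second mssecsvc.exe instance."""
    return [p.pid for p in by_pid.values()
            if p.ppid not in by_pid
            and unexpected_windir_root_exe(p.image)
            and SERVICE_MODE_ARGS.search(p.cmdline)]


if __name__ == "__main__":
    tree = build_tree(sample_events())
    print("dropper chains (rundll32, child, grandchild):", find_dropper_chains(tree))
    print("service-mode roots:", find_service_mode_roots(tree))
```

The first rule is the generic one and the one worth deploying: it does not name mssecsvc.exe or tasksche.exe, so a repacked sample with different file names still matches as long as it keeps writing to the root of the Windows directory. The second rule is sample-specific and only useful as a confirmation; on real telemetry the parent of that instance would be services.exe, and the rule should key on that parent rather than on a missing one.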
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 700719a2b90655e334f915d05c5ec66a
  SHA1: 8b61fcbe344355c6d964b3046fe4ee70c2c62bc8
  SHA256: 814c2bc4ddc0dc5c88d352ccdcb29d4296e816c25c6056772d6c90a8af5b7a62
  SHA512: ee6353ca81500e1c7965484993389da4a6a1fbd7ede9131664f22c5b04107af46d18db2fd6fb51a5cba017c2f51dae7add0f8b1fb2bd60018b74b0876c913cc1

- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: e77b6f2af12d54a10c978b7f665c11c1
  SHA1: 2cf4a829a8598234f206d682b12387ef4017a09e
  SHA256: edac81687e84c1433f1edcdbfb346a7b7fbb93365f98834fa6fc92821852d3e7
  SHA512: 81bdf8ea3f116c4921982901161274ff2e476003637fcc8b4fc47e3d29f6482ecd547d383978991ff8ff7474236595241a2dd99b975ace5dd4c8ee8125bf833f