Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 03-06-2024 03:56
Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 9075df3b07f0c4a8456d8c0a4ee238a3_JaffaCakes118.dll
  Resource: win7-20240221-en
- Behavioral task: behavioral2
  Sample: 9075df3b07f0c4a8456d8c0a4ee238a3_JaffaCakes118.dll
  Resource: win10v2004-20240226-en
General
- Target: 9075df3b07f0c4a8456d8c0a4ee238a3_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 9075df3b07f0c4a8456d8c0a4ee238a3
- SHA1: 146bde116d5db4bc3fd267331a0bc471e76cf383
- SHA256: a29bcd2e4bed2070694649cd396fc55ec9ea8d85ac353123e1300822de6f35c7
- SHA512: 2ddd4a42df2b65bbf6384da04010bcd71d262c52f7cf4d655811f7cb7ba9ff10579fbebf095b47df79368ce876d28b9f6ef5d4d88e3d76d09424898fd27df704
- SSDEEP: 24576:zbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYoAdNLKz6626dhWRgImGt/8CatZK:znAQqMSPbcBVQej/1INRaQyvGSIkI
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3273) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes (PID, process): 2032 mssecsvc.exe; 2156 mssecsvc.exe; 1744 tasksche.exe
- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (process: mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\mssecsvc.exe (process: rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (process: mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Process: mssecsvc.exe (registry keys created and values set under \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings)
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2248 (rundll32.exe) wrote to memory of PID 2024 (rundll32.exe): 7 entries
  PID 2024 (rundll32.exe) wrote to memory of PID 2032 (mssecsvc.exe): 4 entries
Processes
- C:\Windows\system32\rundll32.exe (PID 2248)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9075df3b07f0c4a8456d8c0a4ee238a3_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2024, child of 2248)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9075df3b07f0c4a8456d8c0a4ee238a3_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2032, child of 2024)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 1744, child of 2032)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2156)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: d0ed5c9985c0199e7369af95e02a04b6
  SHA1: 224c45266c93c34b63a21bd32cc43d0d88b21997
  SHA256: 6d781308531574bfb81814afbc274788e5bcf382f49647f75d34c64c3964dd18
  SHA512: 30de7972cbd6427add8ae2f90ec39ddf5b5880186aa83886abea0849edc13dd89af801ce5f16108730cf1a024ce7e6dfa65da9ae00c7a842bcdfa5c05e6c24ea
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: aa006359852192bee5625567bc884a62
  SHA1: 1892f556af3b41fc9abe57542b6a031d2706b34c
  SHA256: 4f5642d36690d79623dd0bb89cfab51e61216f8bab4323ee09a98005a0756fda
  SHA512: 41c603812d893cb3b3425e7ada17835f53ede64ce64a78c8b56dbe455c7dd439d3c6d3e29d36699b765ad067534e54304adcf0d128299e3d0b416f7e3c645364