Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 03-06-2024 06:09
Static task
- static1

Behavioral task
- behavioral1
  Sample: 90c8869e6e9d1f1b1b1f221fb032e218_JaffaCakes118.dll
  Resource: win7-20240508-en

Behavioral task
- behavioral2
  Sample: 90c8869e6e9d1f1b1b1f221fb032e218_JaffaCakes118.dll
  Resource: win10v2004-20240508-en
General
- Target: 90c8869e6e9d1f1b1b1f221fb032e218_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 90c8869e6e9d1f1b1b1f221fb032e218
- SHA1: dcad9af675d7b34dab3e48d880ea9c7caed17e19
- SHA256: d95046fcae8f8b55b9a2c5af4f06f1355a7540af084ac4246ca576115f8b892b
- SHA512: 3cd7847e617048af2e369ef1f93687ca02e60ca3aa1f874a25c3ed9f1b334bcad2cf71ccb3aef025d76dfd6c7a378b2c599a67b14641a5275cdf2df012843baf
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef09EcpcL7nEaut/8uME7A4kqAH1pNZtA0p+9XEk:SnAQqMSPbcBV9EcaEau3R8yAH1plAH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3186) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  | pid  | process      |
  |------|--------------|
  | 3068 | mssecsvc.exe |
  | 2316 | mssecsvc.exe |
  | 2620 | tasksche.exe |
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes:
  | description                  | ioc                                                                                                                           | process      |
  |------------------------------|-------------------------------------------------------------------------------------------------------------------------------|--------------|
  | File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat                | mssecsvc.exe |
- Drops file in Windows directory (2 IoCs)
  Processes:
  | description  | ioc                     | process      |
  |--------------|-------------------------|--------------|
  | File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe |
  | File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe |
- Modifies data under HKEY_USERS (24 IoCs)
  Processes (all by mssecsvc.exe):
  | description      | ioc |
  |------------------|-----|
  | Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad |
  | Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f008c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
  | Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF0BD60E-B27B-44C3-9A9C-D62E829F52A5}\WpadDecisionReason = "1" |
  | Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF0BD60E-B27B-44C3-9A9C-D62E829F52A5}\3e-be-35-c3-05-ad |
  | Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-be-35-c3-05-ad\WpadDecisionTime = 807f97917cb5da01 |
  | Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
  | Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
  | Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" |
  | Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ |
  | Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" |
  | Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" |
  | Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF0BD60E-B27B-44C3-9A9C-D62E829F52A5}\WpadDecisionTime = 807f97917cb5da01 |
  | Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-be-35-c3-05-ad |
  | Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings |
  | Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
  | Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (no value shown in the report) |
  | Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" |
  | Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF0BD60E-B27B-44C3-9A9C-D62E829F52A5} |
  | Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF0BD60E-B27B-44C3-9A9C-D62E829F52A5}\WpadDecision = "0" |
  | Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CF0BD60E-B27B-44C3-9A9C-D62E829F52A5}\WpadNetworkName = "Network 2" |
  | Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-be-35-c3-05-ad\WpadDecisionReason = "1" |
  | Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
  | Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" |
  | Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3e-be-35-c3-05-ad\WpadDecision = "0" |
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  | description                       | pid  | process      | target process | events |
  |-----------------------------------|------|--------------|----------------|--------|
  | PID 2552 wrote to memory of 2740  | 2552 | rundll32.exe | rundll32.exe   | 7      |
  | PID 2740 wrote to memory of 3068  | 2740 | rundll32.exe | mssecsvc.exe   | 4      |
Processes
- C:\Windows\system32\rundll32.exe (PID 2552)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\90c8869e6e9d1f1b1b1f221fb032e218_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2740)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\90c8869e6e9d1f1b1b1f221fb032e218_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 3068)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory
      - C:\WINDOWS\tasksche.exe (PID 2620)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2316)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; Modifies data under HKEY_USERS
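The process tree and the signature counts above can be re-derived from a raw event stream, which is the check an analyst wants when triaging a trace without the sandbox's own rule engine. The following script is an added example and is not part of the sandbox report or its tooling. The event format (kind, pid, image, target) is an assumption made for illustration; the sample events are constructed to mirror the report's process tree (rundll32.exe writes mssecsvc.exe, which writes tasksche.exe, plus a second mssecsvc.exe instance), and the SMB connections are invented because the report does not list its network flows. The scan threshold is likewise an assumption.

```python
"""Re-derive 'Executes dropped EXE', 'Drops file in Windows directory' and the
remote-host scan heuristic from a simple sandbox-style event stream.

Added example, not part of the sandbox report. The event layout is assumed;
the sample events are constructed to mirror the report's process tree, and the
network targets are made up (the report does not publish its flows).
"""
from collections import namedtuple

Event = namedtuple("Event", "kind pid image target")

SAMPLE_EVENTS = [
    Event("proc_create", 2552, r"C:\Windows\system32\rundll32.exe", ""),
    Event("proc_create", 2740, r"C:\Windows\SysWOW64\rundll32.exe", ""),
    Event("file_create", 2740, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\WINDOWS\mssecsvc.exe"),
    Event("proc_create", 3068, r"C:\WINDOWS\mssecsvc.exe", ""),
    Event("file_create", 3068, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\tasksche.exe"),
    Event("proc_create", 2620, r"C:\WINDOWS\tasksche.exe", ""),
    Event("proc_create", 2316, r"C:\WINDOWS\mssecsvc.exe", ""),
    # Constructed SMB connections from the second mssecsvc.exe instance;
    # addresses are invented for the example.
    Event("net_connect", 2316, r"C:\WINDOWS\mssecsvc.exe", "10.0.0.5:445"),
    Event("net_connect", 2316, r"C:\WINDOWS\mssecsvc.exe", "10.0.0.6:445"),
    Event("net_connect", 2316, r"C:\WINDOWS\mssecsvc.exe", "10.0.0.6:445"),
    Event("net_connect", 2316, r"C:\WINDOWS\mssecsvc.exe", "198.51.100.7:445"),
]


def executed_dropped_exes(events):
    """'Executes dropped EXE': a process whose image was written by an earlier
    file_create in the same trace. Paths compare case-insensitively, as NTFS does."""
    dropped = {}   # lowercased path -> pid of the process that wrote it
    hits = []
    for ev in events:
        if ev.kind == "file_create":
            dropped[ev.target.lower()] = ev.pid
        elif ev.kind == "proc_create" and ev.image.lower() in dropped:
            hits.append({"image": ev.image, "pid": ev.pid,
                         "dropper_pid": dropped[ev.image.lower()]})
    return hits


def windows_dir_drops(events, windows_dir=r"C:\Windows"):
    """'Drops file in Windows directory': file_create targets directly under the
    Windows root. Writes into System32/SysWOW64 are a separate signature on the
    page, so subdirectories are deliberately excluded here."""
    root = windows_dir.lower().rstrip("\\") + "\\"
    out = []
    for ev in events:
        if ev.kind != "file_create":
            continue
        path = ev.target.lower()
        if path.startswith(root) and "\\" not in path[len(root):]:
            out.append(ev.target)
    return out


def unique_remote_hosts(events):
    """Distinct hosts contacted. The port is split off from the right so an
    IPv6 literal such as [fe80::1]:445 keeps its colons."""
    return {ev.target.rsplit(":", 1)[0] for ev in events if ev.kind == "net_connect"}


def looks_like_scan(events, threshold=100):
    """The report's heuristic: many distinct hosts in one trace suggests a scan.
    The threshold is an assumption; the sandbox's cut-off is not published here."""
    return len(unique_remote_hosts(events)) >= threshold


if __name__ == "__main__":
    for hit in executed_dropped_exes(SAMPLE_EVENTS):
        print("executed dropped EXE:", hit)
    print("dropped in Windows dir:", windows_dir_drops(SAMPLE_EVENTS))
    print("remote hosts:", sorted(unique_remote_hosts(SAMPLE_EVENTS)))
    print("scan at threshold 3?", looks_like_scan(SAMPLE_EVENTS, threshold=3))
```

Against the constructed events this yields three "executed dropped EXE" hits (PIDs 3068, 2620 and 2316) and two files dropped in the Windows directory, matching the counts the report attaches to those signatures; the scan heuristic only fires once the distinct-host count crosses whatever threshold the analyst chooses, which is why the report's figure of 3186 hosts is the interesting number rather than the flow count alone.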
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 425027950eceb3ef8618a41d4c2c7561
  SHA1: 699a7ca5c7d80efe6686626e3cb0dead45c160fa
  SHA256: aecbe9a152fa04a3d621917d9dbf46a00d0f48832ef72763d8a36e7d741e3f69
  SHA512: 67d9198eaeb7d223ea63468155df4398a52f00c8fa8a04806476e37f81a1a6b1040df5bd826c335ccb8f063834067a38cb912dc58841699207550a836c4662ac
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 0d69feba1b77be64ffe3e073ceac533a
  SHA1: a24bbc7d295954433f2f2b897bc4c48a3bab698a
  SHA256: 0bba41a3a33d8a913dd6ef84a371661da83d724a191f7cb2fa09753f913b80df
  SHA512: 83e4e65cf686235020ee2bcabd6f90be81a35a8d43f90d671f22a6136b41c0b1ffcc13416d6c2a7de02362a2dd288fe3058e4e4d924544117b0c675f2dde5259