Analysis
Max time kernel: 150s
Max time network: 156s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
Submitted: 03-06-2024 14:07
Static task: static1
Behavioral task: behavioral1
  Sample: 920f8846be4136bbd172db82715ed620_JaffaCakes118.dll
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 920f8846be4136bbd172db82715ed620_JaffaCakes118.dll
  Resource: win10v2004-20240426-en
General
Target: 920f8846be4136bbd172db82715ed620_JaffaCakes118.dll
Size: 5.0MB
MD5: 920f8846be4136bbd172db82715ed620
SHA1: ba184c8d68968deeb7304a713fe67b03639a850d
SHA256: ec4159621c258d5a426905eed5a43e4b7ab5a9d3be0e05a16622ebc430c56164
SHA512: 09cabcf9e67135de399221b3cf64de357914ac070393737be0f085cbca6ef94ba0ec7160c615e80dd106ae61f74e8b84ffa17fb5007a7db0b672b7266c1361be
SSDEEP: 12288:yebLgPlu+QhMbaIMu7L5NVErCA4z2g6rTcbckPU82900Ve7zw+K+hq0yBt6O4LEg:zbLgddQhfdmMSirYbcMNgef0r
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3302) number of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  PID   Process
  3040  mssecsvc.exe
  2640  mssecsvc.exe
  2528  tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes:
  Description                   IoC                                                                                                              Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  Description   IoC                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  Process: mssecsvc.exe for every entry below
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\WpadDecisionTime = 70410976bfb5da01
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\WpadDecisionReason = "1"
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\WpadNetworkName = "Network 3"
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-7a-5e-ac-ac-3b
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\5a-7a-5e-ac-ac-3b
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-7a-5e-ac-ac-3b\WpadDecision = "0"
  Set value (str)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (value not shown in the report)
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-7a-5e-ac-ac-3b\WpadDecisionReason = "1"
  Key created       \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (int)   \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\WpadDecision = "0"
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-7a-5e-ac-ac-3b\WpadDecisionTime = 70410976bfb5da01
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (data)  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0087000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
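The registry writes above are WinINet housekeeping, not ransomware configuration: they live under HKU\.DEFAULT, the profile hive used by processes running as LocalSystem, and they are the keys WinINet populates when a process in that context makes its first HTTP request (proxy auto-detection state under Wpad, the connection-settings blobs, cache prefixes). Two of the values are worth decoding rather than eyeballing. The DefaultConnectionSettings / SavedLegacySettings blob has a documented header (version, change counter, INTERNET_PER_CONN_FLAGS, then three length-prefixed strings for proxy server, bypass list and autoconfig URL); the flags value 0x09 here means "direct" plus "auto-detect", which is exactly why the Wpad keys appear next to it, and the later revision of DefaultConnectionSettings carries the same header with the counter incremented to 3. WpadDecisionTime is a raw little-endian FILETIME. The decoder below is an added example for this report and is not part of the sandbox output; it decodes only the documented part of the blob (the bytes after the third string are auto-detect state that it counts but does not interpret), and the proxied sample fed through the builder is constructed, not taken from the report.

```python
"""Decode the WinINet artefacts listed under HKEY_USERS in this report.

Added example; not part of the sandbox output. Decodes (1) the documented
header of a DefaultConnectionSettings / SavedLegacySettings blob and
(2) a REG_BINARY FILETIME such as WpadDecisionTime.
"""
import struct
from datetime import datetime, timedelta, timezone

# INTERNET_PER_CONN_FLAGS bits (wininet.h)
PROXY_TYPE_DIRECT = 0x1
PROXY_TYPE_PROXY = 0x2
PROXY_TYPE_AUTO_PROXY_URL = 0x4
PROXY_TYPE_AUTO_DETECT = 0x8
FLAG_NAMES = {
    PROXY_TYPE_DIRECT: "direct",
    PROXY_TYPE_PROXY: "proxy",
    PROXY_TYPE_AUTO_PROXY_URL: "autoconfig-url",
    PROXY_TYPE_AUTO_DETECT: "auto-detect(WPAD)",
}

# SavedLegacySettings as listed in the report: header 46000000 02000000 09000000,
# then three zero string lengths and a 32-byte all-zero tail (56 bytes in total).
REPORT_SAVED_LEGACY = bytes.fromhex("460000000200000009000000") + bytes(44)
# WpadDecisionTime as listed in the report (raw REG_BINARY bytes, little-endian FILETIME).
REPORT_WPAD_DECISION_TIME = bytes.fromhex("70410976bfb5da01")


def parse_connection_settings(blob: bytes) -> dict:
    """Decode version, change counter, proxy flags and the three length-prefixed strings.

    Bytes after the third string are auto-detect state that this example does
    not decode; only their length is reported.
    """
    if len(blob) < 24:
        raise ValueError("blob too short: need 12-byte header plus three length fields")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    if version not in (0x3C, 0x46):
        raise ValueError(f"unexpected version field {version:#x}")
    off = 12
    strings = {}
    for name in ("proxy_server", "proxy_bypass", "autoconfig_url"):
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        if n > len(blob) - off:
            raise ValueError(f"{name}: length {n} runs past end of blob")
        strings[name] = blob[off:off + n].decode("ascii", errors="replace")
        off += n
    return {
        "version": version,
        "counter": counter,
        "flags": flags,
        "flag_names": [FLAG_NAMES[b] for b in sorted(FLAG_NAMES) if flags & b],
        **strings,
        "undecoded_tail_bytes": len(blob) - off,
    }


def build_connection_settings(counter: int, flags: int, proxy_server: str = "",
                              proxy_bypass: str = "", autoconfig_url: str = "",
                              tail: bytes = bytes(32)) -> bytes:
    """Inverse of parse_connection_settings; used to construct a proxied sample below."""
    out = struct.pack("<III", 0x46, counter, flags)
    for s in (proxy_server, proxy_bypass, autoconfig_url):
        b = s.encode("ascii")
        out += struct.pack("<I", len(b)) + b
    return out + tail


def filetime_to_datetime(raw: bytes) -> datetime:
    """Convert an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


# Constructed sample (not from the report): explicit proxy with a bypass list.
CONSTRUCTED_PROXIED = build_connection_settings(
    5, PROXY_TYPE_DIRECT | PROXY_TYPE_PROXY, "proxy.example.test:8080", "<local>")

if __name__ == "__main__":
    print(parse_connection_settings(REPORT_SAVED_LEGACY))
    print(parse_connection_settings(CONSTRUCTED_PROXIED))
    print(filetime_to_datetime(REPORT_WPAD_DECISION_TIME).isoformat())
```

Decoding the report's WpadDecisionTime gives 2024-06-03 14:08:08 UTC, about a minute after the submission time in the header, which is a quick consistency check that the value is a genuine timestamp from this run rather than something carried in by the sample.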
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  PID   Process       Target PID  Target process  Entries
  2092  rundll32.exe  2732        rundll32.exe    7 (identical "wrote to memory of" records)
  2732  rundll32.exe  3040        mssecsvc.exe    4 (identical "wrote to memory of" records)
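The two network signatures in this list ("Contacts a large (3302) number of remote hosts" and "Creates a large number of network flows") are fan-out heuristics: one source opening connections to far more distinct destinations than a workstation normally does inside a short window. The check below reproduces that logic over flow records so it can be run against NetFlow or firewall exports. It is an added example for this report, not part of the sandbox output; the flow records are constructed (the report states only the host count, not destinations, ports or timing), and the port 445 in the sample sweep is part of that constructed data rather than something the report asserts. It also reports the dominant destination port and its share, since a service sweep hits one port across many hosts while ordinary traffic spreads across ports.

```python
"""Fan-out check behind the "contacts a large number of remote hosts" signature.

Added example; not part of the sandbox report. The flow records are
constructed: the report states only the host count (3302), not the
destinations, ports or timing.
"""
from collections import Counter, defaultdict


def fan_out(flows, window_s=60.0, min_hosts=100):
    """Return sources that reach at least min_hosts distinct destinations inside any window_s span.

    flows: iterable of (ts_seconds, src, dst, dport). Each finding carries the
    dominant destination port and its share of the flows in the window where
    the distinct-host count peaked.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_src[src].append((ts, dst, dport))

    findings = []
    for src, recs in by_src.items():
        recs.sort()
        hosts, ports = Counter(), Counter()
        left = 0
        best_hosts, best_port, best_share = 0, None, 0.0
        for ts, dst, dport in recs:               # expand the window on the right ...
            hosts[dst] += 1
            ports[dport] += 1
            while recs[left][0] < ts - window_s:  # ... and drop records older than window_s on the left
                _, old_dst, old_port = recs[left]
                hosts[old_dst] -= 1
                if hosts[old_dst] == 0:
                    del hosts[old_dst]
                ports[old_port] -= 1
                if ports[old_port] == 0:
                    del ports[old_port]
                left += 1
            if len(hosts) > best_hosts:
                port, n = ports.most_common(1)[0]
                best_hosts, best_port, best_share = len(hosts), port, n / sum(ports.values())
        if best_hosts >= min_hosts:
            findings.append({"src": src, "distinct_hosts": best_hosts,
                             "dominant_port": best_port, "port_share": round(best_share, 3)})
    return findings


def constructed_flows():
    """Constructed traffic: one host sweeping 150 addresses on a single port, one behaving normally."""
    flows = []
    for i in range(150):                      # 150 distinct targets, one port, 0.2 s apart
        flows.append((1000.0 + i * 0.2, "10.0.0.5", f"10.0.1.{i + 1}", 445))
    flows += [(1001.0, "10.0.0.5", "10.0.2.9", 80),    # unrelated traffic from the same host
              (1002.0, "10.0.0.5", "10.0.2.9", 443)]
    for i in range(5):                        # a workstation talking to five servers
        flows.append((1000.0 + i, "10.0.0.7", f"10.0.3.{i + 1}", 443))
    return flows


if __name__ == "__main__":
    for finding in fan_out(constructed_flows()):
        print(finding)
```

The thresholds are the tuning knobs: a 60 s window and 100 hosts catch a worm-style sweep like the one this report scored (3302 hosts in a 156 s network run) while leaving a workstation's handful of servers alone; vulnerability scanners and monitoring hosts will also trip it and need an allow-list rather than a higher threshold.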
Processes
1. C:\Windows\system32\rundll32.exe (PID 2092)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\920f8846be4136bbd172db82715ed620_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 2732)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\920f8846be4136bbd172db82715ed620_JaffaCakes118.dll,#1
      - Drops file in Windows directory
      - Suspicious use of WriteProcessMemory
      3. C:\WINDOWS\mssecsvc.exe (PID 3040)
         Command line: C:\WINDOWS\mssecsvc.exe
         - Executes dropped EXE
         - Drops file in Windows directory
         4. C:\WINDOWS\tasksche.exe (PID 2528)
            Command line: C:\WINDOWS\tasksche.exe /i
            - Executes dropped EXE

1. C:\WINDOWS\mssecsvc.exe (PID 2640), second tree root (the report shows no parent)
   Command line: C:\WINDOWS\mssecsvc.exe -m security
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies data under HKEY_USERS
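The tree above is the behaviour a host-based rule should key on: a DLL under a user's Temp directory is loaded through rundll32.exe, that rundll32 instance writes an executable into C:\Windows, and the executable is run moments later, which in turn drops and runs a second one. (The 64-bit rundll32.exe under system32 handing off to the SysWOW64 copy is normal WoW64 behaviour for a 32-bit DLL, which the "arch:x86" resource tag reflects; it is the 32-bit instance, PID 2732, that does the writing.) The detection below pairs file-create events with later process-create events for the same path and separately flags rundll32 invocations loading from AppData\Local\Temp. It is an added example for this report, not part of the sandbox output. The event records are constructed to mirror the report's process tree (same images, PIDs and paths); the timestamps, the event schema, and the benign records (a hypothetical installer under C:\Program Files\Acme and a log write) are invented for the demonstration, and parent PIDs the report does not show are left as None.

```python
"""Detect 'dropped executable then executed' chains in process/file events.

Added example for this report; it is not part of the sandbox output. The
event records are constructed to mirror the report's process tree; the
timestamps and the benign records are invented, and parent PIDs the report
does not show are left as None.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    ts: float
    kind: str                 # "ProcessCreate" or "FileCreate"
    pid: int                  # acting process
    image: str                # acting process image path
    target: str = ""          # FileCreate: file written; ProcessCreate: command line
    ppid: Optional[int] = None


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


WATCHED_DIRS = ("c:\\windows\\",)   # a user-launched DLL has no business writing executables here


def dropped_then_executed(events, max_gap_s=300.0):
    """Pair FileCreate of an .exe under a watched directory with a later ProcessCreate of that path."""
    pending = {}          # normalized path -> (write ts, writer pid, writer image)
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "FileCreate":
            p = _norm(ev.target)
            if p.startswith(WATCHED_DIRS) and p.endswith(".exe"):
                pending[p] = (ev.ts, ev.pid, ev.image)
        elif ev.kind == "ProcessCreate":
            hit = pending.get(_norm(ev.image))
            if hit and 0 <= ev.ts - hit[0] <= max_gap_s:
                # the entry is deliberately kept: a dropped binary re-run later (PID 2640) is a second hit
                findings.append({
                    "dropped": ev.image, "writer_pid": hit[1], "writer_image": hit[2],
                    "exec_pid": ev.pid, "cmdline": ev.target, "gap_s": round(ev.ts - hit[0], 3),
                })
    return findings


def rundll32_loading_from_user_temp(events):
    """PIDs of rundll32.exe instances whose command line names a DLL under a user's AppData\\Local\\Temp."""
    out = []
    for ev in events:
        if ev.kind != "ProcessCreate" or not _norm(ev.image).endswith("\\rundll32.exe"):
            continue
        cl = _norm(ev.target)
        if "\\appdata\\local\\temp\\" in cl and ".dll" in cl:
            out.append(ev.pid)
    return out


def constructed_events():
    """Chain from the report's process tree (PIDs and paths as listed); timestamps invented."""
    dll = r"C:\Users\Admin\AppData\Local\Temp\920f8846be4136bbd172db82715ed620_JaffaCakes118.dll"
    return [
        Event(0.0, "ProcessCreate", 2092, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {dll},#1"),
        Event(0.5, "ProcessCreate", 2732, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {dll},#1", 2092),
        Event(1.0, "FileCreate",    2732, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\WINDOWS\mssecsvc.exe"),
        Event(1.2, "ProcessCreate", 3040, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe", 2732),
        Event(2.0, "FileCreate",    3040, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\tasksche.exe"),
        Event(2.3, "ProcessCreate", 2528, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i", 3040),
        Event(3.0, "ProcessCreate", 2640, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
        # Benign noise (constructed): an installer writing outside C:\Windows, and a log file inside it.
        Event(4.0, "FileCreate",    900, r"C:\Windows\System32\msiexec.exe", r"C:\Program Files\Acme\acme.exe"),
        Event(4.5, "ProcessCreate", 901, r"C:\Program Files\Acme\acme.exe", r"acme.exe --firstrun", 900),
        Event(5.0, "FileCreate",    902, r"C:\Windows\System32\svchost.exe", r"C:\Windows\Temp\update.log"),
    ]


if __name__ == "__main__":
    evs = constructed_events()
    for finding in dropped_then_executed(evs):
        print(finding)
    print("rundll32 from user temp:", rundll32_loading_from_user_temp(evs))
```

Run against the constructed chain this yields three dropped-then-executed hits (PIDs 3040, 2528 and 2640), matching the report's "Executes dropped EXE (3 IoCs)", and two rundll32 hits (2092 and 2732). Keeping the file entry after its first execution is what makes the separately started `mssecsvc.exe -m security` count; shorten max_gap_s if the second start is expected to come much later.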
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Windows\mssecsvc.exe
  Filesize: 3.6MB
  MD5: 34098727098a3dec3d3d7d404cdd80f3
  SHA1: bc8f7137bf67a20726d7f3ad23051c62f1012374
  SHA256: c15022855bcbb1dc8b87ebe9746b912e993fde3f12aaf7812b1baa7ba1d6faeb
  SHA512: 31489b5f9b3a83c1b1c652c248015753b41046523ab4039486d52ce24ebe752a6a805a21450e959845c94d62c2dad648aeb6449e4139b9a46685cd7d4aabfce2
- C:\Windows\tasksche.exe
  Filesize: 3.4MB
  MD5: 86b8dc0e4fd2c5a82fe3d83052330ad3
  SHA1: e6019ec59f381b1785c3e2a582fb6c503bb80570
  SHA256: e04db2b525fb78b6adc528f7cdb856e18ca1db803d3a390bae7df0fb57ad03c6
  SHA512: a04c021f4a0e7a9ea2afaf3213c4461c69a80714d5ade8b079ff43aba30ffd0d4dd456f3d9c8ec8336102d14487ef117fa3d30774a0955aa528a2e8d2ef5ca7d