Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
31-07-2024 07:55
Static task
static1
Behavioral task
behavioral1
Sample
7bcceca57402c25aa5f2410480f6c515_JaffaCakes118.dll
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
7bcceca57402c25aa5f2410480f6c515_JaffaCakes118.dll
Resource
win10v2004-20240730-en
General
-
Target
7bcceca57402c25aa5f2410480f6c515_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
7bcceca57402c25aa5f2410480f6c515
-
SHA1
08913b0ce5b6357c02dbff3557f31ad317ecc753
-
SHA256
e27787a3aceac31b912f39e97d49e5bf5b2e19cc16c710a14d6943e31f3658b7
-
SHA512
653fd350b4a8a233a08c0e9f64642b49a8f9712605a30b2e18bec3e06e9785da91fa90a1bcd857382933e137a197dd6aaba1fc1b15126139f2b663a5284cecee
-
SSDEEP
49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAD8yAH1plAH:TDqPoBhz1aRxcSUDk36SAg8yAVp2H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3205) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
Processes:
mssecsvc.exemssecsvc.exetasksche.exepid process 2968 mssecsvc.exe 2032 mssecsvc.exe 2644 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
mssecsvc.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
Processes:
mssecsvc.exerundll32.exedescription ioc process File created C:\WINDOWS\tasksche.exe mssecsvc.exe File created C:\WINDOWS\mssecsvc.exe rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rundll32.exemssecsvc.exemssecsvc.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
Processes:
mssecsvc.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3502DF43-B7FB-4639-BED9-E61F7BD9135B} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3502DF43-B7FB-4639-BED9-E61F7BD9135B}\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3502DF43-B7FB-4639-BED9-E61F7BD9135B}\de-4d-26-0b-9d-06 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3502DF43-B7FB-4639-BED9-E61F7BD9135B}\WpadDecisionReason = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3502DF43-B7FB-4639-BED9-E61F7BD9135B}\WpadNetworkName = "Network 3" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-4d-26-0b-9d-06\WpadDecisionTime = 406560fd1ee3da01 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0087000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3502DF43-B7FB-4639-BED9-E61F7BD9135B}\WpadDecisionTime = 406560fd1ee3da01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-4d-26-0b-9d-06\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-4d-26-0b-9d-06 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-4d-26-0b-9d-06\WpadDecision = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2376 wrote to memory of 2952 2376 rundll32.exe rundll32.exe PID 2376 wrote to memory of 2952 2376 rundll32.exe rundll32.exe PID 2376 wrote to memory of 2952 2376 rundll32.exe rundll32.exe PID 2376 wrote to memory of 2952 2376 rundll32.exe rundll32.exe PID 2376 wrote to memory of 2952 2376 rundll32.exe rundll32.exe PID 2376 wrote to memory of 2952 2376 rundll32.exe rundll32.exe PID 2376 wrote to memory of 2952 2376 rundll32.exe rundll32.exe PID 2952 wrote to memory of 2968 2952 rundll32.exe mssecsvc.exe PID 2952 wrote to memory of 2968 2952 rundll32.exe mssecsvc.exe PID 2952 wrote to memory of 2968 2952 rundll32.exe mssecsvc.exe PID 2952 wrote to memory of 2968 2952 rundll32.exe mssecsvc.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7bcceca57402c25aa5f2410480f6c515_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\7bcceca57402c25aa5f2410480f6c515_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2968 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2644
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2032
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5182c6af504b2f776e46a4d4ee2aa3471
SHA199c250cc48d9a5c79550b9f61aea3ade2cd99187
SHA256c63e0d8a241bbead89e3e4154070f523b78b509a073836497e11154a8b38b9df
SHA512b539dba594f447ceaf6d1984aa578c1990c7aab55ed4572c0b37f6d47773df99ab7f4eed1915c48055d5fcf42dfe52a63a9969568e28c1c2920538e089c05139
-
Filesize
3.4MB
MD5c614ee43316b9d409a65b91a1644429f
SHA18fb0f4ec1ebb2bb82ebd089d541ea0148f5c49a9
SHA25602e3ccd01c8b231b0179d19b1c86e374a7a4864f3762faad15f5f5077a3bc76f
SHA5120a9f3ef85398a2156f3637e9db5c31bba0ace601bdb0e238c46a3fb174b9a90f6947052b391ec9be3265076df2eb804d9cca9d5a10cc868b117be9e9ea276c4b