Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2024 07:55
Static task: static1
Behavioral task: behavioral1
  Sample: 7bcceca57402c25aa5f2410480f6c515_JaffaCakes118.dll
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 7bcceca57402c25aa5f2410480f6c515_JaffaCakes118.dll
  Resource: win10v2004-20240730-en
General
Target: 7bcceca57402c25aa5f2410480f6c515_JaffaCakes118.dll
Size: 5.0MB
MD5: 7bcceca57402c25aa5f2410480f6c515
SHA1: 08913b0ce5b6357c02dbff3557f31ad317ecc753
SHA256: e27787a3aceac31b912f39e97d49e5bf5b2e19cc16c710a14d6943e31f3658b7
SHA512: 653fd350b4a8a233a08c0e9f64642b49a8f9712605a30b2e18bec3e06e9785da91fa90a1bcd857382933e137a197dd6aaba1fc1b15126139f2b663a5284cecee
SSDEEP: 49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAD8yAH1plAH:TDqPoBhz1aRxcSUDk36SAg8yAVp2H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2961) amount of remote hosts  (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE  (3 IoCs)
  pid    Process
  760    mssecsvc.exe
  4520   mssecsvc.exe
  1056   tasksche.exe
- Creates a large amount of network flows  (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory  (2 IoCs)
  description    ioc                        Process
  File created   C:\WINDOWS\mssecsvc.exe    rundll32.exe
  File created   C:\WINDOWS\tasksche.exe    mssecsvc.exe
- System Location Discovery: System Language Discovery  (1 TTPs, 3 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                             Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     rundll32.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     mssecsvc.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     mssecsvc.exe
- Modifies data under HKEY_USERS  (5 IoCs)
  description       ioc                                                                                                       Process
  Key created       \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\               mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"     mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"    mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"   mssecsvc.exe
  Set value (int)   \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"      mssecsvc.exe
- Suspicious use of WriteProcessMemory  (6 IoCs)
  description                        pid    Process        procid_target
  PID 1504 wrote to memory of 5104   1504   rundll32.exe   80
  PID 1504 wrote to memory of 5104   1504   rundll32.exe   80
  PID 1504 wrote to memory of 5104   1504   rundll32.exe   80
  PID 5104 wrote to memory of 760    5104   rundll32.exe   83
  PID 5104 wrote to memory of 760    5104   rundll32.exe   83
  PID 5104 wrote to memory of 760    5104   rundll32.exe   83
Processes
- C:\Windows\system32\rundll32.exe  (PID 1504)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7bcceca57402c25aa5f2410480f6c515_JaffaCakes118.dll,#1
  Signatures:
    - Suspicious use of WriteProcessMemory
  Child:
  - C:\Windows\SysWOW64\rundll32.exe  (PID 5104)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\7bcceca57402c25aa5f2410480f6c515_JaffaCakes118.dll,#1
    Signatures:
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    Child:
    - C:\WINDOWS\mssecsvc.exe  (PID 760)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures:
        - Executes dropped EXE
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
      Child:
      - C:\WINDOWS\tasksche.exe  (PID 1056)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures:
          - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe  (PID 4520)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
Network
DNS (remote address 8.8.8.8:53)
- A   www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com -> 104.16.166.228, 104.16.167.228

HTTP (remote address 104.16.166.228:80)
- Request:
    GET / HTTP/1.1
    Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
    Cache-Control: no-cache
  Response:
    HTTP/1.1 200 OK
    Content-Type: text/html
    Content-Length: 607
    Connection: close
    Server: cloudflare
    CF-RAY: 8abc066179197765-LHR
- Request:
    GET / HTTP/1.1
    Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
    Cache-Control: no-cache
  Response:
    HTTP/1.1 200 OK
    Content-Type: text/html
    Content-Length: 607
    Connection: close
    Server: cloudflare
    CF-RAY: 8abc06623e9263f1-LHR

DNS PTR lookups (remote address 8.8.8.8:53; "no answer" = empty response)
- 88.156.103.20.in-addr.arpa -> no answer
- 228.166.16.104.in-addr.arpa -> no answer
- 102.252.3.155.in-addr.arpa -> no answer
- 1.252.3.155.in-addr.arpa -> no answer
- 27.14.243.213.in-addr.arpa -> no answer
- 1.14.243.213.in-addr.arpa -> no answer
- 9.116.191.163.in-addr.arpa -> no answer
- 1.116.191.163.in-addr.arpa -> no answer
- 172.214.232.199.in-addr.arpa -> no answer
- 2.252.3.155.in-addr.arpa -> no answer
- 2.116.191.163.in-addr.arpa -> no answer
- 123.177.127.147.in-addr.arpa -> no answer
- 1.177.127.147.in-addr.arpa -> no answer
- 3.116.191.163.in-addr.arpa -> no answer
- 252.191.54.34.in-addr.arpa -> 252.191.54.34.bc.googleusercontent.com
- 1.191.54.34.in-addr.arpa -> 1.191.54.34.bc.googleusercontent.com
- 2.191.54.34.in-addr.arpa -> 2.191.54.34.bc.googleusercontent.com
- 3.191.54.34.in-addr.arpa -> 3.191.54.34.bc.googleusercontent.com
- 6.116.191.163.in-addr.arpa -> no answer
- 5.191.54.34.in-addr.arpa -> 5.191.54.34.bc.googleusercontent.com
- 3.252.3.155.in-addr.arpa -> no answer
- 29.243.111.52.in-addr.arpa -> no answer
- 6.191.54.34.in-addr.arpa -> 6.191.54.34.bc.googleusercontent.com
- 8.191.54.34.in-addr.arpa -> 8.191.54.34.bc.googleusercontent.com
- 2.14.243.213.in-addr.arpa -> no answer
- 9.191.54.34.in-addr.arpa -> 9.191.54.34.bc.googleusercontent.com
- 10.191.54.34.in-addr.arpa -> 10.191.54.34.bc.googleusercontent.com
- 8.116.191.163.in-addr.arpa -> no answer
- 2.177.127.147.in-addr.arpa -> no answer
- 11.191.54.34.in-addr.arpa -> 11.191.54.34.bc.googleusercontent.com
- 12.191.54.34.in-addr.arpa -> 12.191.54.34.bc.googleusercontent.com
- 13.191.54.34.in-addr.arpa -> 13.191.54.34.bc.googleusercontent.com
- 4.252.3.155.in-addr.arpa -> no answer
- 14.191.54.34.in-addr.arpa -> 14.191.54.34.bc.googleusercontent.com
- 15.191.54.34.in-addr.arpa -> 15.191.54.34.bc.googleusercontent.com
- 16.191.54.34.in-addr.arpa -> 16.191.54.34.bc.googleusercontent.com
- 17.191.54.34.in-addr.arpa -> 17.191.54.34.bc.googleusercontent.com
- 10.116.191.163.in-addr.arpa -> no answer
- 82.109.127.147.in-addr.arpa -> no answer
- 1.109.127.147.in-addr.arpa -> no answer
- 236.105.132.137.in-addr.arpa -> no answer
- 1.105.132.137.in-addr.arpa -> no answer
- 18.191.54.34.in-addr.arpa -> 18.191.54.34.bc.googleusercontent.com
- 134.96.42.195.in-addr.arpa -> no answer
- 1.96.42.195.in-addr.arpa -> c3845-kalitkax5ru
- 20.191.54.34.in-addr.arpa -> 20.191.54.34.bc.googleusercontent.com
- 21.191.54.34.in-addr.arpa -> 21.191.54.34.bc.googleusercontent.com
- 11.116.191.163.in-addr.arpa -> no answer
- 23.191.54.34.in-addr.arpa -> 23.191.54.34.bc.googleusercontent.com
- 3.14.243.213.in-addr.arpa -> no answer
- 5.252.3.155.in-addr.arpa -> no answer
- 24.191.54.34.in-addr.arpa -> 24.191.54.34.bc.googleusercontent.com
- 6.177.127.147.in-addr.arpa -> no answer
-
Network flow summary (per-flow bytes sent / received and packets out / in; the host column of this table did not survive extraction, so only the rows below can be attributed)
- HTTP GET http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/ -> 200: 376 B sent, 990 B received, 6 packets out, 5 in (two such flows)
- DNS A www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com -> 104.16.166.228, 104.16.167.228: 95 B sent, 127 B received, 1 packet each way
- DNS PTR 88.156.103.20.in-addr.arpa: 72 B sent, 158 B received, 1 packet each way
- DNS PTR 228.166.16.104.in-addr.arpa: 73 B sent, 135 B received, 1 packet each way
- Several hundred further unattributed flows of 52 B / 1 packet or 104 B / 2 packets sent with nothing received, plus two flows of 104 B sent / 80 B received (2 packets each way)
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 182c6af504b2f776e46a4d4ee2aa3471
  SHA1: 99c250cc48d9a5c79550b9f61aea3ade2cd99187
  SHA256: c63e0d8a241bbead89e3e4154070f523b78b509a073836497e11154a8b38b9df
  SHA512: b539dba594f447ceaf6d1984aa578c1990c7aab55ed4572c0b37f6d47773df99ab7f4eed1915c48055d5fcf42dfe52a63a9969568e28c1c2920538e089c05139
- Filesize: 3.4MB
  MD5: c614ee43316b9d409a65b91a1644429f
  SHA1: 8fb0f4ec1ebb2bb82ebd089d541ea0148f5c49a9
  SHA256: 02e3ccd01c8b231b0179d19b1c86e374a7a4864f3762faad15f5f5077a3bc76f
  SHA512: 0a9f3ef85398a2156f3637e9db5c31bba0ace601bdb0e238c46a3fb174b9a90f6947052b391ec9be3265076df2eb804d9cca9d5a10cc868b117be9e9ea276c4b