Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 15-08-2024 15:48
Static task
- static1
Behavioral task
- behavioral1
  Sample: 9aa42e3fba9d860fd23c3dc54cf65d0b_JaffaCakes118.dll
  Resource: win7-20240705-en
Behavioral task
- behavioral2
  Sample: 9aa42e3fba9d860fd23c3dc54cf65d0b_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
- Target: 9aa42e3fba9d860fd23c3dc54cf65d0b_JaffaCakes118.dll
- Size: 5.0MB
- MD5: 9aa42e3fba9d860fd23c3dc54cf65d0b
- SHA1: 9f3f0fb62e637becd3e275488a5de4859a8291da
- SHA256: 70b3ec5075e19af0268511d678b08543fe3de151d1d0a5d48fd4ae7254000acf
- SHA512: 5e0cae37f7aba85027c13851b2716e774d4f9b0ee78ca06e3feb048bdfb99910e0c9ccc9429a3ff59f21bd915c99f21ba0f620b7a67ddba96381de1e88f4cbd9
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0aEaut/8uME7A4kqAH1pNZtA0p+9XEk:SnAQqMSPbcBVaEau3R8yAH1plAH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3276) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  Processes:
  pid  | process
  2152 | mssecsvc.exe
  2688 | mssecsvc.exe
  2712 | tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes:
  description                  | ioc                                                                                                                     | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  Processes:
  description  | ioc                     | process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
  description | ioc                                                          | process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvc.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  All 24 writes are WinINet "Internet Settings" and WPAD proxy-autodetect state under the .DEFAULT hive, made by mssecsvc.exe (PID 2688, the "-m security" instance). HKEY_USERS\.DEFAULT is the hive a LocalSystem service sees in place of a user profile, so these entries are the side effect of a service-context process using WinINet for network access rather than a persistence mechanism.
  Processes:
  description      | ioc                                                                                                                                          | process
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\                                                  | mssecsvc.exe
  Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix                             | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections                                               | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings                                                           | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad                                                      | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{20D651D1-BF6D-4E8F-AEC5-0D5B1D697711}\WpadDecisionReason = "1" | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-9a-16-fd-74-16                                    | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{20D651D1-BF6D-4E8F-AEC5-0D5B1D697711}\5e-9a-16-fd-74-16 | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-9a-16-fd-74-16\WpadDecisionReason = "1"           | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-9a-16-fd-74-16\WpadDecision = "0"                 | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"                                  | mssecsvc.exe
  Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"                 | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"                               | mssecsvc.exe
  Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{20D651D1-BF6D-4E8F-AEC5-0D5B1D697711}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"                                         | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ae000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{20D651D1-BF6D-4E8F-AEC5-0D5B1D697711}                | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{20D651D1-BF6D-4E8F-AEC5-0D5B1D697711}\WpadDecisionTime = c047b08d2aefda01 | mssecsvc.exe
  Set value (int)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{20D651D1-BF6D-4E8F-AEC5-0D5B1D697711}\WpadDecision = "0" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5e-9a-16-fd-74-16\WpadDecisionTime = c047b08d2aefda01 | mssecsvc.exe
  Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings                                                           | mssecsvc.exe
  Set value (str)  | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"                | mssecsvc.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes:
  description                       | pid  | process      | target process
  PID 3016 wrote to memory of 3036  | 3016 | rundll32.exe | rundll32.exe
  PID 3016 wrote to memory of 3036  | 3016 | rundll32.exe | rundll32.exe
  PID 3016 wrote to memory of 3036  | 3016 | rundll32.exe | rundll32.exe
  PID 3016 wrote to memory of 3036  | 3016 | rundll32.exe | rundll32.exe
  PID 3016 wrote to memory of 3036  | 3016 | rundll32.exe | rundll32.exe
  PID 3016 wrote to memory of 3036  | 3016 | rundll32.exe | rundll32.exe
  PID 3016 wrote to memory of 3036  | 3016 | rundll32.exe | rundll32.exe
  PID 3036 wrote to memory of 2152  | 3036 | rundll32.exe | mssecsvc.exe
  PID 3036 wrote to memory of 2152  | 3036 | rundll32.exe | mssecsvc.exe
  PID 3036 wrote to memory of 2152  | 3036 | rundll32.exe | mssecsvc.exe
  PID 3036 wrote to memory of 2152  | 3036 | rundll32.exe | mssecsvc.exe
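The two network signatures above ("Contacts a large number of remote hosts" and "Creates a large number of network flows") are threshold heuristics over per-process flow records. The Python below is an added example, not the sandbox's own signature code: it aggregates constructed flow records per process, flags processes that exceed assumed host and flow thresholds, and adds a single-port check that separates a service sweep from a client that legitimately talks to many destinations. The sample data is constructed; the 3276-host count mirrors the report, while port 445 and the 10.0.0.0/16 range are assumptions, since the report's Network section shows no port or address data.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Flow:
    pid: int
    process: str
    dst_ip: str
    dst_port: int


# Thresholds are assumptions for this example, not the sandbox's own tuning.
HOST_THRESHOLD = 100    # distinct remote hosts per process
FLOW_THRESHOLD = 1000   # total flows per process


def summarize(flows):
    """Aggregate flows per (pid, process): flow count, distinct hosts,
    distinct ports, and the share of flows on the most common port."""
    hosts = defaultdict(set)
    ports = defaultdict(Counter)
    count = Counter()
    for f in flows:
        key = (f.pid, f.process)
        count[key] += 1
        hosts[key].add(f.dst_ip)
        ports[key][f.dst_port] += 1
    summary = {}
    for key, n in count.items():
        top_port, top_n = ports[key].most_common(1)[0]
        summary[key] = {
            "flows": n,
            "hosts": len(hosts[key]),
            "ports": len(ports[key]),
            "top_port": top_port,
            "top_port_share": top_n / n,
        }
    return summary


def flag_scanners(flows, host_threshold=HOST_THRESHOLD, flow_threshold=FLOW_THRESHOLD):
    """Return {(pid, process): [reasons]} for processes tripping either signature."""
    hits = {}
    for key, s in summarize(flows).items():
        reasons = []
        if s["hosts"] >= host_threshold:
            reasons.append(f"contacts {s['hosts']} remote hosts")
        if s["flows"] >= flow_threshold:
            reasons.append(f"creates {s['flows']} network flows")
        if reasons and s["ports"] == 1:
            # One port across many hosts is the shape of a service sweep,
            # not of ordinary client traffic (browsers spread across hosts
            # but also across 80/443 and many more flows per host).
            reasons.append(f"all flows to port {s['top_port']}")
        if reasons:
            hits[key] = reasons
    return hits


def constructed_flows():
    """Constructed sample: one sweeping process and one benign process.
    Port 445 and 10.0.0.0/16 are assumptions (not shown in the report);
    the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 stand in
    for ordinary HTTPS destinations."""
    base = int(IPv4Address("10.0.0.1"))
    sweep = [Flow(2688, "mssecsvc.exe", str(IPv4Address(base + i)), 445)
             for i in range(3276)]
    benign = [Flow(1234, "svchost.exe", ip, 443)
              for ip in ("192.0.2.10", "192.0.2.10", "198.51.100.7")]
    return sweep + benign


if __name__ == "__main__":
    for key, reasons in flag_scanners(constructed_flows()).items():
        print(key, "; ".join(reasons))
```

On a real trace, feed `flag_scanners` the flow list from the sandbox's network capture (or Sysmon event ID 3 records) and tune the thresholds against a baseline of clean runs; the single-port reason is what keeps CDN-heavy but benign processes from firing.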
Processes
- C:\Windows\system32\rundll32.exe (PID 3016)
  Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9aa42e3fba9d860fd23c3dc54cf65d0b_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 3036)
    Command: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9aa42e3fba9d860fd23c3dc54cf65d0b_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2152)
      Command: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
      - C:\WINDOWS\tasksche.exe (PID 2712)
        Command: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2688)
  Command: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS
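The process tree above is the product of two signatures working together: "Drops file in Windows directory" (rundll32.exe writes C:\WINDOWS\mssecsvc.exe, which in turn writes C:\WINDOWS\tasksche.exe) and "Executes dropped EXE" (each of those paths is then launched). The Python below is an added example, not the sandbox's own code: it correlates file-create and process-create events from a constructed trace, reports every execution of a file written earlier in the same trace, and rebuilds the parent/child tree. The event sequence numbers and the missing parent of PID 2688 (launched outside the traced rundll32 chain) are assumptions; the PIDs, paths and command lines are the report's.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int
    kind: str           # "process_create" or "file_create"
    pid: int            # acting process (for process_create: the new process)
    image: str          # acting process image name
    target: str         # file created, or image path of the new process
    ppid: int = 0       # process_create only; 0 = parent not in trace
    cmdline: str = ""   # process_create only


def norm(path):
    """Comparison key: Windows paths are case-insensitive (C:\\WINDOWS == C:\\Windows)."""
    return path.lower()


def dropped_exe_executions(events):
    """'Executes dropped EXE': a process_create whose image path was written by a
    file_create earlier in the same trace. One hit per execution, in trace order."""
    created = {}    # normalized path -> (pid, image) of the first writer
    hits = []
    for e in sorted(events, key=lambda e: e.seq):
        if e.kind == "file_create":
            created.setdefault(norm(e.target), (e.pid, e.image))
        elif e.kind == "process_create" and norm(e.target) in created:
            dropper_pid, dropper_image = created[norm(e.target)]
            hits.append({"pid": e.pid, "image": e.target,
                         "dropper_pid": dropper_pid, "dropped_by": dropper_image})
    return hits


def windows_dir_drops(events, root="c:\\windows\\"):
    """'Drops file in Windows directory': file_create under the Windows root."""
    return [(e.image, e.target) for e in sorted(events, key=lambda e: e.seq)
            if e.kind == "file_create" and norm(e.target).startswith(root)]


def process_tree(events):
    """Parent/child chains as (depth, pid, cmdline), roots in order of first
    appearance; a process whose parent is not in the trace starts a new root."""
    procs = [e for e in sorted(events, key=lambda e: e.seq) if e.kind == "process_create"]
    known = {e.pid for e in procs}
    children = defaultdict(list)
    roots = []
    for e in procs:
        (children[e.ppid] if e.ppid in known else roots).append(e)
    out = []

    def walk(e, depth):
        out.append((depth, e.pid, e.cmdline))
        for c in children[e.pid]:
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return out


DLL = r"C:\Users\Admin\AppData\Local\Temp\9aa42e3fba9d860fd23c3dc54cf65d0b_JaffaCakes118.dll"


def constructed_events():
    """Constructed trace mirroring the report's tree and file drops. Sequence
    numbers and the absent parent of PID 2688 are assumptions."""
    return [
        Event(1, "process_create", 3016, "rundll32.exe", r"C:\Windows\system32\rundll32.exe",
              cmdline=f"rundll32.exe {DLL},#1"),
        Event(2, "process_create", 3036, "rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              ppid=3016, cmdline=f"rundll32.exe {DLL},#1"),
        Event(3, "file_create", 3036, "rundll32.exe", r"C:\WINDOWS\mssecsvc.exe"),
        Event(4, "process_create", 2152, "mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe",
              ppid=3036, cmdline=r"C:\WINDOWS\mssecsvc.exe"),
        Event(5, "file_create", 2152, "mssecsvc.exe", r"C:\WINDOWS\tasksche.exe"),
        Event(6, "process_create", 2712, "tasksche.exe", r"C:\WINDOWS\tasksche.exe",
              ppid=2152, cmdline=r"C:\WINDOWS\tasksche.exe /i"),
        Event(7, "process_create", 2688, "mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe",
              cmdline=r"C:\WINDOWS\mssecsvc.exe -m security"),
    ]


if __name__ == "__main__":
    ev = constructed_events()
    for depth, pid, cmd in process_tree(ev):
        print("  " * depth + f"{pid} {cmd}")
    for h in dropped_exe_executions(ev):
        print(f"dropped EXE executed: pid {h['pid']} {h['image']} "
              f"(written by {h['dropped_by']} pid {h['dropper_pid']})")
    print("drops in Windows directory:", windows_dir_drops(ev))
```

Sysmon event IDs 1 (process create) and 11 (file create) map directly onto the two event kinds, so the same correlation runs over a live host's log; the second root in the tree is the useful reminder that a dropped binary may be re-launched by a path (here a service start) the original chain does not show.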
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: e5d1c3b34c5fa1ae6b90d08b426931c9
  SHA1: 44d64748f60e1a9c61530969070bcea5b3fe0707
  SHA256: 5a28c3c4f968bceeee332d8ed4541c5d1c9da03ee7561eda4128727afe1be6e3
  SHA512: ac71ed61bd29be16611702c403f4a3cd694693bee077918b20a7e70c6460291718c59c6f9b5fd868c5d5b3b98842fcfd799e26c1071dacf7d24209f21fe288c4
- Filesize: 3.4MB
  MD5: 15762976a59f2f89078b97fcf77d2633
  SHA1: 30292f8d27c657dd061866a18527918c884ef3e5
  SHA256: 13863a87bd97603a0264a54d80215cac6f7a0793d97d324c14eef5b13e8cfa51
  SHA512: dce1430ee138d23b75bba664bf2561cdf7dd6af2cf6925b14a41bd2ba52f6ab1bc6816bfb346662a404948962d21e400ee06dfe2ad95121a55b66aa4b6b995ae