Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
30-08-2024 00:58
Static task
static1
Behavioral task
behavioral1
Sample
c9f37ba6a50dbd9c6b1d151f66e7b021_JaffaCakes118.dll
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
c9f37ba6a50dbd9c6b1d151f66e7b021_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
c9f37ba6a50dbd9c6b1d151f66e7b021_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
c9f37ba6a50dbd9c6b1d151f66e7b021
-
SHA1
fd82aec0d4f6d49d860a597f7eee952e1b58448f
-
SHA256
b00dc01a768045681b399dbe9b064a71ab8e49e415211cf35edb4e8c5091595e
-
SHA512
86cc7f21693ab39def1b7efe6037be77f9690ea00fa8904d2ff408541459d23f711ed8c5cecbdf20adb96001b92841a6aeed81b9660e23350bc1769647bca5da
-
SSDEEP
98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5/p2H:+DqPe1Cxcxk3ZAEUadJ4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3281) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2968 mssecsvc.exe 3064 mssecsvc.exe 2696 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3502DF43-B7FB-4639-BED9-E61F7BD9135B} mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3502DF43-B7FB-4639-BED9-E61F7BD9135B}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-4d-26-0b-9d-06\WpadDecisionTime = 20a987ba77fada01 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3502DF43-B7FB-4639-BED9-E61F7BD9135B}\WpadDecisionTime = 20a987ba77fada01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3502DF43-B7FB-4639-BED9-E61F7BD9135B}\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3502DF43-B7FB-4639-BED9-E61F7BD9135B}\de-4d-26-0b-9d-06 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-4d-26-0b-9d-06\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-4d-26-0b-9d-06 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-4d-26-0b-9d-06\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0087000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3502DF43-B7FB-4639-BED9-E61F7BD9135B}\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2376 wrote to memory of 2952 2376 rundll32.exe 30 PID 2376 wrote to memory of 2952 2376 rundll32.exe 30 PID 2376 wrote to memory of 2952 2376 rundll32.exe 30 PID 2376 wrote to memory of 2952 2376 rundll32.exe 30 PID 2376 wrote to memory of 2952 2376 rundll32.exe 30 PID 2376 wrote to memory of 2952 2376 rundll32.exe 30 PID 2376 wrote to memory of 2952 2376 rundll32.exe 30 PID 2952 wrote to memory of 2968 2952 rundll32.exe 31 PID 2952 wrote to memory of 2968 2952 rundll32.exe 31 PID 2952 wrote to memory of 2968 2952 rundll32.exe 31 PID 2952 wrote to memory of 2968 2952 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c9f37ba6a50dbd9c6b1d151f66e7b021_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c9f37ba6a50dbd9c6b1d151f66e7b021_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2968 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2696
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3064
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD538e02ec4623c82f324ecc9b43418656b
SHA138dbdf0a24b9f331177dc48a33daf62b1a6550ef
SHA256bb350eae66bfbe94e55099d78f6b5926df0bc0960cd45222da275144ebc95d94
SHA5127b68f24657bc4173cc7be3fc0daf554db81d2769d6ae5f42f77ed9b5a181c009fbd1f8cc249ef4457495bb105e864d48b8729eaadf6b0ecbe65b26599a4fa5c5
-
Filesize
3.4MB
MD5e35598dcb413a66da5474f4ac58c7dd5
SHA1ad37e1288927561e020922032d73cdc990f05a3a
SHA2565dba8d2490b4f0f7f71a0df0aff6dd4c23fd50dde7d8ae2d66a9b05e5f7b484b
SHA512955bfaf5069e880d4481e31e3577233237810b5de170b1722ec7bb9cf657f267ebfe82040a309656a9c05d658ba297422463cd69524ed125cf6b91c4699c679b