Resubmissions
26-09-2024 23:42
240926-3qeh6atgpq 1030-08-2024 18:53
240830-xjrl9azhpn 1030-08-2024 15:42
240830-s5d6tssfmm 1030-08-2024 15:38
240830-s27c7s1gld 10Analysis
-
max time kernel
109s -
max time network
114s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
30-08-2024 15:42
Static task
static1
Behavioral task
behavioral1
Sample
cb211e0f58c5a58b0a035936c7d86952_JaffaCakes118.dll
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
cb211e0f58c5a58b0a035936c7d86952_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
cb211e0f58c5a58b0a035936c7d86952_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
cb211e0f58c5a58b0a035936c7d86952
-
SHA1
e256814cd2179c95a750bd2968acec788a41c8ff
-
SHA256
0ddfe514fb8fc1f583db27be85c703fd17ffe5b196a448ec50da063ee51d21b3
-
SHA512
9436d9d128f0234b14b853515bc2e7aadac2d921a2ac0517617d39c978bc6fc39887c76494b88475f372e98e361e3c77a5418455142dec243b77220e92c58757
-
SSDEEP
98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P5QMS1:TDqPe1Cxcxk3ZAEUad2
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (2127) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 1956 mssecsvc.exe 2800 mssecsvc.exe 2720 tasksche.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\tasksche.exe mssecsvc.exe File created C:\WINDOWS\mssecsvc.exe rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0075000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{60816362-584E-4B0F-ABE7-4BD28D0CCB78} mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{60816362-584E-4B0F-ABE7-4BD28D0CCB78}\WpadDecisionTime = d0b45c3af3fada01 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{60816362-584E-4B0F-ABE7-4BD28D0CCB78}\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-80-07-34-ab-cf\WpadDecision = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{60816362-584E-4B0F-ABE7-4BD28D0CCB78}\12-80-07-34-ab-cf mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-80-07-34-ab-cf\WpadDecisionTime = d0b45c3af3fada01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{60816362-584E-4B0F-ABE7-4BD28D0CCB78}\WpadNetworkName = "Network 3" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{60816362-584E-4B0F-ABE7-4BD28D0CCB78}\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-80-07-34-ab-cf mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-80-07-34-ab-cf\WpadDecisionReason = "1" mssecsvc.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2480 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: 33 576 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 576 AUDIODG.EXE Token: 33 576 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 576 AUDIODG.EXE Token: SeDebugPrivilege 1632 taskmgr.exe -
Suspicious use of FindShellTrayWindow 40 IoCs
pid Process 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe -
Suspicious use of SendNotifyMessage 40 IoCs
pid Process 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe 1632 taskmgr.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 2480 EXCEL.EXE 2480 EXCEL.EXE 2480 EXCEL.EXE -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2444 wrote to memory of 2476 2444 rundll32.exe 28 PID 2444 wrote to memory of 2476 2444 rundll32.exe 28 PID 2444 wrote to memory of 2476 2444 rundll32.exe 28 PID 2444 wrote to memory of 2476 2444 rundll32.exe 28 PID 2444 wrote to memory of 2476 2444 rundll32.exe 28 PID 2444 wrote to memory of 2476 2444 rundll32.exe 28 PID 2444 wrote to memory of 2476 2444 rundll32.exe 28 PID 2476 wrote to memory of 1956 2476 rundll32.exe 29 PID 2476 wrote to memory of 1956 2476 rundll32.exe 29 PID 2476 wrote to memory of 1956 2476 rundll32.exe 29 PID 2476 wrote to memory of 1956 2476 rundll32.exe 29
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cb211e0f58c5a58b0a035936c7d86952_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cb211e0f58c5a58b0a035936c7d86952_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1956 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2720
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2800
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"1⤵PID:2716
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3041⤵
- Suspicious use of AdjustPrivilegeToken
PID:576
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1632
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2480
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
280B
MD516a7f7e3ec2b45c8f3c5057dffe86e83
SHA1e2fac6ea44a11daf4ff59bace269e7d6675c10a8
SHA256ce54658188ad0726fc5d0012ac438a9a9ff7c0454bf46ef37bc9c113b4db7678
SHA512f642774e151bb25bd2671b7713e019255828f7ba57255ccc000305029d23c924d084dfc6baf227e95ba1784d8406393683a5d365ed7552f92e00208d233784aa
-
Filesize
3.6MB
MD5bd0440ee53439be9667c4fc3b1df9ca1
SHA167be8d71b611740a9539da77d93855e77538d762
SHA25634d61c7c1e1b202d287d5c6b35a6290a187a8a63f48c27f9afca94697ccd0af8
SHA512c314b620f434a834bf8d9a49706da570623c0db5fb40b2884088384d112ff0794792d57b20e4caf984a1ed358da1e90b86c6f4284a645e13fc787a8caec827c4
-
Filesize
3.4MB
MD50b41b3e89db68f65eeb362d7abda7216
SHA1ee51190126cdca9e2a579ab12bc5ad499318a5e6
SHA25681be92900929c8d5b9eebcb7ddd4c7a939b6df532747d1a8399c1777c6e64dbf
SHA5120dd83d84397b2643b1c44a578852c7b7523fcd2c9e0bd2d91454741950a9030b9eee74861f711ab5b57382f006f45cd0e054329c90c29ec2da8b6edca53bd8d2