Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 14-09-2024 01:03
Static task
- static1
Behavioral task
- behavioral1
  Sample: df36dea50835289e2bfaa623724a5c23_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: df36dea50835289e2bfaa623724a5c23_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
- Target: df36dea50835289e2bfaa623724a5c23_JaffaCakes118.dll
- Size: 5.0MB
- MD5: df36dea50835289e2bfaa623724a5c23
- SHA1: d78fab0eeeca60fe2a4269ddc1e81b4b35472d01
- SHA256: f1e276efe42dcb89b2c061bb14c68c9db8d15bc1647f849475e1796992eacbf5
- SHA512: 7281cd01b9a3efa41fd107abb55dbd3b0bdff92b7d42e51addd14998752a958dac3621f050a173adb5e753f53992861a3170577faddaf4fba8675bbb2a3d7ade
- SSDEEP: 98304:TDqPoBhz1aRxcSUDk36SAEdhvnUxuxZwLFGjaOgdN:TDqPe1Cxcxk3ZAETKOS02Oy
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3041) of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  2936  mssecsvc.exe
  2856  mssecsvc.exe
  2128  tasksche.exe
- Creates a large number of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  description                   ioc                                                                                                                  Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  description   ioc                      Process
  File created  C:\WINDOWS\mssecsvc.exe  rundll32.exe
  File created  C:\WINDOWS\tasksche.exe  mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
  All 24 entries are written by mssecsvc.exe under \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings, the WinINet proxy/WPAD settings of the .DEFAULT hive that a process running as LocalSystem uses. Paths below are relative to that key.
  description        ioc
  Set value (data)   Wpad\6e-b8-31-e1-4b-89\WpadDecisionTime = 50aeb0ea4106db01
  Set value (data)   Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created        (the Internet Settings key itself)
  Key created        ZoneMap\
  Set value (str)    5.0\Cache\History\CachePrefix = "Visited:"
  Key created        Wpad\{F1581BD5-C9DA-45B2-B5B8-44BACB8E6E96}
  Set value (int)    Wpad\{F1581BD5-C9DA-45B2-B5B8-44BACB8E6E96}\WpadDecision = "0"
  Set value (int)    ProxyEnable = "0"
  Set value (int)    ZoneMap\UNCAsIntranet = "0"
  Set value (str)    5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Key created        Wpad
  Set value (data)   Wpad\{F1581BD5-C9DA-45B2-B5B8-44BACB8E6E96}\WpadDecisionTime = 50aeb0ea4106db01
  Key created        Wpad\{F1581BD5-C9DA-45B2-B5B8-44BACB8E6E96}\6e-b8-31-e1-4b-89
  Key created        Connections
  Set value (str)    5.0\Cache\Content\CachePrefix
  Set value (data)   Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00cb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (str)    Wpad\{F1581BD5-C9DA-45B2-B5B8-44BACB8E6E96}\WpadNetworkName = "Network 3"
  Set value (int)    Wpad\6e-b8-31-e1-4b-89\WpadDecision = "0"
  Key created        (the Internet Settings key itself)
  Set value (data)   Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int)    ZoneMap\AutoDetect = "1"
  Set value (int)    Wpad\{F1581BD5-C9DA-45B2-B5B8-44BACB8E6E96}\WpadDecisionReason = "1"
  Key created        Wpad\6e-b8-31-e1-4b-89
  Set value (int)    Wpad\6e-b8-31-e1-4b-89\WpadDecisionReason = "1"
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2056 (rundll32.exe) wrote to memory of PID 2160, procid_target 29: 7 events
  PID 2160 (rundll32.exe) wrote to memory of PID 2936, procid_target 30: 4 events
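The two network signatures above ("Contacts a large (3041) amount of remote hosts" and "Creates a large amount of network flows") are fan-out heuristics: one source talking to far more distinct peers in a short window than any workstation normally does. The script below is an added example of that heuristic and is not part of the sandbox report or its vendor's code. The flow records are constructed (the 3041 figure is taken from the report; the destination port 445 is constructed, since the report counts hosts and lists no ports), and the 100-peer threshold and 60-second window are assumptions, not values from the page.

```python
"""Distinct-destination fan-out check behind a "contacts many remote hosts" signature.

Added example, not from the sandbox report. Flows are constructed; the
threshold and window below are assumptions chosen for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable

FANOUT_THRESHOLD = 100   # assumption: distinct peers per source per window that counts as a sweep
WINDOW_SECONDS = 60.0    # assumption: sliding window length


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since start of capture
    src: str
    dst: str
    dport: int   # constructed; the report records host counts, not ports


def max_fanout(flows: Iterable[Flow], window: float = WINDOW_SECONDS) -> dict[str, int]:
    """For each source, the largest number of distinct destinations seen inside any window."""
    by_src: dict[str, list[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    result: dict[str, int] = {}
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        live: dict[str, int] = defaultdict(int)   # dst -> flows to it still inside the window
        left = 0
        best = 0
        for f in fl:
            live[f.dst] += 1
            # Slide the left edge forward until every retained flow is within `window` of f.
            while f.ts - fl[left].ts > window:
                old = fl[left].dst
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            best = max(best, len(live))
        result[src] = best
    return result


def scanning_sources(flows: Iterable[Flow],
                     threshold: int = FANOUT_THRESHOLD,
                     window: float = WINDOW_SECONDS) -> list[tuple[str, int]]:
    """Sources whose peak distinct-destination count meets the threshold, sorted by address."""
    return sorted((src, n) for src, n in max_fanout(flows, window).items() if n >= threshold)


def constructed_flows() -> list[Flow]:
    """Synthetic traffic: one quiet workstation and one host sweeping 3041 peers (the report's count)."""
    flows: list[Flow] = []
    for i in range(12):                                   # a dozen peers over ~45 s
        flows.append(Flow(ts=i * 4.0, src="10.0.0.5", dst=f"10.0.0.{100 + i}", dport=445))
    base = int(IPv4Address("10.1.0.1"))
    for i in range(3041):                                 # 3041 distinct peers in ~30 s
        flows.append(Flow(ts=i * 0.01, src="10.0.0.9", dst=str(IPv4Address(base + i)), dport=445))
    return flows


if __name__ == "__main__":
    for src, n in scanning_sources(constructed_flows()):
        print(f"{src}: {n} distinct peers within {WINDOW_SECONDS:.0f}s (threshold {FANOUT_THRESHOLD})")
```

Counting distinct destinations rather than raw flows is what keeps a chatty but legitimate host (many flows to a handful of servers) below the line while a sweep of one connection per address goes well above it; tune the threshold to the site's own baseline before relying on it.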
Processes
- C:\Windows\system32\rundll32.exe  (PID 2056)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\df36dea50835289e2bfaa623724a5c23_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe  (PID 2160)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\df36dea50835289e2bfaa623724a5c23_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe  (PID 2936)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
      - C:\WINDOWS\tasksche.exe  (PID 2128)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe  (PID 2856)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS
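The process tree above is the whole infection chain in four hops: rundll32.exe loads the sample by export ordinal #1, drops C:\WINDOWS\mssecsvc.exe and starts it, mssecsvc.exe drops and starts C:\WINDOWS\tasksche.exe /i, and a second mssecsvc.exe instance appears with -m security. The script below replays that tree as a detection exercise. It is an added example and not part of the sandbox report or its vendor's code: the event records are constructed by hand from the report's PIDs, images, command lines and "Drops file" signatures; the ProcessCreate/FileCreate schema is a simplification modelled on Sysmon event IDs 1 and 11 rather than the sandbox's own format; and the parent PIDs of the two root processes (1000 and 500) are invented because the report does not show them.

```python
"""Replay of the report's process tree against three simple rules.

Added example, not from the sandbox report. Events are constructed from the
report; the event schema and the root parent PIDs (1000, 500) are assumptions.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class FileCreate:
    pid: int      # writing process
    path: str


Event = Union[ProcessCreate, FileCreate]

SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\df36dea50835289e2bfaa623724a5c23_JaffaCakes118.dll"

# Constructed from the report's process tree and "Drops file in Windows directory" IoCs.
EVENTS: list[Event] = [
    ProcessCreate(2056, 1000, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    ProcessCreate(2160, 2056, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {SAMPLE_DLL},#1"),
    FileCreate(2160, r"C:\WINDOWS\mssecsvc.exe"),
    ProcessCreate(2936, 2160, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    FileCreate(2936, r"C:\WINDOWS\tasksche.exe"),
    ProcessCreate(2128, 2936, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    ProcessCreate(2856, 500, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
]


def _under(path: str, prefix: str) -> bool:
    """Case-insensitive Windows path prefix test (ntpath works on any host OS)."""
    return ntpath.normcase(path).startswith(ntpath.normcase(prefix))


def analyse(events: list[Event]) -> list[dict]:
    """Walk the ordered event stream once and return every rule hit."""
    procs: dict[int, ProcessCreate] = {}
    dropped: dict[str, int] = {}       # normcased .exe path -> pid that wrote it
    alerts: list[dict] = []
    for ev in events:
        if isinstance(ev, FileCreate):
            path = ntpath.normcase(ev.path)
            if path.endswith(".exe"):
                dropped[path] = ev.pid
            writer = procs.get(ev.pid)
            # Rule 1: rundll32 running a DLL out of a user's Temp writes an .exe into the Windows dir.
            if (writer is not None
                    and ntpath.basename(writer.image).lower() == "rundll32.exe"
                    and "\\appdata\\local\\temp\\" in writer.cmdline.lower()
                    and _under(ev.path, "C:\\Windows\\")):
                alerts.append({"rule": "rundll32_drops_exe_in_windows", "pid": ev.pid, "path": ev.path})
            continue

        procs[ev.pid] = ev
        # Rule 2: the image now executing was written earlier in this same trace ("Executes dropped EXE").
        writer_pid = dropped.get(ntpath.normcase(ev.image))
        if writer_pid is not None:
            alerts.append({"rule": "dropped_exe_executed", "pid": ev.pid,
                           "image": ev.image, "dropped_by": writer_pid})
        # Rule 3: the service-style relaunch the report shows: mssecsvc.exe -m security.
        if ntpath.basename(ev.image).lower() == "mssecsvc.exe" and "-m security" in ev.cmdline.lower():
            alerts.append({"rule": "mssecsvc_service_launch", "pid": ev.pid, "cmdline": ev.cmdline})
    return alerts


def lineage(events: list[Event], pid: int) -> list[str]:
    """Image basenames from `pid` up to the first parent not present in the trace."""
    procs = {ev.pid: ev for ev in events if isinstance(ev, ProcessCreate)}
    chain: list[str] = []
    while pid in procs:
        chain.append(ntpath.basename(procs[pid].image))
        pid = procs[pid].ppid
    return chain


if __name__ == "__main__":
    for a in analyse(EVENTS):
        print(a)
    print(" <- ".join(lineage(EVENTS, 2128)))
```

Rule 2 is the general form of the sandbox's "Executes dropped EXE" signature and needs no knowledge of WannaCry's file names; rules 1 and 3 are narrower and pinned to what this report shows, so treat them as indicators for this family rather than generic detections.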
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: d97fa7effec66c70c1a804e56ee2d6f9
  SHA1: 66b2e23045a3528ef5a97112da44233462bbbf2b
  SHA256: e69f1c60f66b43b8536f267af27456b9022ebfda4e5a694b42d0d07fe9c67ee1
  SHA512: 76965a2a0ba4974988efdc1344d6639ec71be178f59f79b9bf9fbcf5cee2810d0016207e11c4679c4c3ee18e14afc75397c2ec4033ea72973bbe014a90b79f16
- Filesize: 3.4MB
  MD5: a545c54887b60c7ae0468d102ff79221
  SHA1: 1db8fac4a5931060c88c077f575fbbe0e421c90a
  SHA256: 3e190b7c5993fa42c58ca7233b5f46be6fd1621a2ab1256c93ec0398bf322424
  SHA512: 877e2787fb798786c94d2fe7ef7860c88c4e1980f00a91d788e5c70643181a7a8deeecb529f81419971ae02957b2ad1699a808c5214d3acf75d47acc356fc3df