Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
14-09-2024 10:14
Static task
static1
Behavioral task
behavioral1
Sample
dffb92c0afe2eecda3ae8dc99f4fb5db_JaffaCakes118.dll
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
dffb92c0afe2eecda3ae8dc99f4fb5db_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
dffb92c0afe2eecda3ae8dc99f4fb5db_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
dffb92c0afe2eecda3ae8dc99f4fb5db
-
SHA1
cec78b84ec2db7a72ac9e3014938f2e4bf956761
-
SHA256
2375834bedd9f22ad5ab253ca9edfc87e864fd3c2e6292eccf7a39f30c1b8b53
-
SHA512
7a798be9c773ba8699dc4e3ce6053850220582f12847d1d1403d97fc1632944ee76db083a9f88014061967d1f69853471356eb84bfe4dad5398091f3e90aa53d
-
SSDEEP
98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9d593R8yAVp2gC:TDqPe1Cxcxk3ZAEUarzR8yc4
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3262) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2656 mssecsvc.exe 2700 mssecsvc.exe 2772 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-1e-01-08-e4-e4 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76C6F421-D53E-434D-A81E-AA9542CA7DC9}\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76C6F421-D53E-434D-A81E-AA9542CA7DC9}\WpadDecision = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76C6F421-D53E-434D-A81E-AA9542CA7DC9}\WpadNetworkName = "Network 3" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-1e-01-08-e4-e4\WpadDecisionTime = 00fff0d48e06db01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76C6F421-D53E-434D-A81E-AA9542CA7DC9}\WpadDecisionTime = 00fff0d48e06db01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76C6F421-D53E-434D-A81E-AA9542CA7DC9}\d6-1e-01-08-e4-e4 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-1e-01-08-e4-e4\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\d6-1e-01-08-e4-e4\WpadDecision = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{76C6F421-D53E-434D-A81E-AA9542CA7DC9} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2356 wrote to memory of 2060 2356 rundll32.exe 30 PID 2356 wrote to memory of 2060 2356 rundll32.exe 30 PID 2356 wrote to memory of 2060 2356 rundll32.exe 30 PID 2356 wrote to memory of 2060 2356 rundll32.exe 30 PID 2356 wrote to memory of 2060 2356 rundll32.exe 30 PID 2356 wrote to memory of 2060 2356 rundll32.exe 30 PID 2356 wrote to memory of 2060 2356 rundll32.exe 30 PID 2060 wrote to memory of 2656 2060 rundll32.exe 31 PID 2060 wrote to memory of 2656 2060 rundll32.exe 31 PID 2060 wrote to memory of 2656 2060 rundll32.exe 31 PID 2060 wrote to memory of 2656 2060 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dffb92c0afe2eecda3ae8dc99f4fb5db_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dffb92c0afe2eecda3ae8dc99f4fb5db_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2656 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2772
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2700
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5fccf94aa84dcb7863d69593df73b65a8
SHA13ff8506fec3e6f798cf55b566c87f37cfd0524d4
SHA256d27643502aa940f976c724f3001745cef35cfa444493bfad0f4c24b093183639
SHA51224621abd89b64c35d58eb23eb4eea9e27808a70c3192c565e2d2174ed89529b1700befed92a493aa8057dae2e6215e75970228ffb4c1ceb78cce06096f888659
-
Filesize
3.4MB
MD525b277bbd22f41feadde4d51c6919aa4
SHA100d0da1d933637af5f16f966312dff4ed0bd8f85
SHA256194f866fea27893004f7e1f241928d0319597e8d666749b2d360f3fe97a3995b
SHA5120cd34ae9b0e041f3c00023d50d211d255d286009986aaae0da1e8a5a98df12e9a15b1f3e1bedb6eef08c9995ecd1bf7afa92627bdec88f2bdea60b04539e3216