Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14-09-2024 12:39
Static task
static1
Behavioral task
behavioral1
Sample
e032dffe8dd0bd5689752d7fc27846d7_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e032dffe8dd0bd5689752d7fc27846d7_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
e032dffe8dd0bd5689752d7fc27846d7_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
e032dffe8dd0bd5689752d7fc27846d7
-
SHA1
726772e281049e0d6f49e5d61e45fce1b53fb2e2
-
SHA256
e7ce294f262e3ce1214c17e16e8cd8a18217c2815ca42c7e0b71865faa53f34b
-
SHA512
23578d60da045f542d8b1e2346fab09ec8d02d234a00502a94e561cb5d1fa6c707438e3e54116af2757c7276711c7e7b9e94af7908105a6825fba36beab42b0b
-
SSDEEP
24576:SbLgddQhfdmMSirYbcMNgef0JAdmv1LJMfcH9PO6LLuYFkqAH1pNZtA0p+9XEk:SnAQqMSPbcBVJnvxJM0H9PpAH1plAH
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3346) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2652 mssecsvc.exe 2776 mssecsvc.exe 2432 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-7e-a8-51-73-ce\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5B459A47-7C4B-4E06-9D08-C7DB2197B5DC}\WpadDecisionTime = 80a93b1ea306db01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5B459A47-7C4B-4E06-9D08-C7DB2197B5DC}\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-7e-a8-51-73-ce mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5B459A47-7C4B-4E06-9D08-C7DB2197B5DC}\6e-7e-a8-51-73-ce mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0173000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5B459A47-7C4B-4E06-9D08-C7DB2197B5DC}\WpadNetworkName = "Network 3" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-7e-a8-51-73-ce\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6e-7e-a8-51-73-ce\WpadDecisionTime = 80a93b1ea306db01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5B459A47-7C4B-4E06-9D08-C7DB2197B5DC} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5B459A47-7C4B-4E06-9D08-C7DB2197B5DC}\WpadDecisionReason = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 3064 wrote to memory of 2208 3064 rundll32.exe 30 PID 3064 wrote to memory of 2208 3064 rundll32.exe 30 PID 3064 wrote to memory of 2208 3064 rundll32.exe 30 PID 3064 wrote to memory of 2208 3064 rundll32.exe 30 PID 3064 wrote to memory of 2208 3064 rundll32.exe 30 PID 3064 wrote to memory of 2208 3064 rundll32.exe 30 PID 3064 wrote to memory of 2208 3064 rundll32.exe 30 PID 2208 wrote to memory of 2652 2208 rundll32.exe 31 PID 2208 wrote to memory of 2652 2208 rundll32.exe 31 PID 2208 wrote to memory of 2652 2208 rundll32.exe 31 PID 2208 wrote to memory of 2652 2208 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e032dffe8dd0bd5689752d7fc27846d7_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e032dffe8dd0bd5689752d7fc27846d7_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2652 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2432
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2776
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5825d6cd71f46a9de1b39a222c33bc228
SHA1c313d608d51f57db2e2b14edcf3443687086b25d
SHA25618cc3745d6fbabcfabeb99e74b0db8f9864e452b3c5f6be862e16d6cdfc1529b
SHA51228a149f636d31e5a90f7efeabeeff8da5e1446f2d5ee9ee87a86c7b18e20a219f2446964fa804d1e002b76ffe25f0cc76175d1540c6a3eff726fc31db077329a
-
Filesize
3.4MB
MD53f6b2b6f4108b63df0b940811605ed7f
SHA1534a0bcc3eded2460d5aab1480e118ae47559e41
SHA256a45c4f9f781324a4c0daf1fb771213400cd92cf9f7fd7e5889e775644c46ebf9
SHA5124d885d9d0f444dc6dc5c01ead8747796cd4094e3d36b23c0c2e64bb81bab1af4f1414af43454830f3797e12020f318578cb5af1a4608f3c69503fc37b1fbe431