Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15-09-2024 03:31
Static task
static1
Behavioral task
behavioral1
Sample
e19f1bfc80c2efd58a78e80e4b1b3abb_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e19f1bfc80c2efd58a78e80e4b1b3abb_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
e19f1bfc80c2efd58a78e80e4b1b3abb_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
e19f1bfc80c2efd58a78e80e4b1b3abb
-
SHA1
d198cf287892f6ea3eeef8504ec3d0d99d826d49
-
SHA256
0e1ea0693da53cd5c2cd89da3feec4b44f2caf653f461ed1f7123bb6640e3a66
-
SHA512
fa16a3face3682724f2f4caf0e22898dd2cdf77c42ace6332d48190b172e9cd17363a759688f7126a65f3a9cfe5540e94bbd61ba9e12c543252ab5a7b5f4983c
-
SSDEEP
49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAFaEau3R8yAFHAD:TDqPoBhz1aRxcSUDk36SAq3R8yA
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3269) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2088 mssecsvc.exe 1856 mssecsvc.exe 2740 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-57-b4-c4-09-1c mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{55A16186-0D08-4D6C-9D1F-AF23C6A18A9C}\7e-57-b4-c4-09-1c mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{55A16186-0D08-4D6C-9D1F-AF23C6A18A9C} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{55A16186-0D08-4D6C-9D1F-AF23C6A18A9C}\WpadDecisionReason = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{55A16186-0D08-4D6C-9D1F-AF23C6A18A9C}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-57-b4-c4-09-1c\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{55A16186-0D08-4D6C-9D1F-AF23C6A18A9C}\WpadDecisionTime = e06040c11f07db01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{55A16186-0D08-4D6C-9D1F-AF23C6A18A9C}\WpadDecision = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-57-b4-c4-09-1c\WpadDecisionTime = e06040c11f07db01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7e-57-b4-c4-09-1c\WpadDecision = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2236 wrote to memory of 2188 2236 rundll32.exe 30 PID 2236 wrote to memory of 2188 2236 rundll32.exe 30 PID 2236 wrote to memory of 2188 2236 rundll32.exe 30 PID 2236 wrote to memory of 2188 2236 rundll32.exe 30 PID 2236 wrote to memory of 2188 2236 rundll32.exe 30 PID 2236 wrote to memory of 2188 2236 rundll32.exe 30 PID 2236 wrote to memory of 2188 2236 rundll32.exe 30 PID 2188 wrote to memory of 2088 2188 rundll32.exe 31 PID 2188 wrote to memory of 2088 2188 rundll32.exe 31 PID 2188 wrote to memory of 2088 2188 rundll32.exe 31 PID 2188 wrote to memory of 2088 2188 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e19f1bfc80c2efd58a78e80e4b1b3abb_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e19f1bfc80c2efd58a78e80e4b1b3abb_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2088 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2740
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1856
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5ff54cd70bbbf4da8e0b839388991d544
SHA1b26ba3f15325b7a85d200c1e2ffdc8f56f52fa38
SHA2566b46ebc05bff3e1446b586518b546bfdce385ced77fd52de1ae7522b286dce72
SHA5121079b5b098ee1b154d42faa61032d423e1fcc3bc0c04cca017a22dda4ac5e38498da9cdd7e665853be094194ea03615cd5fe1f0b58dac62c14686e5be9d5c712
-
Filesize
3.4MB
MD5f4932239f899a12de4d28d42ae2b15fb
SHA12b886a35bb9f015289a4d7c6c49c0a8d17fe7826
SHA256ecbd513dbfaab4f84bee7e745fb0847bba3bee17382d014612f3ae26039d5ac0
SHA512b50073fdb9388e507b04aaffc654a3728297ba2ff7dd2dbe8ab6e9f343980b6e28b6ec5d1b2b8f7345ef4049b3bd65356115d67dc8a7be53ca28418fb85be00c