Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
15-09-2024 06:17
Static task
static1
Behavioral task
behavioral1
Sample
e1deb818ce0ec6b71634d1c46d41d7b4_JaffaCakes118.dll
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
e1deb818ce0ec6b71634d1c46d41d7b4_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
e1deb818ce0ec6b71634d1c46d41d7b4_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
e1deb818ce0ec6b71634d1c46d41d7b4
-
SHA1
064c8156b32115de90de97015d5ac61c3ac65045
-
SHA256
c57649669ee9311d3e52ee536a38bb9731279f9e657718cd22110be01267a432
-
SHA512
75b0b55e62ba42e03eb5a200febcef0fc218dd84887526e62bbde0d15ad1422d37036214a9f23978112e57fc779c209ecaff3a87a29abe56afa1dbf16c91df78
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEc:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3258) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 1300 mssecsvc.exe 2952 mssecsvc.exe 2224 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\tasksche.exe mssecsvc.exe File created C:\WINDOWS\mssecsvc.exe rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CB7F8597-7AEA-4992-9284-338F00D4AEB2}\WpadDecision = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-0f-6b-52-b9-26\WpadDecisionTime = 600703f33607db01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CB7F8597-7AEA-4992-9284-338F00D4AEB2}\e6-0f-6b-52-b9-26 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-0f-6b-52-b9-26\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-0f-6b-52-b9-26\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0125000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CB7F8597-7AEA-4992-9284-338F00D4AEB2} mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CB7F8597-7AEA-4992-9284-338F00D4AEB2}\WpadDecisionTime = 600703f33607db01 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CB7F8597-7AEA-4992-9284-338F00D4AEB2}\WpadNetworkName = "Network 3" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{CB7F8597-7AEA-4992-9284-338F00D4AEB2}\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-0f-6b-52-b9-26 mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1096 wrote to memory of 3024 1096 rundll32.exe 30 PID 1096 wrote to memory of 3024 1096 rundll32.exe 30 PID 1096 wrote to memory of 3024 1096 rundll32.exe 30 PID 1096 wrote to memory of 3024 1096 rundll32.exe 30 PID 1096 wrote to memory of 3024 1096 rundll32.exe 30 PID 1096 wrote to memory of 3024 1096 rundll32.exe 30 PID 1096 wrote to memory of 3024 1096 rundll32.exe 30 PID 3024 wrote to memory of 1300 3024 rundll32.exe 31 PID 3024 wrote to memory of 1300 3024 rundll32.exe 31 PID 3024 wrote to memory of 1300 3024 rundll32.exe 31 PID 3024 wrote to memory of 1300 3024 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e1deb818ce0ec6b71634d1c46d41d7b4_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e1deb818ce0ec6b71634d1c46d41d7b4_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1300 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2224
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2952
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5c6c5d82b78b441d3ea620ad93f82387b
SHA101d183659885faa8fe1adbcec810b80b679e5800
SHA256c3bbf2ebdffac24fda24289d47ba01b50d85f5fdd0e7d7d9d389427256fda14f
SHA512fd0115f47aa373c74c1f727fbaac3c2fa2ae877ae69d587668297e174a1f47e5a20f5b0f5ddd4e6c7e6fd5a74a3793ae1287de4695a0f860841bfbe76236007f
-
Filesize
3.4MB
MD5df3b3b0fec9986f94729d695c0def7d8
SHA1e8f57b3ed28c6079988319d037ee26c6f435251d
SHA256d67beea4e4b3fdac097709114a9b4a6a1218d0d5f65cc10b45ca0a24dd41f38b
SHA512d0fe55b1df92105a2f1df446bf3d87d82c93d145631b5480c76b6d1a900f7aaa63d17bcff6c9fc0f77282172dc531834870f08f850010f3757b1fc4f265b87b9