Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15-09-2024 11:07
Static task
static1
Behavioral task
behavioral1
Sample
e257c4df597850a5f8ae0d6958058073_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e257c4df597850a5f8ae0d6958058073_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
e257c4df597850a5f8ae0d6958058073_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
e257c4df597850a5f8ae0d6958058073
-
SHA1
b882682ae8172635ec290a0b52b6a00e7dab3fdf
-
SHA256
31dc3260893218b8f2c0b0dc8005dc19d0ea2445828146398502a7a3ecd13335
-
SHA512
118f9ff9dcf564cee406d0b57d14758765050056cb745fec5a19c79924442c4dbed79dba63b35ae823e06dee9c7f71554616ad39fdf2f740cec10f53c7956662
-
SSDEEP
98304:+DqPoBQRxcSUDk36SAEdhvxWa9P593R8yAVp2:+DqP7xcxk3ZAEUadzR8yc4
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3253) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2388 mssecsvc.exe 2076 mssecsvc.exe 336 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3247DA03-7135-4143-A1C6-E68F4A41A472}\WpadDecisionReason = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3247DA03-7135-4143-A1C6-E68F4A41A472}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3247DA03-7135-4143-A1C6-E68F4A41A472} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3247DA03-7135-4143-A1C6-E68F4A41A472}\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-38-5d-a2-de-36 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-38-5d-a2-de-36\WpadDecisionTime = 003eff835f07db01 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3247DA03-7135-4143-A1C6-E68F4A41A472}\WpadDecisionTime = 003eff835f07db01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3247DA03-7135-4143-A1C6-E68F4A41A472}\ce-38-5d-a2-de-36 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-38-5d-a2-de-36\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ce-38-5d-a2-de-36\WpadDecision = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1292 wrote to memory of 2428 1292 rundll32.exe 30 PID 1292 wrote to memory of 2428 1292 rundll32.exe 30 PID 1292 wrote to memory of 2428 1292 rundll32.exe 30 PID 1292 wrote to memory of 2428 1292 rundll32.exe 30 PID 1292 wrote to memory of 2428 1292 rundll32.exe 30 PID 1292 wrote to memory of 2428 1292 rundll32.exe 30 PID 1292 wrote to memory of 2428 1292 rundll32.exe 30 PID 2428 wrote to memory of 2388 2428 rundll32.exe 31 PID 2428 wrote to memory of 2388 2428 rundll32.exe 31 PID 2428 wrote to memory of 2388 2428 rundll32.exe 31 PID 2428 wrote to memory of 2388 2428 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e257c4df597850a5f8ae0d6958058073_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1292 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e257c4df597850a5f8ae0d6958058073_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2388 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:336
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2076
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD50c8d6696eb10e1b05fbc19778770a231
SHA1b0f909a35883753ff75a53802cdd85bb3d25e8c1
SHA256a091a04020d3663536d37152a1a8610c9cb720a90f481c2e02d913a57ef24c92
SHA512b38186f7e5adfb674a8b0a024a26f57aa399239ce851d397e354223035e4cb7fe7c519eef36ed75d1e42e12b82203a935a42f5d08da0ffaacb1e630216344c3a
-
Filesize
3.4MB
MD505d88bb878550c22e3aaf330e7e07724
SHA1f826bbe8a19ad1688e56d2ef6debca1eaca8dd4a
SHA256733da0e6b0c8287759b967437156b8b5693ba581373f031a076df5e97daf60aa
SHA512567fb9010cb53dc7d0174888b91d0cb651d8ce56b794e006b719d2089961db211a43de41f06205a82da3d1913244d710201fb6a0f1678058c96b6683238221ed