Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-09-2024 02:23
Static task
static1
Behavioral task
behavioral1
Sample
e3d6846e6da6c2529459bd5f9be05e86_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e3d6846e6da6c2529459bd5f9be05e86_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
e3d6846e6da6c2529459bd5f9be05e86_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
e3d6846e6da6c2529459bd5f9be05e86
-
SHA1
a9f80584cbd15d95a13ace4bc8b29f844236e5cf
-
SHA256
a5faf0eea54bedaf5c0d79f670bea4967caf93340835cf38aa091ec891643b97
-
SHA512
de8ab5159227536e2970ab46f2afba9e2a9ad3c5d91ddea8517a3688a83f4827bfe24ffd3fe2f93c06effd9d39b71712c8cec7ddb61feed991fd6d253c99f34d
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTdOxJM0H9PAMEcaEa:+DqPoBhz1aRxcSUwxWa9P5
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3272) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2392 mssecsvc.exe 2336 mssecsvc.exe 2848 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C40EB86E-213D-43C4-92F0-569BAFC6281A}\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-ab-f7-1e-bb-91 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-ab-f7-1e-bb-91\WpadDecisionTime = a06d3062df07db01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C40EB86E-213D-43C4-92F0-569BAFC6281A}\8e-ab-f7-1e-bb-91 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-ab-f7-1e-bb-91\WpadDecision = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C40EB86E-213D-43C4-92F0-569BAFC6281A}\WpadNetworkName = "Network 3" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C40EB86E-213D-43C4-92F0-569BAFC6281A}\WpadDecisionTime = a06d3062df07db01 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C40EB86E-213D-43C4-92F0-569BAFC6281A} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C40EB86E-213D-43C4-92F0-569BAFC6281A}\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8e-ab-f7-1e-bb-91\WpadDecisionReason = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2352 wrote to memory of 2532 2352 rundll32.exe 30 PID 2352 wrote to memory of 2532 2352 rundll32.exe 30 PID 2352 wrote to memory of 2532 2352 rundll32.exe 30 PID 2352 wrote to memory of 2532 2352 rundll32.exe 30 PID 2352 wrote to memory of 2532 2352 rundll32.exe 30 PID 2352 wrote to memory of 2532 2352 rundll32.exe 30 PID 2352 wrote to memory of 2532 2352 rundll32.exe 30 PID 2532 wrote to memory of 2392 2532 rundll32.exe 31 PID 2532 wrote to memory of 2392 2532 rundll32.exe 31 PID 2532 wrote to memory of 2392 2532 rundll32.exe 31 PID 2532 wrote to memory of 2392 2532 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e3d6846e6da6c2529459bd5f9be05e86_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e3d6846e6da6c2529459bd5f9be05e86_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2392 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2848
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2336
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5dee38bd6e6d47b587df7a79ab0832512
SHA10087640aded547b0a138c0cab81c90325d461de0
SHA256bce85c427a39ce11309e228167281574eb1fee9c4aa972961611f198b518fb1e
SHA512212ac2655aa8661fd31b7625eba1005c0bb439e87014094de4a02c7afe5ade2ce41418122e2c6c19ea3574a0b5a00067d81967b74d9e89647378d70162e57eda
-
Filesize
3.4MB
MD565a92b9b3ebb2ab6992ebd92a10b066f
SHA187c62a9257ba20cd3fa47c0d32495fd61c3a84bd
SHA256333087e8849b260b771d42eb89002b6717cd242034306537cf18df82082018d7
SHA5120e536375a512525589597a04f8135483f8cdb129640a2023ac616ce06970c5cb7e3707b3367c79dda64ebb87bd79d39e41c9a2ca35b3033b2a7669eb8e709c21