Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-09-2024 16:27
Static task
static1
Behavioral task
behavioral1
Sample
e5283d7cad73eeb1085e3759669f7133_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e5283d7cad73eeb1085e3759669f7133_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
e5283d7cad73eeb1085e3759669f7133_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
e5283d7cad73eeb1085e3759669f7133
-
SHA1
e66ac36a28e118fcd4a317df4960e4c21c573f42
-
SHA256
222300534ae7c6e8390677ed8f46a5fdf0623e9cd1cec973ef36d3a33d618f6e
-
SHA512
c7f36a4379c78cf57ddc324422f121bd5e7164ce1e296368c09b07bfabcadca8bea4eb43e35d931c94b61ac128c6cdd1617b9c79ec363df1dbca64b6d8f84ebd
-
SSDEEP
98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9E93R8yAVp2H:TDqPe1Cxcxk3ZAEUaIR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3216) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2488 mssecsvc.exe 1804 mssecsvc.exe 3028 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\tasksche.exe mssecsvc.exe File created C:\WINDOWS\mssecsvc.exe rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-38-da-65-d0-d6 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F9B18BA-532E-49B7-B80E-ACBF3B97A8B2}\12-38-da-65-d0-d6 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F9B18BA-532E-49B7-B80E-ACBF3B97A8B2} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F9B18BA-532E-49B7-B80E-ACBF3B97A8B2}\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F9B18BA-532E-49B7-B80E-ACBF3B97A8B2}\WpadDecision = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-38-da-65-d0-d6\WpadDecision = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F9B18BA-532E-49B7-B80E-ACBF3B97A8B2}\WpadDecisionTime = f0cea2595508db01 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9F9B18BA-532E-49B7-B80E-ACBF3B97A8B2}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00cf000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-38-da-65-d0-d6\WpadDecisionTime = f0cea2595508db01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-38-da-65-d0-d6\WpadDecisionReason = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2988 wrote to memory of 2196 2988 rundll32.exe 30 PID 2988 wrote to memory of 2196 2988 rundll32.exe 30 PID 2988 wrote to memory of 2196 2988 rundll32.exe 30 PID 2988 wrote to memory of 2196 2988 rundll32.exe 30 PID 2988 wrote to memory of 2196 2988 rundll32.exe 30 PID 2988 wrote to memory of 2196 2988 rundll32.exe 30 PID 2988 wrote to memory of 2196 2988 rundll32.exe 30 PID 2196 wrote to memory of 2488 2196 rundll32.exe 31 PID 2196 wrote to memory of 2488 2196 rundll32.exe 31 PID 2196 wrote to memory of 2488 2196 rundll32.exe 31 PID 2196 wrote to memory of 2488 2196 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e5283d7cad73eeb1085e3759669f7133_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e5283d7cad73eeb1085e3759669f7133_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2488 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:3028
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1804
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD52af2d969f584d38d43629d0b79f84091
SHA17e85ebd4b4eb232c4a308ff42df95dd1d95166bc
SHA256e29626b985d6149f9ff0f1d4ac12c0313deeb91d313f0b5b576782da7ebc83d7
SHA512bdc304abfabcbe21462b7be02e36e95eb79051a70261951baf2917f6d19d19f9f59680f6dc5f9b6a97b93643e2c361cd41d97255362a07372f719c25139eef59
-
Filesize
3.4MB
MD5f78a86fa8c5e78e6840fc0751a284d2e
SHA106140394d139c2db05e3e9f9fd5a67cc706c467a
SHA2563fac4ebb902c5af67b6a6a67732b9c4fd9c6cd8f9fb6860c023da1a68a28ac02
SHA512a63817d889c3ab74d0ef55018d22bfee9ef0365ff9f852becbda8dfb24320d45d68fd1733365a52ee031ad2b0de550bd68a8e3843ef1496de40ee36407601ae4