Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 16-09-2024 21:09

Static task: static1

Behavioral task: behavioral1
- Sample: e592dd2cae721ac8aa51f347606ada8a_JaffaCakes118.dll
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: e592dd2cae721ac8aa51f347606ada8a_JaffaCakes118.dll
- Resource: win10v2004-20240802-en
General
- Target: e592dd2cae721ac8aa51f347606ada8a_JaffaCakes118.dll
- Size: 5.0MB
- MD5: e592dd2cae721ac8aa51f347606ada8a
- SHA1: b383467235c9f59fe3bf02ef1072e5dcb6673d15
- SHA256: 67cab1567aff6376cad332526db12abf5843182bd625d96be7751ce3a2885b4c
- SHA512: 91d1334c3734ae0f71d5347054787337548bfc7835506098647bcfee3d2f0231daa7700c23a2d87f09e43c36a544d4ee07755e63572eeba73a817d50d2b1defe
- SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2jeOT1:+DqPe1Cxcxk3ZAEUadzR8yc4jeOT
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3275) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  pid   Process
  2392  mssecsvc.exe
  1736  mssecsvc.exe
  2464  tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  description                   ioc                                                                                                              Process
  File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  mssecsvc.exe
- Drops file in Windows directory (2 IoCs)
  description   ioc                       Process
  File created  C:\WINDOWS\mssecsvc.exe   rundll32.exe
  File created  C:\WINDOWS\tasksche.exe   mssecsvc.exe
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                            Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mssecsvc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   mssecsvc.exe
- Modifies data under HKEY_USERS (24 IoCs)
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                        pid   Process       procid_target
  PID 1860 wrote to memory of 2092   1860  rundll32.exe  30
  PID 1860 wrote to memory of 2092   1860  rundll32.exe  30
  PID 1860 wrote to memory of 2092   1860  rundll32.exe  30
  PID 1860 wrote to memory of 2092   1860  rundll32.exe  30
  PID 1860 wrote to memory of 2092   1860  rundll32.exe  30
  PID 1860 wrote to memory of 2092   1860  rundll32.exe  30
  PID 1860 wrote to memory of 2092   1860  rundll32.exe  30
  PID 2092 wrote to memory of 2392   2092  rundll32.exe  31
  PID 2092 wrote to memory of 2392   2092  rundll32.exe  31
  PID 2092 wrote to memory of 2392   2092  rundll32.exe  31
  PID 2092 wrote to memory of 2392   2092  rundll32.exe  31
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e592dd2cae721ac8aa51f347606ada8a_JaffaCakes118.dll,#1
  PID: 1860
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e592dd2cae721ac8aa51f347606ada8a_JaffaCakes118.dll,#1
    PID: 2092
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2392
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - C:\WINDOWS\tasksche.exe
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2464
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1736
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
Downloads
- Filesize: 3.6MB
  MD5: 254a847075c5a76c84051f065af16af4
  SHA1: b8011e7f6c60c6a10aee0bf6dc89e400a8977597
  SHA256: 30a020af1b4e6b5b913609b99a65d4cb4038bb96118b07803058745f593c6062
  SHA512: 3369f1e309106e89f4fc9d2a13222ebd0f06e905e9bf2e2ea7e17ae8634ae0eee314a55cc6e1e5f5a9621a880197ba0de7810fd80193f52993ba3cbe6a785801
- Filesize: 3.4MB
  MD5: e65b8d548d35f90e5d39f974914d4f13
  SHA1: 8efe91191f549f6923b31bfbe515807b8acf9154
  SHA256: 79b3701623167a48ebf8a9e93026315605e67f469cf629a1ee24e8cbfbc52ba6
  SHA512: 0d701b481e16a151028cb19212124a9a5ec39703ffc69a51b794f400fa33f30ad4d4b4f5b022e1b81f873306bdcc434c9b36f3d44d2edf77758f0262cea25bf8