Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
17-09-2024 00:39
Static task
static1
Behavioral task
behavioral1
Sample
e5d9afc15dbafccf2423aef31f8b1a8d_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e5d9afc15dbafccf2423aef31f8b1a8d_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
e5d9afc15dbafccf2423aef31f8b1a8d_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
e5d9afc15dbafccf2423aef31f8b1a8d
-
SHA1
7d0e689cff29f6a950c249692e7b0ef554c3136d
-
SHA256
bda3cfc35a9ce7e10e42d2e3f85004b9d193c0cbb57542dfb9f5861628ad4b89
-
SHA512
c0366640b4f05866968bdd0e061563a927f568f5a6d90925670a275944471aadcccfe7f3d74a0b4fee649bfc9db9e0d337948ad85c2a223e41847b6effbf3639
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:+DqPoBhz1aRxcSUDk36SA
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3346) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2700 mssecsvc.exe 2832 mssecsvc.exe 888 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8BE5D420-6FD5-408D-A235-247144713D6B}\WpadDecision = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-04-8e-7a-ce-1e\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8BE5D420-6FD5-408D-A235-247144713D6B} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8BE5D420-6FD5-408D-A235-247144713D6B}\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-04-8e-7a-ce-1e mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-04-8e-7a-ce-1e\WpadDecisionTime = 00b2eb059a08db01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b6000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8BE5D420-6FD5-408D-A235-247144713D6B}\WpadDecisionTime = 00b2eb059a08db01 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8BE5D420-6FD5-408D-A235-247144713D6B}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8BE5D420-6FD5-408D-A235-247144713D6B}\ae-04-8e-7a-ce-1e mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ae-04-8e-7a-ce-1e\WpadDecisionReason = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2232 wrote to memory of 2120 2232 rundll32.exe 30 PID 2232 wrote to memory of 2120 2232 rundll32.exe 30 PID 2232 wrote to memory of 2120 2232 rundll32.exe 30 PID 2232 wrote to memory of 2120 2232 rundll32.exe 30 PID 2232 wrote to memory of 2120 2232 rundll32.exe 30 PID 2232 wrote to memory of 2120 2232 rundll32.exe 30 PID 2232 wrote to memory of 2120 2232 rundll32.exe 30 PID 2120 wrote to memory of 2700 2120 rundll32.exe 31 PID 2120 wrote to memory of 2700 2120 rundll32.exe 31 PID 2120 wrote to memory of 2700 2120 rundll32.exe 31 PID 2120 wrote to memory of 2700 2120 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e5d9afc15dbafccf2423aef31f8b1a8d_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e5d9afc15dbafccf2423aef31f8b1a8d_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2700 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:888
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2832
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5d9ad1c26c753906ccea5cf5941da1bac
SHA1791d00e8d01fe2b722c411992f3bf39d14456a3c
SHA2561214fda007b506dea47071cd037ac4cf4d196d6f18bcc93083607bdfce27be24
SHA512a6dddc5c8bb2ca217062339db83a9da7dab31b0f8efe19dd72801b86194294938bef45ba36d659cb49fecc162fe50d307683ba7eac8e160a201225dd1034b647
-
Filesize
3.4MB
MD53e1befae374a1a3bb80b6ef20cb85f3e
SHA1758ad920bed76647fa82334866043ae65adacdd4
SHA25645dee32ff83cb4e110d387ddb5939144e96c55429e40da2f7607edfb857a8a44
SHA51250ccbc938623e4ca4397ecc5a883ef9680afaa2600afa30f54db9e0337f3ee305e5452cae7c0ca78bf224a7fdf5e6669b79222423007138a838ada90cf94d86a