Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 18-09-2024 15:56
Static task
- static1
Behavioral task
- behavioral1
  Sample: e979124c81143e8fb75bd63e7b07df00_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task
- behavioral2
  Sample: e979124c81143e8fb75bd63e7b07df00_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
- Target: e979124c81143e8fb75bd63e7b07df00_JaffaCakes118.dll
- Size: 5.0MB
- MD5: e979124c81143e8fb75bd63e7b07df00
- SHA1: 54c94581e0d1c0d082a10c3d6169ebec7155efea
- SHA256: 9e714d4d43e214c28c4ad49877d849e37ac06ed3095d32ff682cbde7c15c4e9e
- SHA512: 40342b1f80e542f490ec42f4face1ebff2c2e1c94aac55f939c2b07026e5947f343487e05ea0bbc68d1d420a3a7f0b14e767b308272fb341af4e9040d06cbf93
- SSDEEP: 24576:SbLgddQhfdmMSirYbcMNgef0Q4kqAH1pNZtA0p+9XEk:SnAQqMSPbcBVQyAH1plAH
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3248) of remote hosts [1 TTP]
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE [3 IoCs]
  pid | Process
  2076 | mssecsvc.exe
  988 | mssecsvc.exe
  2728 | tasksche.exe
- Creates a large number of network flows [1 TTP]
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory [1 IoC]
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe
- Drops file in Windows directory [2 IoCs]
  description | ioc | Process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe
- System Location Discovery: System Language Discovery [1 TTP, 3 IoCs]
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvc.exe
- Modifies data under HKEY_USERS [24 IoCs]
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B3C84FC9-9E7B-4A2E-91BE-E9C688CA8978} | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B3C84FC9-9E7B-4A2E-91BE-E9C688CA8978}\WpadDecision = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B3C84FC9-9E7B-4A2E-91BE-E9C688CA8978}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-42-25-49-20-cc | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-42-25-49-20-cc\WpadDecisionReason = "1" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B3C84FC9-9E7B-4A2E-91BE-E9C688CA8978}\WpadDecisionReason = "1" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B3C84FC9-9E7B-4A2E-91BE-E9C688CA8978}\WpadDecisionTime = 50084656e309db01 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B3C84FC9-9E7B-4A2E-91BE-E9C688CA8978}\8a-42-25-49-20-cc | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-42-25-49-20-cc\WpadDecisionTime = 50084656e309db01 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0062000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\8a-42-25-49-20-cc\WpadDecision = "0" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
- Suspicious use of WriteProcessMemory [11 IoCs]
  description | pid | Process | procid_target
  PID 2384 wrote to memory of 2164 | 2384 | rundll32.exe | 30 (7 entries)
  PID 2164 wrote to memory of 2076 | 2164 | rundll32.exe | 31 (4 entries)
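The two network signatures above ("Contacts a large number of remote hosts", "Creates a large number of network flows") rest on one observation: a single source reaching many distinct destinations in a short time. The following is an added detection example and is not part of the sandbox report or of its vendor's tooling. It keeps a sliding-window count of distinct destinations per source and port over flow records; the "ts src dst dport" line format, the 50-host/60-second tuning values, the port used in the constructed sample and the sample flows themselves are assumptions (the report gives only the host count, 3248, not the port).

```python
"""Fan-out detection over flow records: the host-scan pattern behind the
report's "contacts a large number of remote hosts" / "creates a large
number of network flows" signatures.

Added example; not part of the sandbox report or any vendor tooling.
The flow-line format, the threshold/window values and the sample flows
below are constructed for illustration.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Assumed tuning values: alert when one source reaches this many distinct
# destinations on one port inside the window.
DISTINCT_HOST_THRESHOLD = 50
WINDOW_SECONDS = 60

Flow = Tuple[int, str, str, int]        # (ts, src, dst, dport)
Alert = Tuple[str, int, int, int]       # (src, dport, ts, distinct_hosts)


def parse_flow(line: str) -> Flow:
    """Parse the constructed 'ts src dst dport' line format."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def fan_out_alerts(lines: List[str]) -> List[Alert]:
    """Sliding-window count of distinct destinations per (src, dport).

    One alert is raised when the count first crosses the threshold; the
    key re-arms only after the count falls back below it, so a sustained
    sweep of thousands of hosts (3248 in the report) yields one alert
    rather than one per flow.
    """
    window: Dict[Tuple[str, int], Deque[Tuple[int, str]]] = defaultdict(deque)
    counts: Dict[Tuple[str, int], Dict[str, int]] = defaultdict(dict)
    armed: Dict[Tuple[str, int], bool] = defaultdict(lambda: True)
    alerts: List[Alert] = []
    for ts, src, dst, dport in sorted(parse_flow(line) for line in lines):
        key = (src, dport)
        q, c = window[key], counts[key]
        q.append((ts, dst))
        c[dst] = c.get(dst, 0) + 1
        # Expire flows older than the window before counting.
        while q and q[0][0] < ts - WINDOW_SECONDS:
            _, old_dst = q.popleft()
            c[old_dst] -= 1
            if c[old_dst] == 0:
                del c[old_dst]
        distinct = len(c)
        if distinct >= DISTINCT_HOST_THRESHOLD:
            if armed[key]:
                alerts.append((src, dport, ts, distinct))
                armed[key] = False
        else:
            armed[key] = True
    return alerts


# Constructed sample: one host sweeps 120 neighbours on a single port, one
# flow per second, while a second host talks repeatedly to three servers.
SCANNER = "10.0.0.5"
SAMPLE_FLOWS = [f"{1000 + i} {SCANNER} 10.0.1.{i + 1} 445" for i in range(120)]
SAMPLE_FLOWS += [f"{1000 + i} 10.0.0.7 10.0.2.{i % 3 + 1} 443" for i in range(120)]

if __name__ == "__main__":
    for src, dport, ts, n in fan_out_alerts(SAMPLE_FLOWS):
        print(f"t={ts}: {src} reached {n} distinct hosts on port {dport}")
```

On the constructed sample the scanner trips the rule at the 50th distinct host and stays above the threshold for the rest of the sweep, so it produces exactly one alert; the host that keeps reconnecting to the same three servers generates as many flows but never crosses the distinct-host count, which is why distinct destinations, not flow volume, is the quantity to key on.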
Processes
- C:\Windows\system32\rundll32.exe (PID 2384)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e979124c81143e8fb75bd63e7b07df00_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 2164)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e979124c81143e8fb75bd63e7b07df00_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 2076)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
      - C:\WINDOWS\tasksche.exe (PID 2728)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 988)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS
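The process tree above, read together with the "Drops file in Windows directory" and "Executes dropped EXE" signatures, describes a chain that host telemetry can match directly: rundll32.exe loading the DLL, writing an executable straight into C:\WINDOWS, that executable spawning tasksche.exe /i, and a second mssecsvc.exe instance started with -m security. The following is an added detection example and is not part of the sandbox report or of any vendor's tooling. It runs rules for each of those behaviours over Sysmon-like process-creation and file-creation records, walks parent links to recover the full dropper chain, and checks hashes against the ones the report lists. The Event record shape is a constructed stand-in; the sample events reuse the report's PIDs, paths and command lines, while the explorer.exe and services.exe parents (PIDs 1304 and 520) and the notepad.exe event are assumed.

```python
"""Host-telemetry detection for the dropper chain in the process tree above
(rundll32.exe -> mssecsvc.exe -> tasksche.exe /i, plus the separate
"mssecsvc.exe -m security" root).

Added example; not part of the sandbox report or any vendor tooling. The
Event shape is a constructed, Sysmon-like stand-in for process-creation and
file-creation records; the sample events are reconstructed from the report's
tree, with explorer.exe/services.exe parents and the notepad.exe event assumed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Indicators taken from the report's General and Downloads sections.
KNOWN_SHA256 = {
    "9e714d4d43e214c28c4ad49877d849e37ac06ed3095d32ff682cbde7c15c4e9e",  # submitted DLL
    "4049d0b5d878855fabc4338cf8f6b8a5f7604d249c970df5b4552186601f1f5d",  # download, 3.6MB
    "7902974c078579c6e8d28694cc6026854d53fedfdc34dac83b443089529eea4c",  # download, 3.4MB
}
DROPPED_NAMES = {"mssecsvc.exe", "tasksche.exe"}
STAGING_DIR = "c:\\windows\\"


@dataclass
class Event:
    kind: str                          # "process" (creation) or "file" (created)
    pid: int                           # acting process
    image: str                         # acting process image path
    parent_pid: Optional[int] = None   # process events only
    cmdline: str = ""                  # process events only
    target: str = ""                   # file events: path written


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def known_hash(sha256: str) -> bool:
    """Match against the hashes the report records (case-insensitive)."""
    return sha256.lower() in KNOWN_SHA256


def detect(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule, pid) for each report behaviour found in the events."""
    procs: Dict[int, Event] = {e.pid: e for e in events if e.kind == "process"}
    alerts: List[Tuple[str, int]] = []
    for e in events:
        name = basename(e.image)
        if e.kind == "file":
            tgt = e.target.lower()
            # "Drops file in Windows directory": rundll32.exe writing an .exe
            # directly into C:\WINDOWS (no subdirectory).
            if (name == "rundll32.exe" and tgt.startswith(STAGING_DIR)
                    and tgt.endswith(".exe")
                    and "\\" not in tgt[len(STAGING_DIR):]):
                alerts.append(("rundll32_drops_exe_in_windows_dir", e.pid))
            continue
        # "Executes dropped EXE": the two file names the report lists.
        if name in DROPPED_NAMES:
            alerts.append(("known_dropped_name_executed", e.pid))
        # Service-style relaunch, the second root of the report's tree.
        if name == "mssecsvc.exe" and "-m security" in e.cmdline.lower():
            alerts.append(("mssecsvc_service_launch", e.pid))
        # tasksche.exe /i started by mssecsvc.exe.
        parent = procs.get(e.parent_pid) if e.parent_pid is not None else None
        if (name == "tasksche.exe" and parent is not None
                and basename(parent.image) == "mssecsvc.exe"
                and "/i" in e.cmdline.lower().split()):
            alerts.append(("tasksche_spawned_by_mssecsvc", e.pid))
    return alerts


def dropper_chains(events: List[Event]) -> List[List[int]]:
    """Walk parent links from each tasksche.exe back to the rundll32.exe that
    loaded the DLL; report the PID chain only if it passes through mssecsvc.exe."""
    procs = {e.pid: e for e in events if e.kind == "process"}
    chains: List[List[int]] = []
    for e in procs.values():
        if basename(e.image) != "tasksche.exe":
            continue
        chain: List[int] = []
        cur: Optional[Event] = e
        while cur is not None and cur.pid not in chain:   # cycle guard
            chain.append(cur.pid)
            if basename(cur.image) == "rundll32.exe":
                break
            cur = procs.get(cur.parent_pid) if cur.parent_pid is not None else None
        names = [basename(procs[p].image) for p in chain]
        if names[-1] == "rundll32.exe" and "mssecsvc.exe" in names:
            chains.append(chain)
    return chains


# Constructed sample telemetry: PIDs, paths and command lines from the report's
# process tree; the explorer.exe/services.exe parents and notepad.exe are assumed.
DLL = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e979124c81143e8fb75bd63e7b07df00_JaffaCakes118.dll"
SAMPLE_EVENTS = [
    Event("process", 1304, "C:\\Windows\\explorer.exe"),
    Event("process", 2384, "C:\\Windows\\system32\\rundll32.exe", 1304, f"rundll32.exe {DLL},#1"),
    Event("process", 2164, "C:\\Windows\\SysWOW64\\rundll32.exe", 2384, f"rundll32.exe {DLL},#1"),
    Event("file", 2164, "C:\\Windows\\SysWOW64\\rundll32.exe", target="C:\\WINDOWS\\mssecsvc.exe"),
    Event("process", 2076, "C:\\WINDOWS\\mssecsvc.exe", 2164, "C:\\WINDOWS\\mssecsvc.exe"),
    Event("file", 2076, "C:\\WINDOWS\\mssecsvc.exe", target="C:\\WINDOWS\\tasksche.exe"),
    Event("process", 2728, "C:\\WINDOWS\\tasksche.exe", 2076, "C:\\WINDOWS\\tasksche.exe /i"),
    Event("process", 988, "C:\\WINDOWS\\mssecsvc.exe", 520, "C:\\WINDOWS\\mssecsvc.exe -m security"),
    Event("process", 3100, "C:\\Windows\\System32\\notepad.exe", 1304, "notepad.exe"),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
    print("chains:", dropper_chains(SAMPLE_EVENTS))
```

The name-based rules are the cheapest and the most brittle: a sample that renames its dropped files defeats them, while the structural ones (rundll32.exe writing an executable into C:\WINDOWS, and a process whose ancestry runs dropped-file -> dropped-file -> rundll32.exe) survive renaming, which is why the chain walk is kept separate from the per-event rules.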
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: 6fa3a464bd9df87c164a7650619634ba
  SHA1: 0c363ba86938102fbb55f8f0f1f2ad8a1953cc5a
  SHA256: 4049d0b5d878855fabc4338cf8f6b8a5f7604d249c970df5b4552186601f1f5d
  SHA512: 379512b5ceb023b78730fd3f8245413d990e4472861d8910a08baf73e291988fbb15f5d3135ba291f81b263d41cb6c0543b14c124967d4a6fc3ce2b0365f74ec
- Filesize: 3.4MB
  MD5: a1660f6e4fe9388cbb251ca4d6b352e6
  SHA1: db0686ae7886b54983fc86f876b015c59deaa0b3
  SHA256: 7902974c078579c6e8d28694cc6026854d53fedfdc34dac83b443089529eea4c
  SHA512: 6c432cf003dd1d04897a610f38c6b20f4acf212378803becf70dc0c3ad3197424d5fd7e17f81eeb7941f35a3e3207f3daccd13371f8d715a6277e5343471854b