Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 18-09-2024 17:06
Static task: static1

Behavioral task: behavioral1
Sample: e9965bd5de99ff82cf91603d126fa6a5_JaffaCakes118.dll
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: e9965bd5de99ff82cf91603d126fa6a5_JaffaCakes118.dll
Resource: win10v2004-20240802-en
General
Target: e9965bd5de99ff82cf91603d126fa6a5_JaffaCakes118.dll
Size: 5.0MB
MD5: e9965bd5de99ff82cf91603d126fa6a5
SHA1: 01b2224fa44cf5246a1c572c2597eee1a45a6bf0
SHA256: 33b5630ab1d80689c8644dcefd98a037027009c336ec14dfd10a214b21110333
SHA512: 8dcd5716762beff51a9a36fd03d1385086275d9526fe6d43112c0407f66e22b9e47080361e7ad70f619a08ec07881b915ccf3d42883da93ff192995e6e941c25
SSDEEP: 98304:+DqPoBhzTxcSUDk36SAvxWa9P593R8yAVp2H:+DqPeTxcxk3ZAYadzR8yc4H
Malware Config
Signatures

Wannacry
WannaCry is a ransomware cryptoworm.

Contacts a large (3215) number of remote hosts (1 TTP)
This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
pid | Process
708 | mssecsvc.exe
1516 | mssecsvc.exe
2732 | tasksche.exe

Creates a large number of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Drops file in System32 directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvc.exe

Modifies data under HKEY_USERS (24 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B10DA52D-92D5-4B5C-8652-AAFA2C8C4B1B}\WpadDecision = "0" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a7-6d-aa-f2-ea\WpadDecisionTime = 8091d80fed09db01 | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B10DA52D-92D5-4B5C-8652-AAFA2C8C4B1B} | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B10DA52D-92D5-4B5C-8652-AAFA2C8C4B1B}\52-a7-6d-aa-f2-ea | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B10DA52D-92D5-4B5C-8652-AAFA2C8C4B1B}\WpadNetworkName = "Network 3" | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a7-6d-aa-f2-ea | mssecsvc.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B10DA52D-92D5-4B5C-8652-AAFA2C8C4B1B}\WpadDecisionReason = "1" | mssecsvc.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{B10DA52D-92D5-4B5C-8652-AAFA2C8C4B1B}\WpadDecisionTime = 8091d80fed09db01 | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a7-6d-aa-f2-ea\WpadDecisionReason = "1" | mssecsvc.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-a7-6d-aa-f2-ea\WpadDecision = "0" | mssecsvc.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 1732 wrote to memory of 2520 | 1732 | rundll32.exe | 30
PID 1732 wrote to memory of 2520 | 1732 | rundll32.exe | 30
PID 1732 wrote to memory of 2520 | 1732 | rundll32.exe | 30
PID 1732 wrote to memory of 2520 | 1732 | rundll32.exe | 30
PID 1732 wrote to memory of 2520 | 1732 | rundll32.exe | 30
PID 1732 wrote to memory of 2520 | 1732 | rundll32.exe | 30
PID 1732 wrote to memory of 2520 | 1732 | rundll32.exe | 30
PID 2520 wrote to memory of 708 | 2520 | rundll32.exe | 31
PID 2520 wrote to memory of 708 | 2520 | rundll32.exe | 31
PID 2520 wrote to memory of 708 | 2520 | rundll32.exe | 31
PID 2520 wrote to memory of 708 | 2520 | rundll32.exe | 31
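The two scan signatures above ("Contacts a large (3215) amount of remote hosts", "Creates a large amount of network flows") are threshold heuristics on the number of distinct destinations a single process reaches. The script below is an added example, not the sandbox's own signature code and not part of this report: it runs a sliding-window distinct-destination count over constructed flow records. The scanning process is modelled on the report's mssecsvc.exe (PID 708), but the host count (300 rather than 3215), the addresses, the timing, the control process name, the 60 s window and the threshold of 100 are all assumptions.

```python
"""Sliding-window "distinct remote hosts per process" heuristic, run over
constructed flow records. Added example; not code from the report or sandbox."""
from collections import defaultdict
from ipaddress import ip_address


def make_flows():
    """Constructed flow records: (timestamp_s, pid, image, dst_ip).
    The scanner mirrors the report's mssecsvc.exe / PID 708; the control
    process, every address and the timing are invented."""
    flows = []
    for i in range(300):                       # 300 hosts, one every 250 ms
        flows.append((i * 0.25, 708, "mssecsvc.exe", str(ip_address("10.0.0.1") + i)))
    for i in range(60):                        # 60 flows to only 5 distinct hosts
        flows.append((float(i), 4000, "browser.exe", f"203.0.113.{i % 5 + 1}"))
    return flows


def total_distinct_hosts(flows):
    """Distinct destination IPs per (pid, image) over the whole trace."""
    seen = defaultdict(set)
    for _, pid, image, dst in flows:
        seen[(pid, image)].add(dst)
    return {k: len(v) for k, v in seen.items()}


def distinct_hosts_in_window(flows, window_s=60.0):
    """Peak number of distinct destinations any one process reaches inside a
    sliding window of window_s seconds (two-pointer sweep per process).
    A burst of new hosts in a short window separates a scan from a long-lived
    process that merely accumulates destinations over hours."""
    by_pid = defaultdict(list)
    for ts, pid, image, dst in flows:
        by_pid[(pid, image)].append((ts, dst))
    peaks = {}
    for key, recs in by_pid.items():
        recs.sort()
        counts = defaultdict(int)              # dst -> occurrences inside window
        left, best = 0, 0
        for ts, dst in recs:
            counts[dst] += 1
            while ts - recs[left][0] > window_s:   # evict records older than the window
                old = recs[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            best = max(best, len(counts))
        peaks[key] = best
    return peaks


def scan_alerts(flows, window_s=60.0, threshold=100):
    """(pid, image, peak_distinct_hosts) for every process over the threshold."""
    peaks = distinct_hosts_in_window(flows, window_s)
    return sorted((pid, image, n) for (pid, image), n in peaks.items() if n >= threshold)


if __name__ == "__main__":
    flows = make_flows()
    for (pid, image), n in total_distinct_hosts(flows).items():
        print(f"{image} (pid {pid}): {n} distinct hosts in trace")
    for pid, image, n in scan_alerts(flows):
        print(f"ALERT possible network scan: {image} (pid {pid}) reached {n} hosts within 60 s")
```

The window matters more than the absolute count: a proxy or a crawler can legitimately accumulate thousands of destinations over a day, while a worm's scanner reaches hundreds within a minute.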
Processes

C:\Windows\system32\rundll32.exe (PID 1732)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9965bd5de99ff82cf91603d126fa6a5_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe (PID 2520)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\e9965bd5de99ff82cf91603d126fa6a5_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\WINDOWS\mssecsvc.exe (PID 708)
      command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      C:\WINDOWS\tasksche.exe (PID 2732)
        command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE

C:\WINDOWS\mssecsvc.exe (PID 1516)
  command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
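The process tree above, together with the "Drops file in Windows directory", "Drops file in System32 directory" and "Executes dropped EXE" signatures, is a correlation between file-write events and later process creations. The script below is an added example, not the sandbox's signature code and not part of this report: it reproduces that correlation over a constructed event trace whose image paths, PIDs and command lines are taken from the report. The timestamps, the event schema and the parent of PID 1516 (the report shows no parent for the "-m security" instance) are assumptions, and the counters.dat write is modelled as a file write even though the report records it as "opened for modification".

```python
"""Correlate file writes with later process creations to flag dropped-and-executed
binaries and print their ancestry. Added example over a constructed trace; not the
report's or the sandbox's own code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since trace start (constructed ordering only)
    kind: str      # "proc_create" or "file_write"
    pid: int       # new process (proc_create) or acting process (file_write)
    ppid: int      # parent pid for proc_create; 0 when unknown or not applicable
    image: str     # image path of the new process, or of the writer
    target: str    # command line (proc_create) or written file path (file_write)


DLL = r"C:\Users\Admin\AppData\Local\Temp\e9965bd5de99ff82cf91603d126fa6a5_JaffaCakes118.dll"

# Constructed trace modelled on the report's process tree and IoC tables.
# Timestamps and the ppid of 1516 are assumptions; the scratch.tmp write is a
# benign control that must not be flagged.
TRACE = [
    Event(0, "proc_create", 1732, 0, r"C:\Windows\system32\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Event(1, "proc_create", 2520, 1732, r"C:\Windows\SysWOW64\rundll32.exe", f"rundll32.exe {DLL},#1"),
    Event(2, "file_write", 2520, 0, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\WINDOWS\mssecsvc.exe"),
    Event(3, "proc_create", 708, 2520, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe"),
    Event(4, "file_write", 708, 0, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\tasksche.exe"),
    Event(5, "proc_create", 2732, 708, r"C:\WINDOWS\tasksche.exe", r"C:\WINDOWS\tasksche.exe /i"),
    Event(6, "proc_create", 1516, 0, r"C:\WINDOWS\mssecsvc.exe", r"C:\WINDOWS\mssecsvc.exe -m security"),
    Event(7, "file_write", 1516, 0, r"C:\WINDOWS\mssecsvc.exe",
          r"C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat"),
    Event(8, "file_write", 2520, 0, r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Users\Admin\AppData\Local\Temp\scratch.tmp"),
]


def _norm(path: str) -> str:
    """Case-insensitive, backslash-only comparison key for NTFS paths."""
    return path.lower().replace("/", "\\")


def classify_drop(path: str):
    """Return "system32", "windows" or None, mirroring the report's two separate
    drop signatures (System32/SysWOW64 versus the rest of the Windows directory)."""
    p = _norm(path)
    if p.startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")):
        return "system32"
    if p.startswith("c:\\windows\\"):
        return "windows"
    return None


def drops(trace):
    """Every file write under the Windows directory as (category, writer image, path)."""
    out = []
    for e in trace:
        if e.kind == "file_write":
            cat = classify_drop(e.target)
            if cat:
                out.append((cat, e.image, e.target))
    return out


def process_chain(trace, pid):
    """Follow ppid links to the root; returns pids root-first (cycle-safe)."""
    parents = {e.pid: e.ppid for e in trace if e.kind == "proc_create"}
    chain, seen = [], set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = parents[pid]
    return list(reversed(chain))


def executed_dropped(trace):
    """"Executes dropped EXE": process creations whose image path was written
    earlier in the same trace. Each finding carries the executing pid, the pid
    that wrote the file and the root-first ancestry of the new process."""
    written = {}                                   # normalised path -> writer pid
    findings = []
    for e in sorted(trace, key=lambda x: x.ts):
        if e.kind == "file_write":
            written.setdefault(_norm(e.target), e.pid)
        elif e.kind == "proc_create" and _norm(e.image) in written:
            findings.append({"pid": e.pid, "image": e.image,
                             "dropped_by": written[_norm(e.image)],
                             "chain": process_chain(trace, e.pid)})
    return findings


if __name__ == "__main__":
    for cat, writer, path in drops(TRACE):
        print(f"[drop:{cat}] {writer} -> {path}")
    for f in executed_dropped(TRACE):
        chain = " > ".join(str(p) for p in f["chain"])
        print(f"[executes dropped EXE] pid {f['pid']} {f['image']} written by pid {f['dropped_by']}; chain {chain}")
```

On the constructed trace this yields the same three "Executes dropped EXE" hits the report lists (PIDs 708, 2732 and 1516) and separates the two drop categories the report keeps apart; the scratch.tmp control is never reported.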
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 3.6MB
MD5: d9202038c45f98fd99e025c07dcdff94
SHA1: d657274387578a54ca74507ec7a6528468426419
SHA256: 5a71f2e86b516c3ea15a1fecd56c0883f0969abd3f8867f8f7b88a9a177f5a43
SHA512: fe17e73e39797cb277a3c421a97668b20d698788b49a07b1c87d3741f1c6a0748487c1ddbea06db39eec027b37069dc51e7ab60eb2e746ca7c36975817b65388

Filesize: 3.4MB
MD5: c1cac710562620c5ed1b2784518fdf1f
SHA1: 3ef49cab7c4561f95496650f3aa24619749879cc
SHA256: 3086a44e93c777fbf952e57884fcc00be4a043ee9aea8fdd6ddf1410e8115d1d
SHA512: ae6ee4ed5916910a2a192f92716cddcfe1615da80691bb49608496037e3df264b14ff0daf0c6745ba41cb05d19d833811fd0357a0f46afbea2467ac62b078e36