Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18-09-2024 19:14
Static task
static1
Behavioral task
behavioral1
Sample
e9ce08afa289a2c8af4a638a753c6507_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
e9ce08afa289a2c8af4a638a753c6507_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
e9ce08afa289a2c8af4a638a753c6507_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
e9ce08afa289a2c8af4a638a753c6507
-
SHA1
90bc012dfa05a751a6889d62f6ade512583bcfda
-
SHA256
4e8eb80f86bae675ffb9249bf51adb34560917eb176558f365ed6bf178a07da1
-
SHA512
83dff55ce1b77db6b51559a2cca8ac43126d6275dfa1b6ad69aeebc458842b633249ab1734c49e2d2ea6d7be550ddc7bc39c5b3f08f698b9c088f40aa6111a19
-
SSDEEP
24576:SbLgddQhfdmMSirYbcMNgef0QeQjG/D8kIqRYSR+7H:SnAQqMSPbcBVQej/1/R+
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3084) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2188 mssecsvc.exe 1712 mssecsvc.exe 2872 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB024992-DF60-4BD3-9859-3CAA57D210B7}\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-5d-69-46-0c-98 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-5d-69-46-0c-98\WpadDecisionTime = 80c98810ff09db01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-5d-69-46-0c-98\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB024992-DF60-4BD3-9859-3CAA57D210B7} mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB024992-DF60-4BD3-9859-3CAA57D210B7}\WpadDecisionTime = 80c98810ff09db01 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB024992-DF60-4BD3-9859-3CAA57D210B7}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB024992-DF60-4BD3-9859-3CAA57D210B7}\02-5d-69-46-0c-98 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-5d-69-46-0c-98\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB024992-DF60-4BD3-9859-3CAA57D210B7}\WpadDecisionReason = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2060 wrote to memory of 2528 2060 rundll32.exe 30 PID 2060 wrote to memory of 2528 2060 rundll32.exe 30 PID 2060 wrote to memory of 2528 2060 rundll32.exe 30 PID 2060 wrote to memory of 2528 2060 rundll32.exe 30 PID 2060 wrote to memory of 2528 2060 rundll32.exe 30 PID 2060 wrote to memory of 2528 2060 rundll32.exe 30 PID 2060 wrote to memory of 2528 2060 rundll32.exe 30 PID 2528 wrote to memory of 2188 2528 rundll32.exe 31 PID 2528 wrote to memory of 2188 2528 rundll32.exe 31 PID 2528 wrote to memory of 2188 2528 rundll32.exe 31 PID 2528 wrote to memory of 2188 2528 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e9ce08afa289a2c8af4a638a753c6507_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\e9ce08afa289a2c8af4a638a753c6507_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2188 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2872
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1712
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD531c997c17202d1aeec62329cb90dd00d
SHA1ac78f7c6f6c600f5890d7dcbf51c40b775ab4814
SHA2567bc947804a598b209e546c08afa29d8e82448fdacf4c6d147ce721c7b764181c
SHA512297351bf5f3f746d177c96582f1c856ed38410cdb4dd22d0cb5859d45ddfec7818d46885c12b41b9301a50c9a1d2532f5b3483a088050c0aafe96dad1d5df49f
-
Filesize
3.4MB
MD58d2b38e8eeafe269d053c8fd41bd5fb3
SHA109f485dd337bc79d22c211508170f4b8fec35086
SHA25647515da81eea0f2f7c0c2f54f5cab028cb00c1b3e7b7ab8333fea3e16f0de904
SHA5123c97dacb8aa6d5180840a8820127a4b6d67ae5376404ed878c61c7dae27757100d3d55c226739a15b04402cf156d88ebe9406798c5f2a3d0f8e637de43c4dfc6