Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19-09-2024 07:06
Static task
static1
Behavioral task
behavioral1
Sample
ead11c271da8a54ab83e16665b415bda_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ead11c271da8a54ab83e16665b415bda_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
ead11c271da8a54ab83e16665b415bda_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
ead11c271da8a54ab83e16665b415bda
-
SHA1
2f1a579915708ad4cc553c9277bf5e8b2b7ff674
-
SHA256
d94e28b4bd152879ab2d530b7c796054e36176b29b45a4a3375171f8a06acd40
-
SHA512
159f8ac623ba313e4468dd963c9c96f21f0f9193563e666532d742cd576c2ab78aaaed469bc75fe2b009735a87f19ed5b85fb8ab33ff02505515c3028d325dbf
-
SSDEEP
49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6S:+DqPoBhz1aRxcSUDk36S
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3332) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2336 mssecsvc.exe 2764 mssecsvc.exe 2780 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-eb-9f-ad-53-4e\WpadDecisionTime = e09d007e620adb01 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C763CDB-E664-46F6-9E2E-AB178A1A44A5}\WpadDecision = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C763CDB-E664-46F6-9E2E-AB178A1A44A5} mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C763CDB-E664-46F6-9E2E-AB178A1A44A5}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-eb-9f-ad-53-4e\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C763CDB-E664-46F6-9E2E-AB178A1A44A5}\WpadDecisionTime = e09d007e620adb01 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C763CDB-E664-46F6-9E2E-AB178A1A44A5}\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-eb-9f-ad-53-4e\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\12-eb-9f-ad-53-4e mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C763CDB-E664-46F6-9E2E-AB178A1A44A5}\12-eb-9f-ad-53-4e mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2364 wrote to memory of 796 2364 rundll32.exe 31 PID 2364 wrote to memory of 796 2364 rundll32.exe 31 PID 2364 wrote to memory of 796 2364 rundll32.exe 31 PID 2364 wrote to memory of 796 2364 rundll32.exe 31 PID 2364 wrote to memory of 796 2364 rundll32.exe 31 PID 2364 wrote to memory of 796 2364 rundll32.exe 31 PID 2364 wrote to memory of 796 2364 rundll32.exe 31 PID 796 wrote to memory of 2336 796 rundll32.exe 32 PID 796 wrote to memory of 2336 796 rundll32.exe 32 PID 796 wrote to memory of 2336 796 rundll32.exe 32 PID 796 wrote to memory of 2336 796 rundll32.exe 32
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ead11c271da8a54ab83e16665b415bda_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ead11c271da8a54ab83e16665b415bda_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:796 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2336 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2780
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2764
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5f3d461244caa4fa99eddb1bcd8f8e5f6
SHA1a14aa0617df55e5ea36a377bfe1b1683f322b2ca
SHA256dadfa38538399402b9ad74be92ba2d63420a38ef565831e7828fc12ec5f13a8e
SHA512f2a632840c35e098cec82e61bbb79e07b9b278677b99c0a98cc1f32777948923475389b0bee4f1e5fb4c54f32f39f83b1e03ba7f8aa130b7d77612008bd8901b
-
Filesize
3.4MB
MD5117c8579fbf9d712a4b883adecb0be5e
SHA1c37f9b721b804a7b13898888b635f97910401369
SHA2565faac8ff2211687c3d4e25d17393a308b1f720e6fa4763083de88411f83016d6
SHA5120b404ecc4eedce02c6a982d3324ece4ac995bbdd4ca4b2557999ab6e43d66591228e3d18e1cd5735f48f429ab6a85715ec1f866a471e3b766d3cf794a2b5c600