Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
19-09-2024 18:51
Static task
static1
Behavioral task
behavioral1
Sample
ebfb728ffde51b0e9a3d38405074679a_JaffaCakes118.dll
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
ebfb728ffde51b0e9a3d38405074679a_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
ebfb728ffde51b0e9a3d38405074679a_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
ebfb728ffde51b0e9a3d38405074679a
-
SHA1
1e2c51318de80dd2cbb8bcc3f0fa22417d9a2bd1
-
SHA256
9f8f4ebbd390496cd0e5e3a6a7d2463aee01ea04f7bfb5b21c71b3d4e046215c
-
SHA512
38026242a37d7deecb2d71a32b0989cbd26718e244630bcd6a6b6939ed3848784949846a6c6ecd5ad8c6c6345099ce43c285fc3c3f91ae8fe64e85c96eea3db6
-
SSDEEP
98304:+DqPoBhz1aRxcSUDk36SAEdhvxWao8yAVp2H:+DqPe1Cxcxk3ZAEUao8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3103) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2084 mssecsvc.exe 2772 mssecsvc.exe 2708 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-3b-ff-8f-95-2c\WpadDecision = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53BF6718-92A5-4F1A-8083-46CA22CF3C00} mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53BF6718-92A5-4F1A-8083-46CA22CF3C00}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-3b-ff-8f-95-2c mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-3b-ff-8f-95-2c\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53BF6718-92A5-4F1A-8083-46CA22CF3C00}\WpadDecision = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0121000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53BF6718-92A5-4F1A-8083-46CA22CF3C00}\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53BF6718-92A5-4F1A-8083-46CA22CF3C00}\WpadDecisionTime = 405ff5f5c40adb01 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-3b-ff-8f-95-2c\WpadDecisionTime = 405ff5f5c40adb01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53BF6718-92A5-4F1A-8083-46CA22CF3C00}\4a-3b-ff-8f-95-2c mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2732 wrote to memory of 2096 2732 rundll32.exe 31 PID 2732 wrote to memory of 2096 2732 rundll32.exe 31 PID 2732 wrote to memory of 2096 2732 rundll32.exe 31 PID 2732 wrote to memory of 2096 2732 rundll32.exe 31 PID 2732 wrote to memory of 2096 2732 rundll32.exe 31 PID 2732 wrote to memory of 2096 2732 rundll32.exe 31 PID 2732 wrote to memory of 2096 2732 rundll32.exe 31 PID 2096 wrote to memory of 2084 2096 rundll32.exe 32 PID 2096 wrote to memory of 2084 2096 rundll32.exe 32 PID 2096 wrote to memory of 2084 2096 rundll32.exe 32 PID 2096 wrote to memory of 2084 2096 rundll32.exe 32
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ebfb728ffde51b0e9a3d38405074679a_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ebfb728ffde51b0e9a3d38405074679a_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2084 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2708
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2772
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5cdf9c25e9f9c243dd20a8c826085cdbb
SHA140d6aebc5bbac4ac516dff1a9fdd28ea269d48bf
SHA25690ce98041b8f81d2b8621366b989a4abbfde8b0cad3ff920a69d05e5ea679761
SHA5123297995a94453f864c15c49ba5695390efae60013769429b7d49e23b20f48f9a54dbdaf6ce603e7e58b279c99b236b1c52303f87cfb18d2530ddf9c113a6cab7
-
Filesize
3.4MB
MD5cdb0ff22ab61c1d2e5d84c6c2ee01588
SHA1847109df9dd940d1b49359f3165858c1b7ba5ea3
SHA2569a4099a2b821109f1a24fb54eb4851a7bdbaa5d95085ac41db79d5ee8a844f70
SHA5129eb2f265aee595c839208c9681657d31543a7ae555b3693fd6b67b5879d01b4dbf756fba54a27454574d77cbddf3b0610e1c6fb498de8d137636b7ec490c0067