Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
20-09-2024 03:31
Static task
static1
Behavioral task
behavioral1
Sample
ecc23cb522f9026997a28c38f5c80d41_JaffaCakes118.dll
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
ecc23cb522f9026997a28c38f5c80d41_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
ecc23cb522f9026997a28c38f5c80d41_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
ecc23cb522f9026997a28c38f5c80d41
-
SHA1
8db667c16f8309062c91bbf753485bd92c13bf9f
-
SHA256
7b3e9d0edb86278d2fd623f6e531ace6bef63d6fe89784b058968fe630846d62
-
SHA512
176ac23a8402c686ca48da5e19c6e53d6ff37b394a8c7cea0b7d8c0a04220989d7d70c080c875aa8bec6606c7933af84025e9c2b3ad3e85a48216d33b7eb8eb0
-
SSDEEP
49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAMEcaEa:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3239) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2300 mssecsvc.exe 2708 mssecsvc.exe 2712 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{717F64BA-BD50-4BEF-9EEE-7750A2E58079}\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-61-d2-f2-ff-2b mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{717F64BA-BD50-4BEF-9EEE-7750A2E58079}\da-61-d2-f2-ff-2b mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-61-d2-f2-ff-2b\WpadDecisionTime = 906d95900d0bdb01 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{717F64BA-BD50-4BEF-9EEE-7750A2E58079}\WpadDecision = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-61-d2-f2-ff-2b\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0195000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{717F64BA-BD50-4BEF-9EEE-7750A2E58079} mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{717F64BA-BD50-4BEF-9EEE-7750A2E58079}\WpadNetworkName = "Network 3" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\da-61-d2-f2-ff-2b\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{717F64BA-BD50-4BEF-9EEE-7750A2E58079}\WpadDecisionTime = 906d95900d0bdb01 mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2644 wrote to memory of 3052 2644 rundll32.exe 30 PID 2644 wrote to memory of 3052 2644 rundll32.exe 30 PID 2644 wrote to memory of 3052 2644 rundll32.exe 30 PID 2644 wrote to memory of 3052 2644 rundll32.exe 30 PID 2644 wrote to memory of 3052 2644 rundll32.exe 30 PID 2644 wrote to memory of 3052 2644 rundll32.exe 30 PID 2644 wrote to memory of 3052 2644 rundll32.exe 30 PID 3052 wrote to memory of 2300 3052 rundll32.exe 31 PID 3052 wrote to memory of 2300 3052 rundll32.exe 31 PID 3052 wrote to memory of 2300 3052 rundll32.exe 31 PID 3052 wrote to memory of 2300 3052 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ecc23cb522f9026997a28c38f5c80d41_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ecc23cb522f9026997a28c38f5c80d41_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2300 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2712
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2708
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5c41c7f9d97033d5612ce664b86575aa3
SHA1c9d9ccb26bec57c1dfff351b11cde35f2bda36d0
SHA256d097205785d6c4265ce7c4ddaeac8848fb38f7cd4405a78607b5b5bb2d539977
SHA512aa04a632e25f9750a642539298cfdc9fbc94213d8f42b03ac8721c0591933dd86df70de4b64ddaa2d75fbbe2766883928c0682b33d17742a7d0ed395a7aff60a
-
Filesize
3.4MB
MD50d53824fa26efe3041766fdff84317e4
SHA1d297b1dcb7cbb758f04677e8bb524b0d82b58887
SHA256af6a1b83122f7299a303583cebadbd223e9474833496a0d37818f4049116a3de
SHA5121bd665a1d36dc69af7b1628a397a405574bb3d9b3671173168cabca253d6370e6774a5262a3cab0e663e8bda753bd8a00c20b66ace79017a1ff39dd0e9fb2a2a