Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 20-09-2024 05:57
Static task: static1
Behavioral task: behavioral1
- Sample: ecf874f3dec4b878c266f1f79c6b782f_JaffaCakes118.dll
- Resource: win7-20240729-en
Behavioral task: behavioral2
- Sample: ecf874f3dec4b878c266f1f79c6b782f_JaffaCakes118.dll
- Resource: win10v2004-20240802-en
General
- Target: ecf874f3dec4b878c266f1f79c6b782f_JaffaCakes118.dll
- Size: 5.0MB
- MD5: ecf874f3dec4b878c266f1f79c6b782f
- SHA1: 83e08e4e744a3021701498829a6a6d16cdecaf91
- SHA256: 336122b459686f4dbb10d860c4224d7aea6161d4de9b94cad5a43793f44a5774
- SHA512: 99c1ac60af920f89b12a6d72e03b2bb688ebe2cfbb1f838103e4951afef58dc433cdc0f34d8e349c0e91e0e4fc066cac20cbe4bcd9ee5dc4610b0ef69cc043eb
- SSDEEP: 98304:+DqPoBhz1aRxcSUDkEQv9Snm1tnr7I593R8yAVp2H:+DqPe1CxcxkEQv9Snm1tnr7IzR8yc4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3261) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)

  | pid  | Process      |
  |------|--------------|
  | 1080 | mssecsvc.exe |
  | 2272 | mssecsvc.exe |
  | 3036 | tasksche.exe |

- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)

  | description                  | ioc | Process |
  |------------------------------|-----|---------|
  | File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe |

- Drops file in Windows directory (2 IoCs)

  | description  | ioc                     | Process      |
  |--------------|-------------------------|--------------|
  | File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe |
  | File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe |
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  | description | ioc                                                        | Process      |
  |-------------|------------------------------------------------------------|--------------|
  | Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe |
  | Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvc.exe |
  | Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvc.exe |
- Modifies data under HKEY_USERS (24 IoCs)

  | description      | ioc | Process |
  |------------------|-----|---------|
  | Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe |
  | Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f012b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe |
  | Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-ee-23-51-c7-65 | mssecsvc.exe |
  | Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-ee-23-51-c7-65\WpadDecisionTime = 00c3ceeb210bdb01 | mssecsvc.exe |
  | Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-ee-23-51-c7-65\WpadDecision = "0" | mssecsvc.exe |
  | Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe |
  | Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4293FF0F-0CAD-4D9F-A450-CB251F22B9F3} | mssecsvc.exe |
  | Set value (str)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe |
  | Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4293FF0F-0CAD-4D9F-A450-CB251F22B9F3}\WpadDecisionReason = "1" | mssecsvc.exe |
  | Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4293FF0F-0CAD-4D9F-A450-CB251F22B9F3}\WpadDecisionTime = 00c3ceeb210bdb01 | mssecsvc.exe |
  | Key created      | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe |
  | Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe |
  | Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe |
  | Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe |
  | Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe |
  | Set value (str)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4293FF0F-0CAD-4D9F-A450-CB251F22B9F3}\WpadNetworkName = "Network 3" | mssecsvc.exe |
  | Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4293FF0F-0CAD-4D9F-A450-CB251F22B9F3}\WpadDecision = "0" | mssecsvc.exe |
  | Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4293FF0F-0CAD-4D9F-A450-CB251F22B9F3}\f2-ee-23-51-c7-65 | mssecsvc.exe |
  | Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\f2-ee-23-51-c7-65\WpadDecisionReason = "1" | mssecsvc.exe |
  | Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe |
  | Set value (int)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe |
  | Set value (str)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe |
  | Set value (str)  | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe |
  | Key created      | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe |

- Suspicious use of WriteProcessMemory (11 IoCs)

  | description                      | pid  | Process      | procid_target |
  |----------------------------------|------|--------------|---------------|
  | PID 2380 wrote to memory of 1740 | 2380 | rundll32.exe | 29            |
  | PID 2380 wrote to memory of 1740 | 2380 | rundll32.exe | 29            |
  | PID 2380 wrote to memory of 1740 | 2380 | rundll32.exe | 29            |
  | PID 2380 wrote to memory of 1740 | 2380 | rundll32.exe | 29            |
  | PID 2380 wrote to memory of 1740 | 2380 | rundll32.exe | 29            |
  | PID 2380 wrote to memory of 1740 | 2380 | rundll32.exe | 29            |
  | PID 2380 wrote to memory of 1740 | 2380 | rundll32.exe | 29            |
  | PID 1740 wrote to memory of 1080 | 1740 | rundll32.exe | 30            |
  | PID 1740 wrote to memory of 1080 | 1740 | rundll32.exe | 30            |
  | PID 1740 wrote to memory of 1080 | 1740 | rundll32.exe | 30            |
  | PID 1740 wrote to memory of 1080 | 1740 | rundll32.exe | 30            |
Processes
- C:\Windows\system32\rundll32.exe (PID 2380)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecf874f3dec4b878c266f1f79c6b782f_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1740)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\ecf874f3dec4b878c266f1f79c6b782f_JaffaCakes118.dll,#1
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 1080)
      Command line: C:\WINDOWS\mssecsvc.exe
      Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
      - C:\WINDOWS\tasksche.exe (PID 3036)
        Command line: C:\WINDOWS\tasksche.exe /i
        Signatures: Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 2272)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: a39bbd5df277ccaa4c4b3313ab521ae3
  SHA1: a7216aa454b203cd0cf6ce7c9da276db19a12583
  SHA256: d451244d05dd302813b76f0296242280f4afc241e6dfa511a86ee63ad834585b
  SHA512: b074b4a46caa7cdcd67dfbe7d92daa201f562fa48f2de13716c3412be180301986a539573487fdae55f9b6143e907fbe5f701dc48aa4dd7aaa72493c947aa1df
- Filesize: 3.4MB
  MD5: e365fbb7d6c0fa05bdf10470e1c50aca
  SHA1: 3f983ab41dc8631112ffe0e7e4532c301372d6d3
  SHA256: 64c098ded3d1dd72a78541f7b7228f2f051b4be9a5bb6d4a8fbce37a2ed37e1c
  SHA512: 8554a6373d1d3fcc16999370e6352478cf6fd1138726985c5fc24b9bf7a3be621353ded90f8e369bf44c241a7fba7bfdc8c7fe3ddaff3de98865f62cab84d6f1