Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
21-09-2024 10:18
Static task
static1
Behavioral task
behavioral1
Sample
ef94900545e4a455081c70c5e780fecc_JaffaCakes118.dll
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
ef94900545e4a455081c70c5e780fecc_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
ef94900545e4a455081c70c5e780fecc_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
ef94900545e4a455081c70c5e780fecc
-
SHA1
5767fc1c43a42a3e020c26d4ba76cb33827f782d
-
SHA256
154f4f786c332668051cf43aa48639129316f418a8576842cf2841984555cf72
-
SHA512
fa6d27b66206dc57d2b38a544442536159f2b37186a5ee1e7f7517295acbad26c8b1e172689caff28bf16ca3473627c322bcc264b79d03438c2d275dfa72f896
-
SSDEEP
98304:+DqPoBhz1aRxcSUD/Nj9msGxWa9P593R8yAVp2H:+DqPe1CxcxN9msZadzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3336) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2656 mssecsvc.exe 2652 mssecsvc.exe 2896 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-68-ed-3f-c1-c7 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0128000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5CF0AAE7-81F7-41F2-9EB1-FD97CA33B946}\WpadDecisionTime = 206b32a40f0cdb01 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5CF0AAE7-81F7-41F2-9EB1-FD97CA33B946}\WpadDecision = "0" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5CF0AAE7-81F7-41F2-9EB1-FD97CA33B946}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5CF0AAE7-81F7-41F2-9EB1-FD97CA33B946} mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5CF0AAE7-81F7-41F2-9EB1-FD97CA33B946}\66-68-ed-3f-c1-c7 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-68-ed-3f-c1-c7\WpadDecisionReason = "1" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-68-ed-3f-c1-c7\WpadDecisionTime = 206b32a40f0cdb01 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5CF0AAE7-81F7-41F2-9EB1-FD97CA33B946}\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-68-ed-3f-c1-c7\WpadDecision = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 2640 wrote to memory of 2084 2640 rundll32.exe 30 PID 2640 wrote to memory of 2084 2640 rundll32.exe 30 PID 2640 wrote to memory of 2084 2640 rundll32.exe 30 PID 2640 wrote to memory of 2084 2640 rundll32.exe 30 PID 2640 wrote to memory of 2084 2640 rundll32.exe 30 PID 2640 wrote to memory of 2084 2640 rundll32.exe 30 PID 2640 wrote to memory of 2084 2640 rundll32.exe 30 PID 2084 wrote to memory of 2656 2084 rundll32.exe 31 PID 2084 wrote to memory of 2656 2084 rundll32.exe 31 PID 2084 wrote to memory of 2656 2084 rundll32.exe 31 PID 2084 wrote to memory of 2656 2084 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ef94900545e4a455081c70c5e780fecc_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\ef94900545e4a455081c70c5e780fecc_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2656 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2896
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2652
Network
-
Remote address:8.8.8.8:53Requestwww.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comIN AResponsewww.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comIN A104.16.166.228www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.comIN A104.16.167.228
-
Remote address:104.16.166.228:80RequestGET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 607
Connection: close
Server: cloudflare
CF-RAY: 8c695019fa17952c-LHR
-
Remote address:104.16.166.228:80RequestGET / HTTP/1.1
Host: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Cache-Control: no-cache
ResponseHTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 607
Connection: close
Server: cloudflare
CF-RAY: 8c69501b5b48368e-LHR
-
422 B 1.0kB 7 6
HTTP Request
GET http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/HTTP Response
200 -
330 B 990 B 5 5
HTTP Request
GET http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/HTTP Response
200 -
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
52 B 1
-
104 B 80 B 2 2
-
52 B 1
-
52 B 1
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD5a2813ecbc617827612128847085db806
SHA1643e4cb025b8fb6b6e7d8d3bed44294ccdc09e13
SHA256260739932a53cc3ea15c458c545f2b09ef7880379ef111c5626f58f72df8b364
SHA51202e907596f07e863226f1b4f657ec782f617dd41bf88ae995d64630108b2f855ac65b7f57a122bd736ecffb4537d324de74f48bd047a3933dc43f6e6375f29a8
-
Filesize
3.4MB
MD59a23902978100b37fc7e286c43dde290
SHA177484b1b1680088f530f056eee2f1c287cd0dc2f
SHA256eb57e1a987cfd6f90c6f23fa5d44f6f83c104370e5cef61f630ad4a3135b6571
SHA512a6efe7798214fad1878c6ec5ea4dd9f6a145fa356dbcd807968f4755c933eb2d35c7e14e03e360c98dc9e2ee0ecacb58de2131d282a67bf6e252a7f13a4e4ee5