Analysis
  Max time kernel: 150s
  Max time network: 150s
  Platform: windows7_x64
  Resource: win7-20240903-en
  Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  Submitted: 22-09-2024 00:39
Static task: static1
Behavioral task: behavioral1
  Sample: f0ef77078d8bc749aa1ad95bcb39809e_JaffaCakes118.dll
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: f0ef77078d8bc749aa1ad95bcb39809e_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
  Target: f0ef77078d8bc749aa1ad95bcb39809e_JaffaCakes118.dll
  Size: 5.0MB
  MD5: f0ef77078d8bc749aa1ad95bcb39809e
  SHA1: 393352ed47f06ce2f5541dbb3f4cc2be947df68d
  SHA256: 52012d343d88ac4aea4f23a56c3e88dc5d49fbb93b09d4122f3669765f83aa81
  SHA512: 4c4a55696642f966f7f9cac63840ade7f69b216efdfa5e8111b06d00387cd54bf5e886a3dc08f73d9b0817cf01c69182f79eb276d7e1966e225437821ad1baf0
  SSDEEP: 98304:dDqPoBhz1aRxcSUZk36SAEdhvxWa9P59Uc/J:dDqPe1Cxc7k3ZAEUadv
Malware Config
Signatures
Wannacry
  WannaCry is a ransomware cryptoworm.

Contacts a large (3081) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Executes dropped EXE (3 IoCs)
  PID 2540  mssecsvc.exe
  PID 2788  mssecsvc.exe
  PID 2308  tasksche.exe

Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.

Drops file in System32 directory (1 IoCs)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat  (mssecsvc.exe)

Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\mssecsvc.exe  (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe  (mssecsvc.exe)
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (mssecsvc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (mssecsvc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (rundll32.exe)
Modifies data under HKEY_USERS (24 IoCs, all by mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DC355833-D7C6-480F-B4DC-9B45211214A9}\WpadDecision = "0"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DC355833-D7C6-480F-B4DC-9B45211214A9}\WpadNetworkName = "Network 3"
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-ee-eb-14-41-9b\WpadDecisionReason = "1"
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-ee-eb-14-41-9b\WpadDecisionTime = 00342adb870cdb01
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DC355833-D7C6-480F-B4DC-9B45211214A9}\WpadDecisionTime = 00342adb870cdb01
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-ee-eb-14-41-9b
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-ee-eb-14-41-9b\WpadDecision = "0"
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DC355833-D7C6-480F-B4DC-9B45211214A9}
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DC355833-D7C6-480F-B4DC-9B45211214A9}\WpadDecisionReason = "1"
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DC355833-D7C6-480F-B4DC-9B45211214A9}\a2-ee-eb-14-41-9b
Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2408 (rundll32.exe) wrote to memory of 2536, procid_target 31  (7 events)
  PID 2536 (rundll32.exe) wrote to memory of 2540, procid_target 32  (4 events)
Processes
  C:\Windows\system32\rundll32.exe  (PID 2408)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f0ef77078d8bc749aa1ad95bcb39809e_JaffaCakes118.dll,#1
    Signatures: Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (PID 2536)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f0ef77078d8bc749aa1ad95bcb39809e_JaffaCakes118.dll,#1
      Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      C:\WINDOWS\mssecsvc.exe  (PID 2540)
        Command line: C:\WINDOWS\mssecsvc.exe
        Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery
        C:\WINDOWS\tasksche.exe  (PID 2308)
          Command line: C:\WINDOWS\tasksche.exe /i
          Signatures: Executes dropped EXE
  C:\WINDOWS\mssecsvc.exe  (PID 2788)
    Command line: C:\WINDOWS\mssecsvc.exe -m security
    Signatures: Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS
Downloads
  File 1
    Filesize: 3.6MB
    MD5: bd63334b0cf37d9960cdaf9d9b906e6e
    SHA1: 94d7e008c2c80de47618ff9da673853224367b54
    SHA256: 1c2e7c899edffa9b5e49ae17e8bc791210d180811762d27e7fd4fb85b814f650
    SHA512: 359acd9acfa62d8081dc06e8d98aded8ab361594a4c74527867e086337de90b00c70e86f36c247988cc673eb8fbbe5d5bf03ce1126f693ec153839f5bb1d5b49
  File 2
    Filesize: 3.4MB
    MD5: 25b3f59c1057b7ec22a2df41aa0a22e2
    SHA1: c18f662803403c51d6a008c409da62c65a890c77
    SHA256: 7d32e4ad2e665920a3aed4e5adca29f40e1ace3c18096533bb4d445bead8d323
    SHA512: 09f38478fb77515ffa9d14e98601e2cc9a73bcd110a230690e4e5c094ad6d05319b2a5c52b3cea08805763069f4929d4f0dfd323369164460bd22ade906ba55d