Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 22-09-2024 08:41

Static task: static1

Behavioral task: behavioral1
  Sample: f1ab4343d91972fc89d6a597b7972c14_JaffaCakes118.dll
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: f1ab4343d91972fc89d6a597b7972c14_JaffaCakes118.dll
  Resource: win10v2004-20240802-en
General
Target: f1ab4343d91972fc89d6a597b7972c14_JaffaCakes118.dll
Size: 5.0MB
MD5: f1ab4343d91972fc89d6a597b7972c14
SHA1: 0eac99c98689df0c6d697255666942847234d50b
SHA256: f738a899a5bc57660de6acbe5120242323d88927b6314b66258058e7bbc6bd37
SHA512: f66b48a39a214295aef1b0a7c49bb62f4986dfd974214623e8f410c394ba3ca36024e1b2cb370e9d8c72150b278c94d576006e3a521d881ef5794b08c2361945
SSDEEP: 98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P5sp2H:+DqPe1Cxcxk3ZAEUadS4H
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.

- Contacts a large (3232) amount of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Executes dropped EXE (3 IoCs)
  pid  | Process
  2068 | mssecsvc.exe
  1644 | mssecsvc.exe
  2944 | tasksche.exe

- Creates a large amount of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.

- Drops file in System32 directory (1 IoC)
  description | ioc | Process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | mssecsvc.exe

- Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File created | C:\WINDOWS\mssecsvc.exe | rundll32.exe
  File created | C:\WINDOWS\tasksche.exe | mssecsvc.exe

- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | mssecsvc.exe

- Modifies data under HKEY_USERS (24 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5046E9E1-E2EC-4C63-8138-D55078FAA18C}\WpadDecisionTime = d05f5f48cb0cdb01 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-0b-99-d9-a8-3f | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-0b-99-d9-a8-3f\WpadDecisionReason = "1" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5046E9E1-E2EC-4C63-8138-D55078FAA18C}\WpadDecision = "0" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-0b-99-d9-a8-3f\WpadDecision = "0" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f019f000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5046E9E1-E2EC-4C63-8138-D55078FAA18C} | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5046E9E1-E2EC-4C63-8138-D55078FAA18C}\WpadDecisionReason = "1" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | mssecsvc.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5046E9E1-E2EC-4C63-8138-D55078FAA18C}\WpadNetworkName = "Network 3" | mssecsvc.exe
  Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5046E9E1-E2EC-4C63-8138-D55078FAA18C}\e6-0b-99-d9-a8-3f | mssecsvc.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | mssecsvc.exe
  Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\e6-0b-99-d9-a8-3f\WpadDecisionTime = d05f5f48cb0cdb01 | mssecsvc.exe

- Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 3048 wrote to memory of 2388 | 3048 | rundll32.exe | 30
  PID 3048 wrote to memory of 2388 | 3048 | rundll32.exe | 30
  PID 3048 wrote to memory of 2388 | 3048 | rundll32.exe | 30
  PID 3048 wrote to memory of 2388 | 3048 | rundll32.exe | 30
  PID 3048 wrote to memory of 2388 | 3048 | rundll32.exe | 30
  PID 3048 wrote to memory of 2388 | 3048 | rundll32.exe | 30
  PID 3048 wrote to memory of 2388 | 3048 | rundll32.exe | 30
  PID 2388 wrote to memory of 2068 | 2388 | rundll32.exe | 31
  PID 2388 wrote to memory of 2068 | 2388 | rundll32.exe | 31
  PID 2388 wrote to memory of 2068 | 2388 | rundll32.exe | 31
  PID 2388 wrote to memory of 2068 | 2388 | rundll32.exe | 31
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1ab4343d91972fc89d6a597b7972c14_JaffaCakes118.dll,#1
  PID: 3048
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f1ab4343d91972fc89d6a597b7972c14_JaffaCakes118.dll,#1
    PID: 2388
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\WINDOWS\mssecsvc.exe (depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      PID: 2068
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery

      - C:\WINDOWS\tasksche.exe (depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        PID: 2944
        - Executes dropped EXE

- C:\WINDOWS\mssecsvc.exe (depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  PID: 1644
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: d2ed4595df5b1f5619f90b258eb26fb4
  SHA1: 20277158ab5e88f7dacc3e5a5cb129ed60cb2156
  SHA256: 94d1f118a3fc9638e847598c6638d07bc059bacecaf6610fbdb8326e5350b907
  SHA512: 013bec709ce6edfe5ea7c28731fa57c82cae40eea6b762f6063afa14d517f6cfcfc329350e9ba7f3492f3405a727895c14c8c822d01d7b2d3ec36e7836e91b14

- Filesize: 3.4MB
  MD5: 1bd09d8afb4d0c32bf8834a71d04d373
  SHA1: 21e8a2ac3d06ccfec2eae891671f2a31a58a82c8
  SHA256: 64ce6c1b7a5976832f49e15084041160ae270487695df5bbb0390323303e4ff0
  SHA512: 6c1509046a0660ba8c74e0ea73a9803f3787d0813c2e40140c1c9d524f6bb9822922435731f4804ba4dc7a346b8de8a1bce66b0a4879c8d4b9cd2297d8cabf01