Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 24-09-2024 10:40
Static task: static1
Behavioral task: behavioral1
- Sample: f375b7c1c976f31b3240c66813994ae6_JaffaCakes118.dll
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: f375b7c1c976f31b3240c66813994ae6_JaffaCakes118.dll
- Resource: win10v2004-20240802-en
General
- Target: f375b7c1c976f31b3240c66813994ae6_JaffaCakes118.dll
- Size: 5.0MB
- MD5: f375b7c1c976f31b3240c66813994ae6
- SHA1: d0f2c40644d44614c4e8491ab20ae658f554690f
- SHA256: 0fad304d3f2651eb3978f2ee99cb9d2de3b34696780b0d5f0991eca03ef81725
- SHA512: 4b245cb9fdbc0e4fab885aaf5715d090eef805b5dd8d5daca48f9eb4e9262527d76c82af2289f9a680be477f2dbacefac3e55c33a3337839e86768918664cc3f
- SSDEEP: 24576:zbLgddQhfdmMSirYbcMNgef0QeQjG/D8kI1LJMfcH9PO6Lvp9d:znAQqMSPbcBVQej/yxJM0H9nF
Malware Config
Signatures
- Wannacry
WannaCry is a ransomware cryptoworm.
- Contacts a large number (3314) of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (3 IoCs)
  PID 396: mssecsvc.exe
  PID 1696: mssecsvc.exe
  PID 1984: tasksche.exe
- Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (mssecsvc.exe)
- Drops file in Windows directory (2 IoCs)
  File created: C:\WINDOWS\mssecsvc.exe (rundll32.exe)
  File created: C:\WINDOWS\tasksche.exe (mssecsvc.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mssecsvc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (mssecsvc.exe)
- Modifies data under HKEY_USERS (24 IoCs)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E987025-7AB1-4E50-ABAB-6DABB798EAA2}\WpadNetworkName = "Network 3" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E987025-7AB1-4E50-ABAB-6DABB798EAA2}\82-16-08-26-7a-1e (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-16-08-26-7a-1e\WpadDecisionTime = f06fec406e0edb01 (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-16-08-26-7a-1e\WpadDecisionReason = "1" (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E987025-7AB1-4E50-ABAB-6DABB798EAA2} (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E987025-7AB1-4E50-ABAB-6DABB798EAA2}\WpadDecisionReason = "1" (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E987025-7AB1-4E50-ABAB-6DABB798EAA2}\WpadDecisionTime = f06fec406e0edb01 (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{5E987025-7AB1-4E50-ABAB-6DABB798EAA2}\WpadDecision = "0" (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-16-08-26-7a-1e\WpadDecision = "0" (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (mssecsvc.exe)
  Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (mssecsvc.exe)
  Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (mssecsvc.exe)
  Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\82-16-08-26-7a-1e (mssecsvc.exe)
- Suspicious use of WriteProcessMemory (11 IoCs)
  PID 2052 (rundll32.exe) wrote to memory of PID 1040 (procid_target 28)
  PID 2052 (rundll32.exe) wrote to memory of PID 1040 (procid_target 28)
  PID 2052 (rundll32.exe) wrote to memory of PID 1040 (procid_target 28)
  PID 2052 (rundll32.exe) wrote to memory of PID 1040 (procid_target 28)
  PID 2052 (rundll32.exe) wrote to memory of PID 1040 (procid_target 28)
  PID 2052 (rundll32.exe) wrote to memory of PID 1040 (procid_target 28)
  PID 2052 (rundll32.exe) wrote to memory of PID 1040 (procid_target 28)
  PID 1040 (rundll32.exe) wrote to memory of PID 396 (procid_target 29)
  PID 1040 (rundll32.exe) wrote to memory of PID 396 (procid_target 29)
  PID 1040 (rundll32.exe) wrote to memory of PID 396 (procid_target 29)
  PID 1040 (rundll32.exe) wrote to memory of PID 396 (procid_target 29)
Processes
- C:\Windows\system32\rundll32.exe (PID 2052, depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f375b7c1c976f31b3240c66813994ae6_JaffaCakes118.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1040, depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f375b7c1c976f31b3240c66813994ae6_JaffaCakes118.dll,#1
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\WINDOWS\mssecsvc.exe (PID 396, depth 3)
      Command line: C:\WINDOWS\mssecsvc.exe
      - Executes dropped EXE
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - C:\WINDOWS\tasksche.exe (PID 1984, depth 4)
        Command line: C:\WINDOWS\tasksche.exe /i
        - Executes dropped EXE
- C:\WINDOWS\mssecsvc.exe (PID 1696, depth 1)
  Command line: C:\WINDOWS\mssecsvc.exe -m security
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.6MB
  MD5: f9b167ef2037b103fc8fbc2aaf49c500
  SHA1: 2981d9b3d2bf53e7503a103c7d61c5dce32a0194
  SHA256: 580bc13cb46b11268b6b2f7f6ab7c002e6a69d6ae0ffce76434d512f1f27ca6a
  SHA512: 851484dd2fb92d593869960750e6f3767253dc63d9f13fdf0df6c18de528072b0d990af5913d8f5f5d3b36223c488578d168b6bf432d71422c01bd9205fa0bbb
- Filesize: 3.4MB
  MD5: fcc4371e7acec0a9b3e6ac7b9debeade
  SHA1: 05a9fb71fd5fd6144c697ca7a6e523d9330b3b4c
  SHA256: 6cc40596d53333325fe7ce2bb415718035a1cf4eb819e762d79ed3297d51cd53
  SHA512: deb3fd026cb0ec187c517382d341c3cf1dae4cbefb7d8766053ad64a140dadc0149bf87ba751f6e4b5d23ee308ebaeb2ec0e29c8071b252d70076c6fa69d7224