Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
26-09-2024 23:25
Static task
static1
Behavioral task
behavioral1
Sample
f954b974b717c77f377f9efe747fbac1_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f954b974b717c77f377f9efe747fbac1_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
f954b974b717c77f377f9efe747fbac1_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
f954b974b717c77f377f9efe747fbac1
-
SHA1
16db73d8089233d16c0454f7833d6345d15da871
-
SHA256
be82a36ff7a1f80fdd04123552815fc4e4cd61b7791f42240c08976b525fa546
-
SHA512
f715d51082c61fcc0749886cbb9afb3d635b5cb314f99b56eec1663d279c403f0d655cd985eb5799472dd2ab7276e9252751733464032a96313e9fa3f566ef61
-
SSDEEP
98304:+DqPoBhz1ScSUDk36SAEdhvxWa9P593R8yAVp2H:+DqPe1Scxk3ZAEUadzR8yc4H
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3284) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2380 mssecsvc.exe 2396 mssecsvc.exe 2712 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvc.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\WINDOWS\mssecsvc.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvc.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvc.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53BA9497-8993-41F9-92AC-E412C1C006FA}\WpadNetworkName = "Network 3" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-a9-8c-9e-68-5b mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-a9-8c-9e-68-5b\WpadDecisionReason = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53BA9497-8993-41F9-92AC-E412C1C006FA}\26-a9-8c-9e-68-5b mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-a9-8c-9e-68-5b\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53BA9497-8993-41F9-92AC-E412C1C006FA} mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53BA9497-8993-41F9-92AC-E412C1C006FA}\WpadDecisionReason = "1" mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53BA9497-8993-41F9-92AC-E412C1C006FA}\WpadDecision = "0" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvc.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{53BA9497-8993-41F9-92AC-E412C1C006FA}\WpadDecisionTime = 3069ad5b6b10db01 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\26-a9-8c-9e-68-5b\WpadDecisionTime = 3069ad5b6b10db01 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvc.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvc.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f006a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target PID 1524 wrote to memory of 2716 1524 rundll32.exe 30 PID 1524 wrote to memory of 2716 1524 rundll32.exe 30 PID 1524 wrote to memory of 2716 1524 rundll32.exe 30 PID 1524 wrote to memory of 2716 1524 rundll32.exe 30 PID 1524 wrote to memory of 2716 1524 rundll32.exe 30 PID 1524 wrote to memory of 2716 1524 rundll32.exe 30 PID 1524 wrote to memory of 2716 1524 rundll32.exe 30 PID 2716 wrote to memory of 2380 2716 rundll32.exe 31 PID 2716 wrote to memory of 2380 2716 rundll32.exe 31 PID 2716 wrote to memory of 2380 2716 rundll32.exe 31 PID 2716 wrote to memory of 2380 2716 rundll32.exe 31
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f954b974b717c77f377f9efe747fbac1_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f954b974b717c77f377f9efe747fbac1_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2380 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
PID:2712
-
-
-
-
C:\WINDOWS\mssecsvc.exeC:\WINDOWS\mssecsvc.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2396
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.6MB
MD569762a3f6b71e9ba5afb0f7c4a162e94
SHA1004a5ea2cefe96c4a4d7cb461bb225b93d82a8f3
SHA2566656d1b3958a6a5b2a30abc7f43908e291e081dfa557152e0c06a04a90890eca
SHA512a7a080f4aeb56d72df5d5ee81387b61133de3b9f0d1b430fd6b7e35c4f0e8c9d34138a93e1c1d665e979c6200bfef81665257855b5cb08a5164a85906d391b6b
-
Filesize
3.4MB
MD54b6bc9ea17de240e52381814b492d436
SHA1e625b78de22525b4913b384e6271a40342b6f394
SHA256f2eaeca5d307d4265ce81a652f3c2777e49d61af9902614476b471b87c7e0f60
SHA512d38c6df79a1a81a45de83e2a772fbabc06cd43ad45cc81730e888d6fa20acf959d4ac0ef8fdba4cb1fcb958ded4f9a77df76f208f2d8118b75ee00556889e2b2