Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
26-09-2024 05:43
Static task
static1
Behavioral task
behavioral1
Sample
f7b1bd2aa9ce09a273243560db7bad8a_JaffaCakes118.dll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f7b1bd2aa9ce09a273243560db7bad8a_JaffaCakes118.dll
Resource
win10v2004-20240802-en
General
-
Target
f7b1bd2aa9ce09a273243560db7bad8a_JaffaCakes118.dll
-
Size
5.0MB
-
MD5
f7b1bd2aa9ce09a273243560db7bad8a
-
SHA1
2d682b3a9bf4d09d8d2fa3986cae4a194764a273
-
SHA256
67e6c96d995da1cf7052d9c27ac740c5b42fc5982b79f53ceb201b0a8f894663
-
SHA512
ab4127003fddd41abb8b50f1737b3a1552f7932724bab6d9d1c30ac1aec500b801a72873f4160c421abe7da60e60d4275dffdcf68aa583ec73abb57df082bee1
-
SSDEEP
49152:RnpEKUvxcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:1pyvOBhz1aRxcSUDk36SAEdhv
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3272) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 3 IoCs
pid Process 2360 mssecsvr.exe 2184 mssecsvr.exe 2712 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 5 IoCs
description ioc Process File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\5PYGHDGN.txt mssecsvr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\5PYGHDGN.txt mssecsvr.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\MK2MS05V.txt mssecsvr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\MK2MS05V.txt mssecsvr.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat mssecsvr.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\WINDOWS\mssecsvr.exe rundll32.exe File created C:\WINDOWS\tasksche.exe mssecsvr.exe File created C:\Windows\__tmp_rar_sfx_access_check_259436901 tasksche.exe File created C:\Windows\eee.exe tasksche.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language mssecsvr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language tasksche.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB024992-DF60-4BD3-9859-3CAA57D210B7}\WpadDecision = "0" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" mssecsvr.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-5d-69-46-0c-98 mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-5d-69-46-0c-98\WpadDecisionReason = "1" mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-5d-69-46-0c-98\WpadDecision = "0" mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix mssecsvr.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB024992-DF60-4BD3-9859-3CAA57D210B7}\WpadDecisionTime = c07c420dd70fdb01 mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections mssecsvr.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" mssecsvr.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-5d-69-46-0c-98\WpadDecisionTime = c07c420dd70fdb01 mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB024992-DF60-4BD3-9859-3CAA57D210B7}\02-5d-69-46-0c-98 mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad mssecsvr.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB024992-DF60-4BD3-9859-3CAA57D210B7} mssecsvr.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB024992-DF60-4BD3-9859-3CAA57D210B7}\WpadDecisionReason = "1" mssecsvr.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EB024992-DF60-4BD3-9859-3CAA57D210B7}\WpadNetworkName = "Network 3" mssecsvr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2712 tasksche.exe -
Suspicious use of WriteProcessMemory 18 IoCs
description pid Process procid_target PID 1272 wrote to memory of 2188 1272 rundll32.exe 30 PID 1272 wrote to memory of 2188 1272 rundll32.exe 30 PID 1272 wrote to memory of 2188 1272 rundll32.exe 30 PID 1272 wrote to memory of 2188 1272 rundll32.exe 30 PID 1272 wrote to memory of 2188 1272 rundll32.exe 30 PID 1272 wrote to memory of 2188 1272 rundll32.exe 30 PID 1272 wrote to memory of 2188 1272 rundll32.exe 30 PID 2188 wrote to memory of 2360 2188 rundll32.exe 31 PID 2188 wrote to memory of 2360 2188 rundll32.exe 31 PID 2188 wrote to memory of 2360 2188 rundll32.exe 31 PID 2188 wrote to memory of 2360 2188 rundll32.exe 31 PID 2360 wrote to memory of 2712 2360 mssecsvr.exe 33 PID 2360 wrote to memory of 2712 2360 mssecsvr.exe 33 PID 2360 wrote to memory of 2712 2360 mssecsvr.exe 33 PID 2360 wrote to memory of 2712 2360 mssecsvr.exe 33 PID 2360 wrote to memory of 2712 2360 mssecsvr.exe 33 PID 2360 wrote to memory of 2712 2360 mssecsvr.exe 33 PID 2360 wrote to memory of 2712 2360 mssecsvr.exe 33
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f7b1bd2aa9ce09a273243560db7bad8a_JaffaCakes118.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\f7b1bd2aa9ce09a273243560db7bad8a_JaffaCakes118.dll,#12⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe3⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:2712
-
-
-
-
C:\WINDOWS\mssecsvr.exeC:\WINDOWS\mssecsvr.exe -m security1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2184
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.0MB
MD5c4640e5a8a68c8aa313e8127a1d797ed
SHA13fa7396d3bf4a070f426a5ac2d3928cff2dc3eaf
SHA2563d5891d7cd3c675aa40d8671866375750385ad58bf75bfc386954c3aab4ea241
SHA5120a1b1057ff7dcdfee7f86142617b2ef230f53c964c9423c48e347dcf21c8a4186ed10d1dfe1a90cbde321adf4da51865205e47800d9e59d0c1dc8db76bd3ef1c
-
Filesize
2.2MB
MD5d61fdd87eaac262a8a77080ee54edb46
SHA1121b1edae817d516515080d8c06225f34b1fce04
SHA2562777e4e00f60f7fc101c3181c782a83ec306425ce7d9e72c6e42fde2a4247168
SHA5126c520701fb7eb28e9417507f9426f2dabbd624009df8dcfab8b624b13b8041a5b88ed62fb99321ebeb2fe8c35746e541d1b88f10597d384e58f4f1811dbb05ba