Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
05-05-2024 04:22
Static task
static1
Behavioral task
behavioral1
Sample
15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe
Resource
win10v2004-20240419-en
General
-
Target
15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe
-
Size
3.6MB
-
MD5
15f52fa392a8b4b15b338aa77842624d
-
SHA1
918613244d6e0bd95c1f588b9797e1c40f69bcbf
-
SHA256
260dd2a52674913188e9ab661bec987c7f421fcb028aeacd6c20f7f2e2acaa30
-
SHA512
351ca5f6693c06087b3fac40fb96fdbb426dc9c552b0c3bfb9ab5c5d10c85099e9638a3cde7f7f12cdd25803610724751c4620753431f56b54e73194c1f08e4c
-
SSDEEP
49152:2nAQqMSPbcBVQej/1IiRdhnvxJM0H9PAMEcaEau3R8yAH1plAHI:yDqPoBhz1ZdhvxWa9P593R8yAVp2HI
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3273) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
Processes:
tasksche.exepid process 2472 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 1 IoCs
Processes:
15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exedescription ioc process File created C:\WINDOWS\tasksche.exe 15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" 15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" 15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" 15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" 15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
PID:1120 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:2472
-
C:\Users\Admin\AppData\Local\Temp\15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\15f52fa392a8b4b15b338aa77842624d_JaffaCakes118.exe -m security1⤵
- Modifies data under HKEY_USERS
PID:3160
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD59f7d4b1b8084f3d18e7975638bfcfad8
SHA192256ba34c7ed31735e8bf6b1fbd66fa07302ed1
SHA25671f0574932c7770f68a3e3968dbad0e75d7fad8f4f52fe2541485e9c70febcbb
SHA5124fbb4c1aca5340eaf16c3e95114d2b697966fd4f18d9c1d06c0b13180421863d6e5eaee5f0b23025b66c46da2da7f52a723528b5faf4a9316cd2da6b08bb441a