Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
19-05-2024 19:17
Static task
static1
Behavioral task
behavioral1
Sample
5b06b90c8f176f10c43cab56c7655103_JaffaCakes118.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
5b06b90c8f176f10c43cab56c7655103_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
5b06b90c8f176f10c43cab56c7655103_JaffaCakes118.exe
-
Size
3.6MB
-
MD5
5b06b90c8f176f10c43cab56c7655103
-
SHA1
f80d625a23a42781c540ae64e2aa27ab20bbe5de
-
SHA256
52e35751cedb7e980197ac0e2a8759d3292e45b2e800443cf5d9b0b96ececd9b
-
SHA512
8fdee1742d46eca6f8683811f4e447ecc314f74363ba0e4629975c3ad0b4e01daab2df9f16ddf7cde8f2a712d735a276f0dc4077bc148cef476b3f1b94bb65ea
-
SSDEEP
98304:yDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2J:yDqPe1Cxcxk3ZAEUadzR8yc4J
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3320) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
Processes:
tasksche.exepid process 1172 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 1 IoCs
Processes:
5b06b90c8f176f10c43cab56c7655103_JaffaCakes118.exedescription ioc process File created C:\WINDOWS\tasksche.exe 5b06b90c8f176f10c43cab56c7655103_JaffaCakes118.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
5b06b90c8f176f10c43cab56c7655103_JaffaCakes118.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 5b06b90c8f176f10c43cab56c7655103_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" 5b06b90c8f176f10c43cab56c7655103_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" 5b06b90c8f176f10c43cab56c7655103_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" 5b06b90c8f176f10c43cab56c7655103_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" 5b06b90c8f176f10c43cab56c7655103_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b06b90c8f176f10c43cab56c7655103_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5b06b90c8f176f10c43cab56c7655103_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
PID:2484 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:1172
-
C:\Users\Admin\AppData\Local\Temp\5b06b90c8f176f10c43cab56c7655103_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\5b06b90c8f176f10c43cab56c7655103_JaffaCakes118.exe -m security1⤵
- Modifies data under HKEY_USERS
PID:5012
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.4MB
MD538bf964535a0eae632c4e376277a9e44
SHA13367d46ff2b588cf3e9d80804e67ffb4f21d63f5
SHA256898a50905dc18c71006943e4eebdc06272d9479f414b34c945a0e5457a2a1a1e
SHA5123d8511b7e8b76a736edbe0a4308e0ead45425da89e33f550538e9f57c78c7178e444198798103d997a0c418483e8546d3830af49fc18f743e5d4e43615c65266