Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
20-05-2024 09:58
Static task
static1
Behavioral task
behavioral1
Sample
5e781fefc86fa5f2fd4b3ae7c91580fe_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
5e781fefc86fa5f2fd4b3ae7c91580fe_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
5e781fefc86fa5f2fd4b3ae7c91580fe_JaffaCakes118.exe
-
Size
3.6MB
-
MD5
5e781fefc86fa5f2fd4b3ae7c91580fe
-
SHA1
48a157453a05a5111aca1080d5c81f0f02f3ad24
-
SHA256
d33e350be030e5d3c3d8b060feffe359126dcc94a30d40b44ef2111f553f394b
-
SHA512
e5af4a0be12c466a62ddf379130e6dd062f6cfc3a0ae0119e84abab57674cbafc86a4988f93643edad5bf8d0036f0bb3fb7c62320b7bcd35f6fdf51d4e93d718
-
SSDEEP
49152:XnAQqMSPbcBVQej/1rRdhnvxJM0H9PAMEcaEau3R8yAH1plAHI:XDqPoBhz1FdhvxWa9P593R8yAVp2HI
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3296) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
Processes:
tasksche.exepid process 3404 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 1 IoCs
Processes:
5e781fefc86fa5f2fd4b3ae7c91580fe_JaffaCakes118.exedescription ioc process File created C:\WINDOWS\tasksche.exe 5e781fefc86fa5f2fd4b3ae7c91580fe_JaffaCakes118.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
5e781fefc86fa5f2fd4b3ae7c91580fe_JaffaCakes118.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" 5e781fefc86fa5f2fd4b3ae7c91580fe_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" 5e781fefc86fa5f2fd4b3ae7c91580fe_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 5e781fefc86fa5f2fd4b3ae7c91580fe_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" 5e781fefc86fa5f2fd4b3ae7c91580fe_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" 5e781fefc86fa5f2fd4b3ae7c91580fe_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\5e781fefc86fa5f2fd4b3ae7c91580fe_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\5e781fefc86fa5f2fd4b3ae7c91580fe_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
PID:1872 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:3404
-
C:\Users\Admin\AppData\Local\Temp\5e781fefc86fa5f2fd4b3ae7c91580fe_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\5e781fefc86fa5f2fd4b3ae7c91580fe_JaffaCakes118.exe -m security1⤵
- Modifies data under HKEY_USERS
PID:3064
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.4MB
MD564d1f7a14710ab97ea85b4e525dac6b0
SHA188d9102d09edb618769f5a2cccc655078a05ff8a
SHA256ef24f43e20a1c94cfc6d952f8e85378ac58e68f9128cc668d3ea73dd449c1da4
SHA512bcf0451f198bfe38328869b589b10800052916566cf2175c3d70deb3d26af27f50822e7f7554d02debcd6bb599768f40d17c87d4959b9ccfa16c33f1808a6d19