Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
21-05-2024 12:11
Static task
static1
Behavioral task
behavioral1
Sample
633e28e3ca41fa61f18348c02d59d8e8_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
633e28e3ca41fa61f18348c02d59d8e8_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
633e28e3ca41fa61f18348c02d59d8e8_JaffaCakes118.exe
-
Size
3.6MB
-
MD5
633e28e3ca41fa61f18348c02d59d8e8
-
SHA1
d0941932099bdf0fe154fd296ca677c47d1bd209
-
SHA256
bfbec5d1fc71359963ded42f54ba402ce9abe56a4c1a377b5f3f3a474796d2a8
-
SHA512
acbcdad7bc9eac7f5f82a3c500e89b8e347bca94fab1fcaa727c02d1f9da715f8aba41797fd855b8c644a27e785fe50ac62cd4630b81ea9460322d6210092b6e
-
SSDEEP
49152:XnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9PAME:XDqPoBhz1aRxcSUDk36SAEdhvxWa9P5
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3374) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
Processes:
tasksche.exepid process 4984 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 1 IoCs
Processes:
633e28e3ca41fa61f18348c02d59d8e8_JaffaCakes118.exedescription ioc process File created C:\WINDOWS\tasksche.exe 633e28e3ca41fa61f18348c02d59d8e8_JaffaCakes118.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
633e28e3ca41fa61f18348c02d59d8e8_JaffaCakes118.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ 633e28e3ca41fa61f18348c02d59d8e8_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" 633e28e3ca41fa61f18348c02d59d8e8_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" 633e28e3ca41fa61f18348c02d59d8e8_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" 633e28e3ca41fa61f18348c02d59d8e8_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" 633e28e3ca41fa61f18348c02d59d8e8_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\633e28e3ca41fa61f18348c02d59d8e8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\633e28e3ca41fa61f18348c02d59d8e8_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
PID:3228 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:4984
-
C:\Users\Admin\AppData\Local\Temp\633e28e3ca41fa61f18348c02d59d8e8_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\633e28e3ca41fa61f18348c02d59d8e8_JaffaCakes118.exe -m security1⤵
- Modifies data under HKEY_USERS
PID:1440
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD5121c8f49acc089afc250a81c4c788c1e
SHA1efc0bd2c0aacaa8d143f0f85cffd0f595f0ea5ec
SHA256f6c62138bae3802a72e670a4eed8da129c2021a6a25b8d8b6339a14ebf4593f6
SHA512c1d49584f6fb86288e584d1c000dc39eebebd20fc7f73e51c01d06f8998c1d9b63df57ea600ddd05d35c8e3b7569042a258f5f1f9c9c1adadbfe8d8678d36fe0