Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
29-05-2024 19:14
Static task
static1
Behavioral task
behavioral1
Sample
819bce176cd9633b54748e86f1cde30d_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
819bce176cd9633b54748e86f1cde30d_JaffaCakes118.exe
Resource
win10v2004-20240426-en
General
-
Target
819bce176cd9633b54748e86f1cde30d_JaffaCakes118.exe
-
Size
3.6MB
-
MD5
819bce176cd9633b54748e86f1cde30d
-
SHA1
ef957b1668edb1e6735dd278d3caeebfc22f18ea
-
SHA256
6db4ba167c72ba123533ca868601ee3014b8c25d256fdfa35094ed5c26c89511
-
SHA512
7348d3ff36a2e3df3d5b0d295e0e8f69114fc5d7c992d9c1bde15c2f6aa3b1bb4fcf6e51cfc3278cdc555231ef95dad7ed29861e512ef8f735e9fe7d3a6a3df3
-
SSDEEP
49152:VnjQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAg8E9LE:Z8qPoBhz1aRxcSUDk36SAjrA
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3167) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
Processes:
tasksche.exepid process 2024 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
Processes:
819bce176cd9633b54748e86f1cde30d_JaffaCakes118.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat 819bce176cd9633b54748e86f1cde30d_JaffaCakes118.exe -
Drops file in Windows directory 1 IoCs
Processes:
819bce176cd9633b54748e86f1cde30d_JaffaCakes118.exedescription ioc process File created C:\WINDOWS\tasksche.exe 819bce176cd9633b54748e86f1cde30d_JaffaCakes118.exe -
Modifies data under HKEY_USERS 1 IoCs
Processes:
819bce176cd9633b54748e86f1cde30d_JaffaCakes118.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 819bce176cd9633b54748e86f1cde30d_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\819bce176cd9633b54748e86f1cde30d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\819bce176cd9633b54748e86f1cde30d_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
PID:2352 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:2024
-
C:\Users\Admin\AppData\Local\Temp\819bce176cd9633b54748e86f1cde30d_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\819bce176cd9633b54748e86f1cde30d_JaffaCakes118.exe -m security1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1584
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\tasksche.exeFilesize
3.4MB
MD55ff7f89428ec9afede61c8dd1168c420
SHA144619fa82a78d80b229ddee4e5420b1107ee0679
SHA25661f8c69f073f72627928f5b7ce24d2611d895de7cde0199d4a1b259c32ccda78
SHA5128647ab8d986ead9b064ae644eb0968ee23fc324b8633c11b5e31758ce6a2ddefffbd5afd3b5d61bd25570ec8e3d6f06ebae12ae6e760830015be32fb52012678