Analysis
-
max time kernel
150s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system -
submitted
14-06-2024 08:51
Static task
static1
Behavioral task
behavioral1
Sample
a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe
Resource
win10v2004-20240508-en
General
-
Target
a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe
-
Size
3.6MB
-
MD5
a8d171d612fecdd8c37170d839e99718
-
SHA1
3399123ce30203c83b1aae3f4bb474ab6581effb
-
SHA256
d725d718d3da4e96b78c5b1cdfa78c7216b9da09a86e2cfeb1db999fa7fdb15c
-
SHA512
b19487e74b1eb12bc3152396d692d51d23b031769d295bc2f573bacee99dd1020d13338df1a7d3144a49545d6933b517114875efe15ac13bb0dc683ac28badbe
-
SSDEEP
49152:XnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SA:XDqPoBhz1aRxcSUDk36SA
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (2685) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
Processes:
tasksche.exe
pid: 1592; process: tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in Windows directory 1 IoCs
Processes:
a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe
description: File created; ioc: C:\WINDOWS\tasksche.exe; process: a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe -
Modifies data under HKEY_USERS 5 IoCs
Processes:
a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe
description: Set value (int); ioc: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"; process: a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe
description: Set value (int); ioc: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"; process: a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe
description: Key created; ioc: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\; process: a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe
description: Set value (int); ioc: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"; process: a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe
description: Set value (int); ioc: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"; process: a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe" 1⤵
- Drops file in Windows directory
PID:2372 -
C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i 2⤵
- Executes dropped EXE
PID:1592
-
C:\Users\Admin\AppData\Local\Temp\a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\a8d171d612fecdd8c37170d839e99718_JaffaCakes118.exe -m security 1⤵
- Modifies data under HKEY_USERS
PID:1336
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
3.4MB
MD5
39f3bd9b3228bef7dde5b287a0a3e852
SHA1
d93a73f21e3a465617239d092fa1e15b0341c20a
SHA256
8f9245d26ffa7f87411575a8e60f021691e1a1fbe6ea584f685d365276995baf
SHA512
e91383329848abd8d4470ae5454fad12bca7fb5eab217254e8863036686e18b6d389f2bb3c6f5ca7a2f3a52e951440b4c0eca18b3bf6ccd78e5a545dc1b4804d