Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2024 00:58
Static task: static1
Behavioral task: behavioral1
- Sample: ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe
- Size: 3.6MB
- MD5: ac537ffb911bf00bcbbe08ef0d197618
- SHA1: 8e8be8184ad024cb6c5f61d7d69bf6a4b74eb0be
- SHA256: bd5b6ffd91e3310ee4d0a22c00361c8dc3057995ca46ebeff8b82a673646323f
- SHA512: 72486360e50aed13fb995848b90af5593e4fcc0ba09cdf40f28d8dc965d925b05d1d19adab23173a2affe30b75450dab3fd689a0c34d8dd738040c7764147e6f
- SSDEEP: 98304:ZdPoBL1aRxcSUDk36SAEdhvxWa9P593R8:ZdPg1Cxcxk3ZAEUadzR8
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large number (3282) of remote hosts (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    2160 | tasksche.exe
- Creates a large number of network flows (1 TTP)
  This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoC)
  Processes (description | ioc | process):
    File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe
- Drops file in Windows directory (1 IoC)
  Processes (description | ioc | process):
    File created | C:\WINDOWS\tasksche.exe | ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe
- Program crash (1 IoC)
  Processes (pid | pid_target | process | target process):
    2688 | 2160 | WerFault.exe | tasksche.exe
- Modifies data under HKEY_USERS (1 IoC)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
    PID 1700 wrote to memory of 2160 | 1700 | ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe | tasksche.exe
    PID 1700 wrote to memory of 2160 | 1700 | ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe | tasksche.exe
    PID 1700 wrote to memory of 2160 | 1700 | ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe | tasksche.exe
    PID 1700 wrote to memory of 2160 | 1700 | ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe | tasksche.exe
    PID 2160 wrote to memory of 2688 | 2160 | tasksche.exe | WerFault.exe
    PID 2160 wrote to memory of 2688 | 2160 | tasksche.exe | WerFault.exe
    PID 2160 wrote to memory of 2688 | 2160 | tasksche.exe | WerFault.exe
    PID 2160 wrote to memory of 2688 | 2160 | tasksche.exe | WerFault.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe"
  PID: 1700
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\WINDOWS\tasksche.exe
    Command line: C:\WINDOWS\tasksche.exe /i
    PID: 2160
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 36
      PID: 2688
      - Program crash
- C:\Users\Admin\AppData\Local\Temp\ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe -m security
  PID: 2428
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.4MB
  MD5: a8c73a47be650986b82913698cae202e
  SHA1: 2e54c7dc560751ea9eee2a96295f03992e7d7c65
  SHA256: 6b8ac7b7c7bc93edf4ed6a96bdcdbb372b1e873c16be0f8df2bf2eb8009210a4
  SHA512: 9290e7220bedefaaf6f135f7f2bd402802c3975d357acd94c3697ed2b96dc4eeeb30d391630aa4d541ea2eed13a027fc28f2e3dfba201c8338024d4e5f867d05