Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-06-2024 00:58
Static task: static1
Behavioral task: behavioral1
- Sample: ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe
- Size: 3.6MB
- MD5: ac537ffb911bf00bcbbe08ef0d197618
- SHA1: 8e8be8184ad024cb6c5f61d7d69bf6a4b74eb0be
- SHA256: bd5b6ffd91e3310ee4d0a22c00361c8dc3057995ca46ebeff8b82a673646323f
- SHA512: 72486360e50aed13fb995848b90af5593e4fcc0ba09cdf40f28d8dc965d925b05d1d19adab23173a2affe30b75450dab3fd689a0c34d8dd738040c7764147e6f
- SSDEEP: 98304:ZdPoBL1aRxcSUDk36SAEdhvxWa9P593R8:ZdPg1Cxcxk3ZAEUadzR8
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (3242) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (1 IoCs)
  Processes:
  pid: 1256, process: tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (1 IoCs)
  Processes:
  description: File created, ioc: C:\WINDOWS\tasksche.exe, process: ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe
- Program crash (2 IoCs)
  Processes:
  pid: 1464, pid_target: 1256, process: WerFault.exe, target process: tasksche.exe
  pid: 4540, pid_target: 1256, process: WerFault.exe, target process: tasksche.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description: PID 2440 wrote to memory of 1256, pid: 2440, process: ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe, target process: tasksche.exe
  description: PID 2440 wrote to memory of 1256, pid: 2440, process: ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe, target process: tasksche.exe
  description: PID 2440 wrote to memory of 1256, pid: 2440, process: ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe, target process: tasksche.exe
Processes
- "C:\Users\Admin\AppData\Local\Temp\ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe" (PID: 2440)
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - C:\WINDOWS\tasksche.exe /i (PID: 1256)
    - Executes dropped EXE
    - C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 220 (PID: 1464)
      - Program crash
    - C:\Windows\SysWOW64\WerFault.exe -u -p 1256 -s 224 (PID: 4540)
      - Program crash
- C:\Users\Admin\AppData\Local\Temp\ac537ffb911bf00bcbbe08ef0d197618_JaffaCakes118.exe -m security (PID: 968)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1256 -ip 1256 (PID: 1096)
- C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1256 -ip 1256 (PID: 4424)
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.4MB
  MD5: a8c73a47be650986b82913698cae202e
  SHA1: 2e54c7dc560751ea9eee2a96295f03992e7d7c65
  SHA256: 6b8ac7b7c7bc93edf4ed6a96bdcdbb372b1e873c16be0f8df2bf2eb8009210a4
  SHA512: 9290e7220bedefaaf6f135f7f2bd402802c3975d357acd94c3697ed2b96dc4eeeb30d391630aa4d541ea2eed13a027fc28f2e3dfba201c8338024d4e5f867d05