Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2024 11:08
Static task: static1
Behavioral task: behavioral1
- Sample: ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
- Resource: win10v2004-20240508-en
General
- Target: ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
- Size: 3.6MB
- MD5: ae21b6f5956755d9f9ac2fbc72ced294
- SHA1: 5ec07870be0a5c3fe1940464d8710f44f75141ee
- SHA256: 230858b67d4a306017342b47310c447d9eb5a02e6284b39b3603ab31b7a65966
- SHA512: eb90d26a1e29d5b12bac54a09c47f630b29ec39d66b14f1fe5e191453be4fcd9e438e6b7a1b1e3378a28a1b4d7f6ff6489acfcc3c0a1cbb7cfeee456a0090b97
- SSDEEP: 49152:2nAQqMyoueyYXIUeUNPLiD0iC7L1JXTXeVAMgBt3:yDq6TD31Nhj3
Malware Config
Signatures
- Wannacry: WannaCry is a ransomware cryptoworm.
- Contacts a large (3217) amount of remote hosts (1 TTPs): This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (1 IoCs)
  - Process: tasksche.exe, PID 2656
- Creates a large amount of network flows (1 TTPs): This may indicate a network scan to discover remotely running services.
- Drops file in System32 directory (1 IoCs)
  - Process: ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat
- Drops file in Windows directory (1 IoCs)
  - Process: ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
  - File created: C:\WINDOWS\tasksche.exe
- Modifies data under HKEY_USERS (24 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe"
  PID: 2016
  - Drops file in Windows directory
  - C:\WINDOWS\tasksche.exe
    Command line: C:\WINDOWS\tasksche.exe /i
    PID: 2656
    - Executes dropped EXE
- C:\Users\Admin\AppData\Local\Temp\ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe -m security
  PID: 2988
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.4MB
- MD5: 46685152460e8e36f651662b907c1f38
- SHA1: ece550eb7c419fda0b990b4c7fdb851af37e6479
- SHA256: 1b55ca664559e0aeb8fd1a40a3edfccd2a93a1d2edbf31cbeeb9a8d5b00f20da
- SHA512: ca935d204afb041d392aef91ee1f5cf481b005c4e7dc6a6accbb2db7a61183e017d3f870641ca74c769dc2467f065e57eb7ed534cabde0d5c0b6863b25ffb441