Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 15-06-2024 11:08
Static task: static1
Behavioral task: behavioral1
  Sample: ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General
Target: ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
Size: 3.6MB
MD5: ae21b6f5956755d9f9ac2fbc72ced294
SHA1: 5ec07870be0a5c3fe1940464d8710f44f75141ee
SHA256: 230858b67d4a306017342b47310c447d9eb5a02e6284b39b3603ab31b7a65966
SHA512: eb90d26a1e29d5b12bac54a09c47f630b29ec39d66b14f1fe5e191453be4fcd9e438e6b7a1b1e3378a28a1b4d7f6ff6489acfcc3c0a1cbb7cfeee456a0090b97
SSDEEP: 49152:2nAQqMyoueyYXIUeUNPLiD0iC7L1JXTXeVAMgBt3:yDq6TD31Nhj3
Malware Config
Signatures
- Wannacry
  WannaCry is a ransomware cryptoworm.
- Contacts a large (2699) amount of remote hosts (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Executes dropped EXE (1 IoCs)
  Processes: tasksche.exe
  pid | process
  2072 | tasksche.exe
- Creates a large amount of network flows (1 TTPs)
  This may indicate a network scan to discover remotely running services.
- Drops file in Windows directory (1 IoCs)
  Processes: ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
  description | ioc | process
  File created | C:\WINDOWS\tasksche.exe | ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
- Modifies data under HKEY_USERS (5 IoCs)
  Processes: ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
  description | ioc | process
  Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe"
  - Drops file in Windows directory
  PID:968
  - C:\WINDOWS\tasksche.exe
    C:\WINDOWS\tasksche.exe /i
    - Executes dropped EXE
    PID:2072
- C:\Users\Admin\AppData\Local\Temp\ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\ae21b6f5956755d9f9ac2fbc72ced294_JaffaCakes118.exe -m security
  - Modifies data under HKEY_USERS
  PID:1088
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.4MB
MD5: 46685152460e8e36f651662b907c1f38
SHA1: ece550eb7c419fda0b990b4c7fdb851af37e6479
SHA256: 1b55ca664559e0aeb8fd1a40a3edfccd2a93a1d2edbf31cbeeb9a8d5b00f20da
SHA512: ca935d204afb041d392aef91ee1f5cf481b005c4e7dc6a6accbb2db7a61183e017d3f870641ca74c769dc2467f065e57eb7ed534cabde0d5c0b6863b25ffb441