Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-09-2024 04:30
Static task: static1
Behavioral task: behavioral1
Sample: ddad1a6c633749c303e38f23bc973209_JaffaCakes118.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: ddad1a6c633749c303e38f23bc973209_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: ddad1a6c633749c303e38f23bc973209_JaffaCakes118.exe
Size: 3.6MB
MD5: ddad1a6c633749c303e38f23bc973209
SHA1: 90314f35657f69c2c4dc1423d588feae98a15f35
SHA256: 5c202375f59f9f0329ff24275c699b7cd55253ceec0f81e63892f1a835d783fe
SHA512: e64a03d6ca1c09b4a823c02be2989fc03a850704c2f8eae50265eaaefa441bfc992253ad5dd78be5b528893f8b01435a11a012dcedf9d4c2a14302fa2e46c4cc
SSDEEP: 49152:2nAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H9P:yDqPoBhz1aRxcSUDk36SAEdhvxWa9P
Malware Config
Signatures
Wannacry
WannaCry is a ransomware cryptoworm.
Contacts a large (3252) amount of remote hosts (1 TTPs)
This may indicate a network scan to discover remotely running services.
Executes dropped EXE (1 IoCs)
pid | Process
4156 | tasksche.exe
Creates a large amount of network flows (1 TTPs)
This may indicate a network scan to discover remotely running services.
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\WINDOWS\tasksche.exe | ddad1a6c633749c303e38f23bc973209_JaffaCakes118.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ddad1a6c633749c303e38f23bc973209_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ddad1a6c633749c303e38f23bc973209_JaffaCakes118.exe
Modifies data under HKEY_USERS (5 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | ddad1a6c633749c303e38f23bc973209_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | ddad1a6c633749c303e38f23bc973209_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | ddad1a6c633749c303e38f23bc973209_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | ddad1a6c633749c303e38f23bc973209_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | ddad1a6c633749c303e38f23bc973209_JaffaCakes118.exe
Processes
C:\Users\Admin\AppData\Local\Temp\ddad1a6c633749c303e38f23bc973209_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ddad1a6c633749c303e38f23bc973209_JaffaCakes118.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID: 3816
  C:\WINDOWS\tasksche.exe (depth 2)
    Command line: C:\WINDOWS\tasksche.exe /i
    - Executes dropped EXE
    PID: 4156
C:\Users\Admin\AppData\Local\Temp\ddad1a6c633749c303e38f23bc973209_JaffaCakes118.exe (depth 1)
  Command line: C:\Users\Admin\AppData\Local\Temp\ddad1a6c633749c303e38f23bc973209_JaffaCakes118.exe -m security
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID: 3808
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.4MB
MD5: a64db71318b6bd3062f884fb312f7fc6
SHA1: edd7f6695fab29bf189a3c534ec2531556ee08b1
SHA256: 48c7250b7afa87772e16cad39a0f32c81711d104dadedd5be849220a1045a808
SHA512: ff551f9741190dd31c58d2b55092289f726fe0b29cab0094b537ec0e5ae484bb89250e5ccf4c171350bab9c106dccd5fa00316a86b2f6babfffcc9c85b73e62b