Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-09-2024 17:18

General

  • Target

    e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe

  • Size

    3.6MB

  • MD5

    e0a7b82f291e40469a9ebd046ef65a1c

  • SHA1

    ecdb4f1d9fdf14362993ee2c2bad74cf23e51f32

  • SHA256

    34c8d6cdbde0cda9286ccdacef9a3f742fb4b75a18b41f62d3f7025cf46f9a66

  • SHA512

    81e64bd4c98989b11963514bbd9386339f28df4685c340d54f26c150008eb8f3c3f36a0a5a1846bc07854fa3ca722e9def4dd6f41cbe005faa1d56bd438f1349

  • SSDEEP

    98304:XDqPoBhPxcSUDk36SAEdhvxWa9P593R8yAVp2HI:XDqPmxcxk3ZAEUadzR8yc4HI

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

  • Contacts a large (3285) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Executes dropped EXE 1 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:2944
    • C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      2⤵
      • Executes dropped EXE
      PID:2296
  • C:\Users\Admin\AppData\Local\Temp\e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe -m security
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Modifies data under HKEY_USERS
    PID:1916

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\tasksche.exe

    Filesize

    3.4MB

    MD5

    b565bb7103736c6ac690b7e5203648d4

    SHA1

    7e17b32808e4c321ce4de6539e13a0af31938650

    SHA256

    ead0d29f07b0a1c1c7aba30eb2ba666d7b79603e33c1eb1cace81e88dda8f493

    SHA512

    cbd5cc16ca6985fa263195cda3857f5feec4940a84bebbb889bda4e00d4d64f46881e9895789717e92e0e2621c4f46336c24749863dac5de821f3ea135faeee6