Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
14-09-2024 17:18
Static task
static1
Behavioral task
behavioral1
Sample
e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General
-
Target
e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe
-
Size
3.6MB
-
MD5
e0a7b82f291e40469a9ebd046ef65a1c
-
SHA1
ecdb4f1d9fdf14362993ee2c2bad74cf23e51f32
-
SHA256
34c8d6cdbde0cda9286ccdacef9a3f742fb4b75a18b41f62d3f7025cf46f9a66
-
SHA512
81e64bd4c98989b11963514bbd9386339f28df4685c340d54f26c150008eb8f3c3f36a0a5a1846bc07854fa3ca722e9def4dd6f41cbe005faa1d56bd438f1349
-
SSDEEP
98304:XDqPoBhPxcSUDk36SAEdhvxWa9P593R8yAVp2HI:XDqPmxcxk3ZAEUadzR8yc4HI
Malware Config
Signatures
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Contacts a large (3285) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Executes dropped EXE 1 IoCs
pid Process 2296 tasksche.exe -
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Drops file in System32 directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\WINDOWS\tasksche.exe e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe -
Modifies data under HKEY_USERS 24 IoCs
description ioc Process Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-cb-ae-0f-6b-d7\WpadDecisionReason = "1" e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-cb-ae-0f-6b-d7\WpadDecisionTime = 00818b27ca06db01 e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE086C78-767A-4CFD-B262-ADE8BDF94FAF}\WpadDecision = "0" e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-cb-ae-0f-6b-d7 e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE086C78-767A-4CFD-B262-ADE8BDF94FAF}\WpadDecisionTime = 00818b27ca06db01 e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE086C78-767A-4CFD-B262-ADE8BDF94FAF}\WpadNetworkName = "Network 3" e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE086C78-767A-4CFD-B262-ADE8BDF94FAF}\02-cb-ae-0f-6b-d7 e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-cb-ae-0f-6b-d7\WpadDecision = "0" e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE086C78-767A-4CFD-B262-ADE8BDF94FAF} e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0198000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{EE086C78-767A-4CFD-B262-ADE8BDF94FAF}\WpadDecisionReason = "1" e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2944 -
C:\WINDOWS\tasksche.exeC:\WINDOWS\tasksche.exe /i2⤵
- Executes dropped EXE
PID:2296
-
-
C:\Users\Admin\AppData\Local\Temp\e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exeC:\Users\Admin\AppData\Local\Temp\e0a7b82f291e40469a9ebd046ef65a1c_JaffaCakes118.exe -m security1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:1916
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.4MB
MD5b565bb7103736c6ac690b7e5203648d4
SHA17e17b32808e4c321ce4de6539e13a0af31938650
SHA256ead0d29f07b0a1c1c7aba30eb2ba666d7b79603e33c1eb1cace81e88dda8f493
SHA512cbd5cc16ca6985fa263195cda3857f5feec4940a84bebbb889bda4e00d4d64f46881e9895789717e92e0e2621c4f46336c24749863dac5de821f3ea135faeee6