wannacry | daa469ee01ce0c1e71c935b8164be2330755c142883557aa7085ab5cfad45db1

General

Target

181a683c5ce41674aace27b613d9d14d_JaffaCakes118.dll
Size

5.0MB
MD5

181a683c5ce41674aace27b613d9d14d
SHA1

ba09966ab49ddecdb390fadeb63a0d8c58df96e2
SHA256

daa469ee01ce0c1e71c935b8164be2330755c142883557aa7085ab5cfad45db1
SHA512

29aa9be807dcc8ce4303823c58ae18e8810469f1ea06184ad8385452058c7b9d67bc88a8544595785706c47d7c29d2b7b0cf203cabe6cec3819ef585d83f8014
SSDEEP

49152:SnAQqMSPbcBVzx+TSqTdGvxJM0H9PAMEcaEau3R8yAH1plAH:+DqPoB9xcSUYxWa9P593R8yAVp2H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3193) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
1616	mssecsvc.exe
2616	mssecsvc.exe
2416	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7C858C43-4292-41AA-99F4-32E1CDB91BFF}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7C858C43-4292-41AA-99F4-32E1CDB91BFF}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00e6000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7C858C43-4292-41AA-99F4-32E1CDB91BFF}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7C858C43-4292-41AA-99F4-32E1CDB91BFF}\WpadDecisionTime = f022909df89eda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7C858C43-4292-41AA-99F4-32E1CDB91BFF}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{7C858C43-4292-41AA-99F4-32E1CDB91BFF}\66-55-12-58-29-b7	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-55-12-58-29-b7\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-55-12-58-29-b7\WpadDecisionTime = f022909df89eda01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-55-12-58-29-b7	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-55-12-58-29-b7\WpadDecisionReason = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2276	2188	rundll32.exe	28
PID 2188 wrote to memory of 2276	2188	rundll32.exe	28
PID 2188 wrote to memory of 2276	2188	rundll32.exe	28
PID 2188 wrote to memory of 2276	2188	rundll32.exe	28
PID 2188 wrote to memory of 2276	2188	rundll32.exe	28
PID 2188 wrote to memory of 2276	2188	rundll32.exe	28
PID 2188 wrote to memory of 2276	2188	rundll32.exe	28
PID 2276 wrote to memory of 1616	2276	rundll32.exe	29
PID 2276 wrote to memory of 1616	2276	rundll32.exe	29
PID 2276 wrote to memory of 1616	2276	rundll32.exe	29
PID 2276 wrote to memory of 1616	2276	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\181a683c5ce41674aace27b613d9d14d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\181a683c5ce41674aace27b613d9d14d_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1616
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2416

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
46d0b75f34bcebac87e8253b47554bbf

SHA1
7764a10f576a012dedf2291275bb8d2ace59e6e9

SHA256
ace286e51329bd1d8f7099f3dd5171a0685eb92079de8d866f701a01f6953876

SHA512
10a409eff5cc2f9ac39624440cfd9ab828273995d3b8719daa989e48a3829e50b168282cfc8742b480ecbc6b78c46ecafec5be233c4bdfca318fa53c34360188

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
5ba23a006465b92f4379b923024651bb

SHA1
b99403229ebd94972f5e9dd78b8f91f6b342b92d

SHA256
5c641c9a2ebed6b8fefe7e3daa8ab43076d4b8e7d8f1379115759a285f9ccae9

SHA512
5f7bc0d6b0c0f465af226b867b0b4ab72d84905303b67b3aabbca9cfa7fe7774a99473a00129de6f015ab18c9e5c21259c20640c34507a459ef50695d11cf971

Download Submit

Analysis

Sharing