wannacry | db3fc98ce1e5cdcdccbf9a38ef80cbe981c6d4a1db8582f51af5c0e70e0cd412

General

Target

285de344496b980a31918cad9a86f137_JaffaCakes118.dll
Size

5.0MB
MD5

285de344496b980a31918cad9a86f137
SHA1

adab4a24cb035dbaf13893d5add1c3fe5c239ec9
SHA256

db3fc98ce1e5cdcdccbf9a38ef80cbe981c6d4a1db8582f51af5c0e70e0cd412
SHA512

95c4d44d7a181037916f4de6654a42bf8c8e3c3785982ad63b351d527a47ab6958be5e77d5ad9b0c019111767856fd7142a44249ce0e1af62bc576d2afe99dc7
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9a3R8yAVp2H:+DqPe1Cxcxk3ZAEUaKR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3313) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

1704 mssecsvc.exe
3004 mssecsvc.exe
2764 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
1704	mssecsvc.exe
3004	mssecsvc.exe
2764	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-1a-fd-5a-f5-aa	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AACA6ADA-B99B-4F86-BC86-AAD31733345E}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AACA6ADA-B99B-4F86-BC86-AAD31733345E}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-1a-fd-5a-f5-aa\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-1a-fd-5a-f5-aa\WpadDecisionTime = 0028ac5ecca1da01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-1a-fd-5a-f5-aa\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AACA6ADA-B99B-4F86-BC86-AAD31733345E}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AACA6ADA-B99B-4F86-BC86-AAD31733345E}\WpadDecisionTime = 0028ac5ecca1da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AACA6ADA-B99B-4F86-BC86-AAD31733345E}\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{AACA6ADA-B99B-4F86-BC86-AAD31733345E}\ee-1a-fd-5a-f5-aa	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 1740 wrote to memory of 1744	1740	rundll32.exe	rundll32.exe
PID 1740 wrote to memory of 1744	1740	rundll32.exe	rundll32.exe
PID 1740 wrote to memory of 1744	1740	rundll32.exe	rundll32.exe
PID 1740 wrote to memory of 1744	1740	rundll32.exe	rundll32.exe
PID 1740 wrote to memory of 1744	1740	rundll32.exe	rundll32.exe
PID 1740 wrote to memory of 1744	1740	rundll32.exe	rundll32.exe
PID 1740 wrote to memory of 1744	1740	rundll32.exe	rundll32.exe
PID 1744 wrote to memory of 1704	1744	rundll32.exe	mssecsvc.exe
PID 1744 wrote to memory of 1704	1744	rundll32.exe	mssecsvc.exe
PID 1744 wrote to memory of 1704	1744	rundll32.exe	mssecsvc.exe
PID 1744 wrote to memory of 1704	1744	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\285de344496b980a31918cad9a86f137_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\285de344496b980a31918cad9a86f137_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1744

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1704

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2764

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
cab3a0f4bffc2c1633161801fc460c88

SHA1
3a29eb71f099baee4df40f1dcbb22d295a7a1c4d

SHA256
a0c4e2f12e757b99bfcdf32d5565ac6565cad192e928039e099ea3c449163b8c

SHA512
f1c44a53d6451dde40d10cf9e57c0eb20b067dc692994ef805d3b91784b71eda108afda5c39670ca6d7057adf8124020d6329bf1570c5dd0a37394c40ea0ced5

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
d987c9e070a2d68dc4600bd2dba8cd73

SHA1
045958fd381435430ac74e9f8e5a1d2ab0eefa96

SHA256
50444f56abf32a732beeb910f2851cf74551317f2435ed87c15432d551952c0d

SHA512
c7e9637b70a36d053c68ddff15e478f3d12b7eb7bccb703986f91a26b0cabb70ed1ba27a553886e8d9e998ec98be55ad73f2ac97c92c745e633b7b0530d9c9cb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads