wannacry | b135b00a2fe9760f67568a7d7042448131cfb1d68d0623da3e63d08639acc8d7

General

Target

2f0c3e5447dda6358a9aed014419101f_JaffaCakes118.dll
Size

5.0MB
MD5

2f0c3e5447dda6358a9aed014419101f
SHA1

731d4f6869ab6911325f06dea14792a1b110e65b
SHA256

b135b00a2fe9760f67568a7d7042448131cfb1d68d0623da3e63d08639acc8d7
SHA512

de878ab90c071f57fa79d8e7f4d818007b7cb5012b6884104dd40e236d697806034048a284c4b29f01706f5a289d9de90ef276ce236c1f7313330c6c963c28cc
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593:TDqPe1Cxcxk3ZAEUadz

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3310) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2844	mssecsvc.exe
1564	mssecsvc.exe
2812	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionTime = a05192ddd3a2da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\6a-4f-8d-4b-10-6b	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-4f-8d-4b-10-6b\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-4f-8d-4b-10-6b\WpadDecisionTime = a05192ddd3a2da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-4f-8d-4b-10-6b	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D75FC59A-6236-4B08-8390-60468DF3EDBE}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\6a-4f-8d-4b-10-6b\WpadDecisionReason = "1"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2836	2684	rundll32.exe	28
PID 2684 wrote to memory of 2836	2684	rundll32.exe	28
PID 2684 wrote to memory of 2836	2684	rundll32.exe	28
PID 2684 wrote to memory of 2836	2684	rundll32.exe	28
PID 2684 wrote to memory of 2836	2684	rundll32.exe	28
PID 2684 wrote to memory of 2836	2684	rundll32.exe	28
PID 2684 wrote to memory of 2836	2684	rundll32.exe	28
PID 2836 wrote to memory of 2844	2836	rundll32.exe	29
PID 2836 wrote to memory of 2844	2836	rundll32.exe	29
PID 2836 wrote to memory of 2844	2836	rundll32.exe	29
PID 2836 wrote to memory of 2844	2836	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f0c3e5447dda6358a9aed014419101f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\2f0c3e5447dda6358a9aed014419101f_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2844
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2812

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
ab4a6a12d1cf1fa709169bc8ba745ec3

SHA1
31d613941c3c423f84b0f4a42b5d9dceff48de80

SHA256
1d38146bb62ba9cd712e2e2b1270c3aa8b9b058e47ca5ea2676180bece29720d

SHA512
52f04f11024c342a26d387399f952d0a48806696fe48907c7a5e1382ebe5a06853f04238fff10e6533578df1d1c4a28d369d3cf273e3c392ca87ca32b224629a

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
51a89ab5f525c835119150ccf1941d63

SHA1
750308a2b4de02c48a8011e79831da0a0d8220ac

SHA256
fccecb609c53bf496d6ea5ce5a0b71ac8b44cd79d18542f34c3c2e9ff373c52d

SHA512
ef510528aef360c79bfd1965a124c8b33bae15103e6aed4b8971005a99994fcb341f4c3b291c4580e7895171afdf3255f4a54094dfcd468cc3b8a9d34dc0fd75

Download Submit

Analysis

Sharing