wannacry | 8a194df66c613bbee35aad257f2e99877417bc162e2db05bd6b05e5db10fe046

General

Target

3324dfb0a132ac79465a5e94549872f7_JaffaCakes118.dll
Size

5.0MB
MD5

3324dfb0a132ac79465a5e94549872f7
SHA1

259e5a0e5d2eead2be8324bf85f9125e1ff2e4fe
SHA256

8a194df66c613bbee35aad257f2e99877417bc162e2db05bd6b05e5db10fe046
SHA512

3388f9b9171b86fefbb275efdcf8e9c2dfdb2c9204a0a72c982fc93166b36937d830d7aaaf282358124ad4d592d05377994b8a35660da9fc968414a33c0f6313
SSDEEP

49152:znAQqMSPbcBVQej/1INRx+TSqTdX1HkQ9xJM0H9PAMEcaEau3R8yAH:TDqPoBhz1aRxcSUDkoxWa9P593R8yA

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3170) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2852 mssecsvc.exe
2992 mssecsvc.exe
2672 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2852	mssecsvc.exe
2992	mssecsvc.exe
2672	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{538A1772-9A21-4811-ADC0-CA5DB3AADECE}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{538A1772-9A21-4811-ADC0-CA5DB3AADECE}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{538A1772-9A21-4811-ADC0-CA5DB3AADECE}\WpadDecisionTime = 30205d906aa3da01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{538A1772-9A21-4811-ADC0-CA5DB3AADECE}\ea-15-74-59-24-34	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-15-74-59-24-34\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-15-74-59-24-34\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00ea000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{538A1772-9A21-4811-ADC0-CA5DB3AADECE}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{538A1772-9A21-4811-ADC0-CA5DB3AADECE}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-15-74-59-24-34	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-15-74-59-24-34\WpadDecisionTime = 30205d906aa3da01	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2024 wrote to memory of 2848	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 2848	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 2848	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 2848	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 2848	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 2848	2024	rundll32.exe	rundll32.exe
PID 2024 wrote to memory of 2848	2024	rundll32.exe	rundll32.exe
PID 2848 wrote to memory of 2852	2848	rundll32.exe	mssecsvc.exe
PID 2848 wrote to memory of 2852	2848	rundll32.exe	mssecsvc.exe
PID 2848 wrote to memory of 2852	2848	rundll32.exe	mssecsvc.exe
PID 2848 wrote to memory of 2852	2848	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3324dfb0a132ac79465a5e94549872f7_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3324dfb0a132ac79465a5e94549872f7_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2848

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2852

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2672

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
d520cf599781ec77c550e53cec818a45

SHA1
d0262d4ad930dd0939d3f9e44ddcba7e0e507bfe

SHA256
c8c0637b4aff71044bc6e3769debdc790e1a0e00c8c2da1882048069f05a33dc

SHA512
3386aa0bf0bd5997cdfd6edb1a90d033ce960a3e64c2b1a8759ddcc012dd737ec336d688b1adbf5d58e39aa7b9a9df9a8ed426da04634022831b437e038b3cca

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
094012c76f0f3f02aef8748609d58410

SHA1
54c6e0df4e8852a0d868b26443ae3b67609b1cfd

SHA256
cb2d302c585496bc9884dec2af98f363fa59c3bd87ad26edd649b2a04d1c6ee1

SHA512
780a3173004fe063d6f1ce30dc620faec32f8048ec32db78adf9c4af4b72238ec84db912f5272a91a1122d066868bb873cb43c816a3fe9d4e0545962067f0bd7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads