wannacry | 4bb313325698fce9584a2c25c2747d8b2e2874c0688236e40f2c4822223a4ed2

General

Target

363d9a90f25c0e433ae694a043a04f3f_JaffaCakes118.dll
Size

5.0MB
MD5

363d9a90f25c0e433ae694a043a04f3f
SHA1

7d466d2cf69edd7a716e16819f28443fd26ec2ff
SHA256

4bb313325698fce9584a2c25c2747d8b2e2874c0688236e40f2c4822223a4ed2
SHA512

7608bf473f785fca543c0f72e470e1dae0c1ffb9ab1a76d5e9623b88bd2b3611a845e16935f4188bba9c03c963a9b05e074d1520dc8afe955b2a1bb12e35fe35
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P5U:TDqPe1Cxcxk3ZAEUadK

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3316) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2300	mssecsvc.exe
2508	mssecsvc.exe
2684	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24F065EC-5017-4555-ACB1-4D99226B26DF}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24F065EC-5017-4555-ACB1-4D99226B26DF}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-4f-3c-78-ce-a7\WpadDecisionTime = e071cbf9dba3da01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-4f-3c-78-ce-a7\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24F065EC-5017-4555-ACB1-4D99226B26DF}\WpadDecisionTime = e071cbf9dba3da01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-4f-3c-78-ce-a7\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-4f-3c-78-ce-a7	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24F065EC-5017-4555-ACB1-4D99226B26DF}\76-4f-3c-78-ce-a7	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24F065EC-5017-4555-ACB1-4D99226B26DF}\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24F065EC-5017-4555-ACB1-4D99226B26DF}\WpadNetworkName = "Network 3"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2304	2240	rundll32.exe	28
PID 2240 wrote to memory of 2304	2240	rundll32.exe	28
PID 2240 wrote to memory of 2304	2240	rundll32.exe	28
PID 2240 wrote to memory of 2304	2240	rundll32.exe	28
PID 2240 wrote to memory of 2304	2240	rundll32.exe	28
PID 2240 wrote to memory of 2304	2240	rundll32.exe	28
PID 2240 wrote to memory of 2304	2240	rundll32.exe	28
PID 2304 wrote to memory of 2300	2304	rundll32.exe	29
PID 2304 wrote to memory of 2300	2304	rundll32.exe	29
PID 2304 wrote to memory of 2300	2304	rundll32.exe	29
PID 2304 wrote to memory of 2300	2304	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\363d9a90f25c0e433ae694a043a04f3f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\363d9a90f25c0e433ae694a043a04f3f_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2304
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2300
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2684

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
2fbc6b56724e1a453c7bfabd873a1ee9

SHA1
6e0b49548fc18e190fc555ce030a5ec178c9f896

SHA256
b48b17e84488bc93b5729322900a510e59e1c96cbae885691f318e3995d7ac39

SHA512
a6d008189eaa67272d9ffb3c5cc4eb48824e4fd465796b677e8edac8bd9932ecdf59f23d20ab582e73daa95c574bf202b6ad85313343b3b93180a9ea4d2f1fea

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
af47d64a9e11078bdf30165dce701869

SHA1
154d2667c3b1e148bd88c4b035d2e6fe0b4379db

SHA256
8018ff86d28d1480507b8fe82888f6dd202554fadf2d00fbf76111c73da1cb87

SHA512
4c0d4252967fc6100ab3dc22b04b967d3ab92f9e77f2c756c6445975f481584804af08e1318cce0e1d2bc601d350e44866746a5df534019c5ca3b565d51fab36

Download Submit

Analysis

Sharing