wannacry | 4ed2422034a1b74cb728920571ae0fe52109863368be4de517263f74a21f5d8b

General

Target

5c2cb2ac661a725bde2b353f2406838c_JaffaCakes118.dll
Size

5.0MB
MD5

5c2cb2ac661a725bde2b353f2406838c
SHA1

98379ddd309db80a3486affda219f674a4f1c539
SHA256

4ed2422034a1b74cb728920571ae0fe52109863368be4de517263f74a21f5d8b
SHA512

19f0ecbdbaed1f12f0254462dfdf28ffa8e12173de86cd2a01dc6b6da99a144ef734a103248e58f53df7837d5275f939225c09923b3bcf4bd7a490dcd3aa0214
SSDEEP

49152:znAQqMSPbcBVQpEj/1INRx+TSqTdX1HkQo6SAA:TDqPoBlz1aRxcSUDk36SA

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3312) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
1848	mssecsvc.exe
2128	mssecsvc.exe
2992	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1E32F756-9171-4B79-A0C4-3FDE422D6207}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1E32F756-9171-4B79-A0C4-3FDE422D6207}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1E32F756-9171-4B79-A0C4-3FDE422D6207}\WpadDecisionTime = 0064b52049aada01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1E32F756-9171-4B79-A0C4-3FDE422D6207}\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1E32F756-9171-4B79-A0C4-3FDE422D6207}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-5e-aa-1d-91-fd\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0096000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-5e-aa-1d-91-fd	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{1E32F756-9171-4B79-A0C4-3FDE422D6207}\66-5e-aa-1d-91-fd	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-5e-aa-1d-91-fd\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\66-5e-aa-1d-91-fd\WpadDecisionTime = 0064b52049aada01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2260	2840	rundll32.exe	28
PID 2840 wrote to memory of 2260	2840	rundll32.exe	28
PID 2840 wrote to memory of 2260	2840	rundll32.exe	28
PID 2840 wrote to memory of 2260	2840	rundll32.exe	28
PID 2840 wrote to memory of 2260	2840	rundll32.exe	28
PID 2840 wrote to memory of 2260	2840	rundll32.exe	28
PID 2840 wrote to memory of 2260	2840	rundll32.exe	28
PID 2260 wrote to memory of 1848	2260	rundll32.exe	29
PID 2260 wrote to memory of 1848	2260	rundll32.exe	29
PID 2260 wrote to memory of 1848	2260	rundll32.exe	29
PID 2260 wrote to memory of 1848	2260	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c2cb2ac661a725bde2b353f2406838c_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\5c2cb2ac661a725bde2b353f2406838c_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1848
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2992

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
915f59c8e91eb616c221297924124d75

SHA1
f58808aada2bf6b8f46f75c40ae75b186b43ab68

SHA256
69e1de2bad3240b793611288b643c943b1cf739cce9a7606608b081e95d9cc49

SHA512
621ed69fb01a721ee16187c14216ea9bce4130a62aee9ecae86e7c38ec683824bca8995e311dca86048fdb72f4a8ebed23dc5bc8e786681fe368877bc80c3683

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
049324889108aa745285a14388c042aa

SHA1
37d16374cd1832e843627894f958f1907b17dc98

SHA256
b9d86611783d6d5312869a3ebe37abe645a64edb744b25a94b353b1024e9ef0a

SHA512
6b3dbf9551ebc874a51e623774626ab40241b9264b1b328e3fa00c9107dd0914d9127a7218eb8a051dd072206636e708def70245b462a0cdaad50ed64534b00a

Download Submit

Analysis

Sharing