wannacry | b82a3bf3316df0fbd083b79291eebc6774ad6fd95cd8ce3852ab7800df0e019a

General

Target

60dff2345008f59be49d93a84a0e0b9d_JaffaCakes118.dll
Size

5.0MB
MD5

60dff2345008f59be49d93a84a0e0b9d
SHA1

0da7ed476a6ebb6f8191958c3368f06a65ec28d9
SHA256

b82a3bf3316df0fbd083b79291eebc6774ad6fd95cd8ce3852ab7800df0e019a
SHA512

6112d4963d009b9af83325a2f0f388b82a4fc462750885ee6c5e536cc493471d2bda10e1dc730e2df2ae823362cb7f0218457336472e5dbcbb4d63a2984b0d85
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhNREroVeiC9avc:+DqPoBhz1aRxcSUDk36SAEdhFeP

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3194) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
3004	mssecsvc.exe
3048	mssecsvc.exe
2724	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{66AAA448-8751-48C8-A475-36AD1E9C25A6}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{66AAA448-8751-48C8-A475-36AD1E9C25A6}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ee-0b-4f-68-e6	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0099000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{66AAA448-8751-48C8-A475-36AD1E9C25A6}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ee-0b-4f-68-e6\WpadDecisionTime = 80666677f5aada01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{66AAA448-8751-48C8-A475-36AD1E9C25A6}\32-ee-0b-4f-68-e6	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ee-0b-4f-68-e6\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-ee-0b-4f-68-e6\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{66AAA448-8751-48C8-A475-36AD1E9C25A6}\WpadDecisionTime = 80666677f5aada01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{66AAA448-8751-48C8-A475-36AD1E9C25A6}\WpadDecision = "0"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2852	2968	rundll32.exe	28
PID 2968 wrote to memory of 2852	2968	rundll32.exe	28
PID 2968 wrote to memory of 2852	2968	rundll32.exe	28
PID 2968 wrote to memory of 2852	2968	rundll32.exe	28
PID 2968 wrote to memory of 2852	2968	rundll32.exe	28
PID 2968 wrote to memory of 2852	2968	rundll32.exe	28
PID 2968 wrote to memory of 2852	2968	rundll32.exe	28
PID 2852 wrote to memory of 3004	2852	rundll32.exe	29
PID 2852 wrote to memory of 3004	2852	rundll32.exe	29
PID 2852 wrote to memory of 3004	2852	rundll32.exe	29
PID 2852 wrote to memory of 3004	2852	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\60dff2345008f59be49d93a84a0e0b9d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\60dff2345008f59be49d93a84a0e0b9d_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3004
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2724

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
3c82571e0ab3aa17efb8fce3fef5df7d

SHA1
e1e9b4bfb2fd00cd960b6c149dd2ecb07c995ed9

SHA256
c62bacc4507bb21fbfcfb0024ba471706906f65d2f5178699ac2d8da0de74e89

SHA512
dbc407336536126159e8e66dc9d04f1c823fd0c423fd8d16ff1b4dad2ed0b4ba7e13d555f26e1d2c3b040dd0e6448f065c52ce32be81bc3841a0f5b8cbb3307d

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
ae1a32d6d3cc75900702d74bebc95cc1

SHA1
fcc6d144365307cbc01ddbd5680aafb33bb43884

SHA256
c1b64c007a33c22b52488c11224d8b170cdfbe67fe2741c76bd272ae15a90e4d

SHA512
8face209838ecf9ae0bd896690d2313ff608355879fdd425f0aa336a9731c361380b0f6a0adc787ee81f8f52a414c2c23197d3461ac9a457ea9614df287bc4f9

Download Submit

Analysis

Sharing