wannacry | 72b2b788e40b68c5ea70cf429de6acb1ad291fa5944836ff35648a29f8e40ec6

General

Target

717248d46d244e2ebf745fd204b86b61_JaffaCakes118.dll
Size

5.0MB
MD5

717248d46d244e2ebf745fd204b86b61
SHA1

4ebf72436f13f0e2e91d2b0f46d42190cdf46dca
SHA256

72b2b788e40b68c5ea70cf429de6acb1ad291fa5944836ff35648a29f8e40ec6
SHA512

e7a9f3ccdfbe38d03f96476b90018d6f7383764eba44ede40f485259a62d7ab9c058112dfd68e5cd676636596a7575891577a23a191c596aa5391333f8cf6b92
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAA:+DqPoBhz1aRxcSUDk36SA

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3228) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2888	mssecsvc.exe
2604	mssecsvc.exe
2536	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0063000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1CD6F84-3CFB-49EC-979E-717C6600C9B7}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1CD6F84-3CFB-49EC-979E-717C6600C9B7}\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-58-a8-72-07-57\WpadDecisionTime = 300222d280aeda01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1CD6F84-3CFB-49EC-979E-717C6600C9B7}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1CD6F84-3CFB-49EC-979E-717C6600C9B7}\WpadDecisionTime = 300222d280aeda01	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1CD6F84-3CFB-49EC-979E-717C6600C9B7}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{A1CD6F84-3CFB-49EC-979E-717C6600C9B7}\3a-58-a8-72-07-57	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-58-a8-72-07-57\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-58-a8-72-07-57\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\3a-58-a8-72-07-57	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 2012	1732	rundll32.exe	28
PID 1732 wrote to memory of 2012	1732	rundll32.exe	28
PID 1732 wrote to memory of 2012	1732	rundll32.exe	28
PID 1732 wrote to memory of 2012	1732	rundll32.exe	28
PID 1732 wrote to memory of 2012	1732	rundll32.exe	28
PID 1732 wrote to memory of 2012	1732	rundll32.exe	28
PID 1732 wrote to memory of 2012	1732	rundll32.exe	28
PID 2012 wrote to memory of 2888	2012	rundll32.exe	29
PID 2012 wrote to memory of 2888	2012	rundll32.exe	29
PID 2012 wrote to memory of 2888	2012	rundll32.exe	29
PID 2012 wrote to memory of 2888	2012	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\717248d46d244e2ebf745fd204b86b61_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\717248d46d244e2ebf745fd204b86b61_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2888
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2536

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
897ca0b501bf5b8df54c656acf6c9bcf

SHA1
2018fc805cf6affc4cab760647c721765558c833

SHA256
d11a71c96aca03a2cc7fe0ad81b7233621149d50575002e152dee2a89274c6b6

SHA512
b4a57fd29c1a33b21dde50defd7fffb95021d84cb0557680602bf155b2d48edf88925aa4aa24ea62adfbfdebcb7819b254c8a56b819f1cf8eb3c265250b8432b

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
a58747ac2efc0bb240802a949408edfe

SHA1
3df64545a5323af04b49e833eefc480818f6d8c8

SHA256
f1a9f1a237c087e10594a8d1fff87c05849fa2b73571f71012ee35317ba8b7c3

SHA512
b6218892aaa65bf8ed86be5603735b0e197c838af25daf71951c4c890ec8567d174af719ded71c6c6f164310388873fd24aaa3c140a44e56bd54b8be65931715

Download Submit

Analysis

Sharing