wannacry | 5ca8b9ac8b109abd234db6368154665e437049bfdc992c3c80618927a85480e9

General

Target

8c71fa95241242f37fbb5aacc7bb8b1d_JaffaCakes118.dll
Size

5.0MB
MD5

8c71fa95241242f37fbb5aacc7bb8b1d
SHA1

ef18845b9b8f0c4ff4d2a3c784651443ba120ab3
SHA256

5ca8b9ac8b109abd234db6368154665e437049bfdc992c3c80618927a85480e9
SHA512

36d34ad3df52cc3911112d5be248d264a204a1b8c01427e98d8d2f698347c5bdc63e1efad1a86a9108bf280762260bcc09542a6093efdbf339b38c467227c754
SSDEEP

24576:zbLgddQhfdmMSirYbcMNgef0QeQjG/D8kI29PO6lt/8uME71NZtA0p+9XEk:znAQqMSPbcBVQej/N9R3RhlAH

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3237) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2260 mssecsvc.exe
2568 mssecsvc.exe
2448 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2260	mssecsvc.exe
2568	mssecsvc.exe
2448	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\5a-7a-5e-ac-ac-3b	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-7a-5e-ac-ac-3b\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-7a-5e-ac-ac-3b\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-7a-5e-ac-ac-3b\WpadDecisionTime = b0ffde7c8bb4da01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0087000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\WpadDecisionTime = b0ffde7c8bb4da01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\5a-7a-5e-ac-ac-3b	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9E57EC75-B56B-4995-B918-352C2AE90148}\WpadNetworkName = "Network 3"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3024 wrote to memory of 3040	3024	rundll32.exe	rundll32.exe
PID 3024 wrote to memory of 3040	3024	rundll32.exe	rundll32.exe
PID 3024 wrote to memory of 3040	3024	rundll32.exe	rundll32.exe
PID 3024 wrote to memory of 3040	3024	rundll32.exe	rundll32.exe
PID 3024 wrote to memory of 3040	3024	rundll32.exe	rundll32.exe
PID 3024 wrote to memory of 3040	3024	rundll32.exe	rundll32.exe
PID 3024 wrote to memory of 3040	3024	rundll32.exe	rundll32.exe
PID 3040 wrote to memory of 2260	3040	rundll32.exe	mssecsvc.exe
PID 3040 wrote to memory of 2260	3040	rundll32.exe	mssecsvc.exe
PID 3040 wrote to memory of 2260	3040	rundll32.exe	mssecsvc.exe
PID 3040 wrote to memory of 2260	3040	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c71fa95241242f37fbb5aacc7bb8b1d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c71fa95241242f37fbb5aacc7bb8b1d_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3040

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2260

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2448

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe
Filesize
3.6MB

MD5
36d3544fcb2a73f026f9ce0b547a390d

SHA1
e96e17e80b062e08f15a61ad5039942139b880f2

SHA256
386e6d2538a6b4d045904bee628f391cd9a26c9fbf781cf454aa50bcb5dd8aa7

SHA512
9818d0edd1cf4c3bc49435aab7af6ec5573051b04d9ee88591bfecb8afbb8e02c134c49611fe9ae9b70e3ddc2bd35652ad5cab34085a19a0eb3f231df6b9cbd9

Download Submit
C:\Windows\tasksche.exe
Filesize
3.4MB

MD5
2e9c41c8c4c8c4862b4bd67341e07f86

SHA1
f3c7993c7602a2a8fa8ecc44550a04ad32db7bbf

SHA256
7f4a7782d398f0aa0be22a622aba1522abfd1892461fd7c07c4e3ab41abe5103

SHA512
2af90a8d8794bd9d923aab8d8948493065a71db4dc51c6ddedc7ed751f85ed7e2134e0f782ef54a96cb9f34fd766b1db214c1695cae75aeba88d92ac02ea53cd

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads