wannacry | f6167721226b978b2225c31a8d9f94833de9555cf83186fff8970a7c41043fd4

General

Target

9fdf1f2ad7cd5225a57c91e333de2f44_JaffaCakes118.dll
Size

5.0MB
MD5

9fdf1f2ad7cd5225a57c91e333de2f44
SHA1

4651877bfa78921e926e19f655676c6025f4a747
SHA256

f6167721226b978b2225c31a8d9f94833de9555cf83186fff8970a7c41043fd4
SHA512

35c56b13c14ed3159e8bcd72cccb5bfd4c6240448c24338c4c6ac8d2562f551e4d0a15d3a449659463cfb507c28d75422c5d6cc22c263f1d8f1f8c9e960d8ba9
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEdhvxWi593R8yAVp2H:TDqPe1Cxcxk3ZAEUizR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3313) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2140 mssecsvc.exe
2656 mssecsvc.exe
2784 tasksche.exe
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

pid	process
2140	mssecsvc.exe
2656	mssecsvc.exe
2784	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\WpadDecisionTime = c0c099bd98bcda01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\76-01-0c-0e-65-4b	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-01-0c-0e-65-4b\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-01-0c-0e-65-4b\WpadDecisionTime = c0c099bd98bcda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-01-0c-0e-65-4b\WpadDecision = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AF7CD38-FCE6-449D-BC75-ED24B995B590}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-01-0c-0e-65-4b	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 3020 wrote to memory of 3044	3020	rundll32.exe	rundll32.exe
PID 3020 wrote to memory of 3044	3020	rundll32.exe	rundll32.exe
PID 3020 wrote to memory of 3044	3020	rundll32.exe	rundll32.exe
PID 3020 wrote to memory of 3044	3020	rundll32.exe	rundll32.exe
PID 3020 wrote to memory of 3044	3020	rundll32.exe	rundll32.exe
PID 3020 wrote to memory of 3044	3020	rundll32.exe	rundll32.exe
PID 3020 wrote to memory of 3044	3020	rundll32.exe	rundll32.exe
PID 3044 wrote to memory of 2140	3044	rundll32.exe	mssecsvc.exe
PID 3044 wrote to memory of 2140	3044	rundll32.exe	mssecsvc.exe
PID 3044 wrote to memory of 2140	3044	rundll32.exe	mssecsvc.exe
PID 3044 wrote to memory of 2140	3044	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fdf1f2ad7cd5225a57c91e333de2f44_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3020

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\9fdf1f2ad7cd5225a57c91e333de2f44_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3044

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2140

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2784

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
39ba95f0b586a2ef517bb30c2c4a54db

SHA1
9ab4814d46a4423a560db516ecceaebe651ffa8b

SHA256
3ba8288b842ff843cc7e4070614a8fa505e1ef9a1665bc8927e54b4dd5fd012c

SHA512
9f335276ed609c0d406bc7d5ef1a59f8bb8ca352465d67747b4fa7ff7a188f5555323e5ce3d30833a3919e6fd86219d64a6ccbc955cd269fb953c02f7a77b29d

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
9ec7a921022993aaabd0f0937f5194da

SHA1
53db809fedaa756916df059b8c73b48ae76d2ce6

SHA256
967658e37edaa8aea880275da688ede7dc01b65bd83ae06e313d673c0066bed7

SHA512
497da606fadf43aadbf581cff77342c57c1dc7139814e122da842fa579c3b5ac41768b4e345f9d676c706ea16faf42f3cbb86354f792b238e29837b15103b308

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads