wannacry | b2e147ea73d954d6938434c8f4e3fb68a3eac21d1770e39102f0c21cebb9acbf

General

Target

a725bf924d21fc981dd173fa66bca35f_JaffaCakes118.dll
Size

5.0MB
MD5

a725bf924d21fc981dd173fa66bca35f
SHA1

c8b034345bbfca6981c3932388a245218cca3d9f
SHA256

b2e147ea73d954d6938434c8f4e3fb68a3eac21d1770e39102f0c21cebb9acbf
SHA512

80b4d0ac7aa24c1a6abc904f7feb46f772e6d0c5307860c62a6de5320a5e1b5568cf49d2e15786241d7171aae12ee29824781b07f330352f95eaf5ed80645ae4
SSDEEP

49152:JnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnvxJM0H:dDqPoBhz1aRxcSUDk36SAEdhvxWa

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2663) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Executes dropped EXE 3 IoCs

Processes:

mssecsvc.exemssecsvc.exetasksche.exe

pid process

2464 mssecsvc.exe
2716 mssecsvc.exe
2996 tasksche.exe

pid	process
2464	mssecsvc.exe
2716	mssecsvc.exe
2996	tasksche.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

Processes:

mssecsvc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00c9000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{37BAAEC5-C191-4C28-BB0F-E325833E4815}\46-47-65-7c-a1-d4	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{37BAAEC5-C191-4C28-BB0F-E325833E4815}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{37BAAEC5-C191-4C28-BB0F-E325833E4815}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{37BAAEC5-C191-4C28-BB0F-E325833E4815}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-47-65-7c-a1-d4	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-47-65-7c-a1-d4\WpadDecisionTime = a039393aebbdda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-47-65-7c-a1-d4\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{37BAAEC5-C191-4C28-BB0F-E325833E4815}\WpadDecisionTime = a039393aebbdda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{37BAAEC5-C191-4C28-BB0F-E325833E4815}\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-47-65-7c-a1-d4\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

rundll32.exerundll32.exe

description	pid	process	target process
PID 2028 wrote to memory of 2316	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 2316	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 2316	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 2316	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 2316	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 2316	2028	rundll32.exe	rundll32.exe
PID 2028 wrote to memory of 2316	2028	rundll32.exe	rundll32.exe
PID 2316 wrote to memory of 2464	2316	rundll32.exe	mssecsvc.exe
PID 2316 wrote to memory of 2464	2316	rundll32.exe	mssecsvc.exe
PID 2316 wrote to memory of 2464	2316	rundll32.exe	mssecsvc.exe
PID 2316 wrote to memory of 2464	2316	rundll32.exe	mssecsvc.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a725bf924d21fc981dd173fa66bca35f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a725bf924d21fc981dd173fa66bca35f_JaffaCakes118.dll,#1
2⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2316

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2464

C:\WINDOWS\tasksche.exe
C:\WINDOWS\tasksche.exe /i
4⤵
- Executes dropped EXE
PID:2996

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
311aa9d4b29c9305a21d3d3097df96c5

SHA1
881f45a13956c4edf8f20e7019692735c2581169

SHA256
4f18bcddae09d98f2a407cf95c6327d6cff2c40237c94306b634db37c7f7e40b

SHA512
443b5f0914ec86753ce3e49e4227777f0f5ae60e7650ed78ee064ef5954b0f01baee5fe539d6ac06de97bf642681983c85f38343735d757a9008c85db5243448

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
1c25e5274a3e361c24eb883126ccecef

SHA1
0a5e0d6add60b23aeef69a60f9a00d941883c791

SHA256
1f3b3975f824416ee12c9851b19c62184f67d0160203576e11a639c0dd5c550f

SHA512
fdfcf9d2ea69c13f7eb5d5d52784e6a9077d3ab97e3347284d6d6eccdc7f8f3c9d09a3887bd40ee3128a22418a6b2db018255b4166c5e5a55ea31129ef92baa8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads