wannacry | 8a0abfca4e451c4f0f3c693eb52331954573384bfd902ee325118d85a7e22dc3

General

Target

abae35df2210d9521a8bc0ba08b97113_JaffaCakes118.dll
Size

5.0MB
MD5

abae35df2210d9521a8bc0ba08b97113
SHA1

02cd4366ecde1ccd8833d7853dcf80c00305dead
SHA256

8a0abfca4e451c4f0f3c693eb52331954573384bfd902ee325118d85a7e22dc3
SHA512

b36c47d647109633c256dad766ff0ee846114f81b9921494048dfe68cb5561dabcdd051ff979774ce74a871ba46ad78a2718b67de70be8b5039d26999e24c79e
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhUP593R8yAVp2H:+DqPe1Cxcxk3ZAESzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3240) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
1204	mssecsvc.exe
2572	mssecsvc.exe
2928	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-4f-3c-78-ce-a7	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24F065EC-5017-4555-ACB1-4D99226B26DF}\76-4f-3c-78-ce-a7	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-4f-3c-78-ce-a7\WpadDecision = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24F065EC-5017-4555-ACB1-4D99226B26DF}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24F065EC-5017-4555-ACB1-4D99226B26DF}\WpadDecisionTime = 00ee3b4da7beda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24F065EC-5017-4555-ACB1-4D99226B26DF}\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00f8000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-4f-3c-78-ce-a7\WpadDecisionTime = 00ee3b4da7beda01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-4f-3c-78-ce-a7\WpadDecisionReason = "1"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24F065EC-5017-4555-ACB1-4D99226B26DF}	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24F065EC-5017-4555-ACB1-4D99226B26DF}\WpadNetworkName = "Network 3"	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1840	2276	rundll32.exe	28
PID 2276 wrote to memory of 1840	2276	rundll32.exe	28
PID 2276 wrote to memory of 1840	2276	rundll32.exe	28
PID 2276 wrote to memory of 1840	2276	rundll32.exe	28
PID 2276 wrote to memory of 1840	2276	rundll32.exe	28
PID 2276 wrote to memory of 1840	2276	rundll32.exe	28
PID 2276 wrote to memory of 1840	2276	rundll32.exe	28
PID 1840 wrote to memory of 1204	1840	rundll32.exe	29
PID 1840 wrote to memory of 1204	1840	rundll32.exe	29
PID 1840 wrote to memory of 1204	1840	rundll32.exe	29
PID 1840 wrote to memory of 1204	1840	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\abae35df2210d9521a8bc0ba08b97113_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\abae35df2210d9521a8bc0ba08b97113_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1204
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2928

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
d7f4ff878ebe415908865c70f771f044

SHA1
fae5f74b6ff94419c20491d8d597255bfd6c58ac

SHA256
8c8d53641bd242ef992aebbf90bf797af3e8182a908e066a901b583e1fbaaa2c

SHA512
d69547ee99df21414525a039b4c16226f2796ee3113d2d9dc98b6fafed1d807fd8e0abe55110ba868784c75982696bb23e1bca8740435a3c2453eb4baecea18c

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
f3003718765af548421286844ecd0716

SHA1
8157ad9a91b3221ce72c8034e49a23b1a689084e

SHA256
da7118b2c5e2e7ec9add5e0313851be30121c69d114ff6d3f7836c6ec0527882

SHA512
54d519786363c76c15526ffa6c6971f7959b0eccb4cf1cb2477d7f5f05fe514aacb26ccb58a4dea67762caac856d6d39aeb7d9b676ee60c88e2c4ce4656b7009

Download Submit

Analysis

Sharing