wannacry | ba40208a38500e7c001fede2b264ae758e115750c80384f67ed4163edc5d2644

General

Target

1e8e8eb9b0c25208b5c83be09430c010_JaffaCakes118.dll
Size

5.0MB
MD5

1e8e8eb9b0c25208b5c83be09430c010
SHA1

be0ed07c7ec11f091b5a351bde73f78458d8c8e3
SHA256

ba40208a38500e7c001fede2b264ae758e115750c80384f67ed4163edc5d2644
SHA512

51ea750fa7e9a0b3ef8e9088e70ade172a80a860a471a1cbce004628ab6866fbe882d7f1091da9c169473751defb826045bfc5aef227d9d8c85a14d0c217a8dc
SSDEEP

98304:dDqPoBCRxcSUDk36SAEdhvxWa9P593R8yAVp2H:dDqPNxcxk3ZAEUadzR8yc4H

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3211) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
1960	mssecsvc.exe
3016	mssecsvc.exe
2588	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecisionTime = 80d259fa55ccda01	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionTime = 80d259fa55ccda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecision = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-48-c5-91-63-73\WpadDecisionReason = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\a2-48-c5-91-63-73	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{4BD18E26-0824-4C09-8E45-F280C2FBBF82}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0054000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 1592	2820	rundll32.exe	28
PID 2820 wrote to memory of 1592	2820	rundll32.exe	28
PID 2820 wrote to memory of 1592	2820	rundll32.exe	28
PID 2820 wrote to memory of 1592	2820	rundll32.exe	28
PID 2820 wrote to memory of 1592	2820	rundll32.exe	28
PID 2820 wrote to memory of 1592	2820	rundll32.exe	28
PID 2820 wrote to memory of 1592	2820	rundll32.exe	28
PID 1592 wrote to memory of 1960	1592	rundll32.exe	29
PID 1592 wrote to memory of 1960	1592	rundll32.exe	29
PID 1592 wrote to memory of 1960	1592	rundll32.exe	29
PID 1592 wrote to memory of 1960	1592	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e8e8eb9b0c25208b5c83be09430c010_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1e8e8eb9b0c25208b5c83be09430c010_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1960
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2588

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
b56e522fb80d4ef60f35b545778aa684

SHA1
eab7d1905507eac1fd98368aa3dca1f3e3965772

SHA256
336fa3a05d1323def585f932ba6ac418df72e1b63af35ecc941a495d7351d992

SHA512
00b4b58bc70cfbaf70b51b817967485efa3b956bc869e5f408d0ddd37c8291caa558b8052ef79bacccf713d3641dca603b9a77017a07e24952b2d17ad1b70def

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
31153363ae2babe5a02023a85fdcd206

SHA1
7f2a1b8f08322698fce320caa449515090afc4cb

SHA256
5bf7e8e373424701db22720f04e098f435e7748f747b583d2524da386f892f58

SHA512
84f1b6d2f8aff4fdda8ea483f5338e3d72ec11a9cdbe520215dea1cccbe341cc183ab51954931a01eb1b5be627b8b90837db42ac1020e629ed00b2d1c410710e

Download Submit

Analysis

Sharing