wannacry | 39bbc42fa1212dc1465776b1c0efaed775c063385a6e6fd9d06cda483558f393

General

Target

6633a19602561d359e76a67a008d62e8_JaffaCakes118.dll
Size

5.0MB
MD5

6633a19602561d359e76a67a008d62e8
SHA1

d823708efa36c4fc6f8ec99dfa8a9741f0205de4
SHA256

39bbc42fa1212dc1465776b1c0efaed775c063385a6e6fd9d06cda483558f393
SHA512

7706a678184eb50ea9c0525376dda5f738aa1578f2ad3c70e0f54a6820152495ee7036ace388a8b9cebdf17692b71f2df3181d530a1485c53b211b297b9402c0
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R:TDqPe1Cxcxk3ZAEUadzR

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3284) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2680	mssecsvc.exe
2764	mssecsvc.exe
2508	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{037A4A68-ED10-4779-B6EE-7852093F915E}	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-f5-38-63-87-7a	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-f5-38-63-87-7a\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{037A4A68-ED10-4779-B6EE-7852093F915E}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-f5-38-63-87-7a\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-f5-38-63-87-7a\WpadDecisionTime = 4069c491c4dcda01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{037A4A68-ED10-4779-B6EE-7852093F915E}\ee-f5-38-63-87-7a	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{037A4A68-ED10-4779-B6EE-7852093F915E}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{037A4A68-ED10-4779-B6EE-7852093F915E}\WpadDecisionTime = 4069c491c4dcda01	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0197000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{037A4A68-ED10-4779-B6EE-7852093F915E}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 2636	2356	rundll32.exe	30
PID 2356 wrote to memory of 2636	2356	rundll32.exe	30
PID 2356 wrote to memory of 2636	2356	rundll32.exe	30
PID 2356 wrote to memory of 2636	2356	rundll32.exe	30
PID 2356 wrote to memory of 2636	2356	rundll32.exe	30
PID 2356 wrote to memory of 2636	2356	rundll32.exe	30
PID 2356 wrote to memory of 2636	2356	rundll32.exe	30
PID 2636 wrote to memory of 2680	2636	rundll32.exe	31
PID 2636 wrote to memory of 2680	2636	rundll32.exe	31
PID 2636 wrote to memory of 2680	2636	rundll32.exe	31
PID 2636 wrote to memory of 2680	2636	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\6633a19602561d359e76a67a008d62e8_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\6633a19602561d359e76a67a008d62e8_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:2680
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2508

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
218cbc67ac8a66aebca9cca90960ead8

SHA1
19454a65b8253104daf8beb975b4b12b76db586e

SHA256
ae167748ed2a30a493121478cf77d1a6f78ffd8a149e4ec627b3af9aea5e0ec2

SHA512
010cb8e232fd0b23d36ec39ee8456e1d1e7af7967e6923908e60de8d6671400d827c12cc52d98f17ec450e642150ad52af88c94376e7344b7a85e891d8f00a91

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
1fd3d102d83758e8317df2380821e807

SHA1
3709a9b48aee0d6039b4b3581be33f48d4919b79

SHA256
01b628fa60560c0cb4a332818cb380a65d0616d19976c084e0c3eaa433288b88

SHA512
db0ee5b13e524f2182845aa94b8b1121749e87e48e75e5ba8fa26cae024216913d3a5904fb3544dfeefa49ecf76af5cf1324c410e6366a7197594e8e9e26025f

Download Submit

Analysis

Sharing