wannacry | 68ba4f71995025612f70be0c0ff6f0578781f1c144aa24f2928f370c45503b60

General

Target

c535d0ca60d2e77f3f849a6ac49a38cb_JaffaCakes118.dll
Size

5.0MB
MD5

c535d0ca60d2e77f3f849a6ac49a38cb
SHA1

b55644e0bfde458e34e144dfe52e5f08f8af2da4
SHA256

68ba4f71995025612f70be0c0ff6f0578781f1c144aa24f2928f370c45503b60
SHA512

89cef15c22eca56990d8321269798db3f6b5a581217a93908306f155f64fad2ef9a43f83bb2bb79f3c7f7ebc308ce6622e23fa755ebb33cb0319d29c5b7f3f2b
SSDEEP

98304:+DqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8y:+DqPe1Cxcxk3ZAEUadzR8y

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (2190) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
1860	mssecsvc.exe
2780	mssecsvc.exe
4768	tasksche.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
944	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
944	vlc.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
944	vlc.exe
944	vlc.exe
944	vlc.exe
944	vlc.exe
944	vlc.exe
944	vlc.exe
944	vlc.exe
944	vlc.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
944	vlc.exe
944	vlc.exe
944	vlc.exe
944	vlc.exe
944	vlc.exe
944	vlc.exe
944	vlc.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
944	vlc.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 4756	1004	rundll32.exe	82
PID 1004 wrote to memory of 4756	1004	rundll32.exe	82
PID 1004 wrote to memory of 4756	1004	rundll32.exe	82
PID 4756 wrote to memory of 1860	4756	rundll32.exe	83
PID 4756 wrote to memory of 1860	4756	rundll32.exe	83
PID 4756 wrote to memory of 1860	4756	rundll32.exe	83

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\c535d0ca60d2e77f3f849a6ac49a38cb_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\c535d0ca60d2e77f3f849a6ac49a38cb_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4756
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1860
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:4768

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3336

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\CompletePublish.3g2"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:944

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\DebugConvertFrom.ADT"
1⤵
PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

1

T1046

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vlc\vlcrc

Filesize
94KB

MD5
7b37c4f352a44c8246bf685258f75045

SHA1
817dacb245334f10de0297e69c98b4c9470f083e

SHA256
ec45f6e952b43eddc214dba703cf7f31398f3c9f535aad37f42237c56b9b778e

SHA512
1e8d675b3c6c9ba257b616da268cac7f1c7a9db12ffb831ed5f8d43c0887d711c197ebc9daf735e3da9a0355bf21c2b29a2fb38a46482a2c5c8cd5628fea4c02

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
13811dea41a16129e6e56da385071e0e

SHA1
8aff71e7e582163b3732f3e690113c534ead5415

SHA256
eae935145d83468cffc8090750ab5979d0ada29e332715ce6032de77a7b2f04c

SHA512
3ef5278264616aaa8d7d6f393bc159f4eaed7c5e8ba420ce7291fb51723ae7585ddee5976992c491aa7099e65955d65ed8f2086a5c5dcae9d09b4e77ff6d149b

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
e74eb6fa2a2bc4b0d243cdee618e9819

SHA1
61f6f281b2436acf2b1fa054ceb763c280d535e6

SHA256
7d99aaa426e4f057185168d127b7bf57f13fc971e486af58c85a0d10ee930616

SHA512
400dfd700b79db143949845a97122834676f64e0dc0a068f02b283e6fbb0fb52c33d44b5ba5a39de191e72a72da78a2d98dc8b4b2f0dd52fc0995b1a1a5e49f3

Download Submit
memory/944-32-0x00007FFFAF670000-0x00007FFFAF681000-memory.dmp

Filesize
68KB

Download
memory/944-30-0x00007FFFAF690000-0x00007FFFAF6AD000-memory.dmp

Filesize
116KB

Download
memory/944-35-0x00007FFFA7170000-0x00007FFFA8220000-memory.dmp

Filesize
16.7MB

Download
memory/944-37-0x00007FFFA9710000-0x00007FFFA9721000-memory.dmp

Filesize
68KB

Download
memory/944-34-0x00007FFFA9B10000-0x00007FFFA9B31000-memory.dmp

Filesize
132KB

Download
memory/944-38-0x00007FFFA96F0000-0x00007FFFA9701000-memory.dmp

Filesize
68KB

Download
memory/944-25-0x00007FFFBAED0000-0x00007FFFBAEE8000-memory.dmp

Filesize
96KB

Download
memory/944-33-0x00007FFFAF5B0000-0x00007FFFAF5F1000-memory.dmp

Filesize
260KB

Download
memory/944-29-0x00007FFFB9860000-0x00007FFFB9871000-memory.dmp

Filesize
68KB

Download
memory/944-31-0x00007FFFA8220000-0x00007FFFA842B000-memory.dmp

Filesize
2.0MB

Download
memory/944-27-0x00007FFFBA1B0000-0x00007FFFBA1C1000-memory.dmp

Filesize
68KB

Download
memory/944-26-0x00007FFFBA550000-0x00007FFFBA567000-memory.dmp

Filesize
92KB

Download
memory/944-24-0x00007FFFA8E20000-0x00007FFFA90D6000-memory.dmp

Filesize
2.7MB

Download
memory/944-23-0x00007FFFBA030000-0x00007FFFBA064000-memory.dmp

Filesize
208KB

Download
memory/944-22-0x00007FF6432E0000-0x00007FF6433D8000-memory.dmp

Filesize
992KB

Download
memory/944-39-0x00007FFFA96D0000-0x00007FFFA96E1000-memory.dmp

Filesize
68KB

Download
memory/944-40-0x00007FFFA96B0000-0x00007FFFA96CB000-memory.dmp

Filesize
108KB

Download
memory/944-41-0x00007FFFA9690000-0x00007FFFA96A1000-memory.dmp

Filesize
68KB

Download
memory/944-28-0x00007FFFB9F60000-0x00007FFFB9F77000-memory.dmp

Filesize
92KB

Download
memory/944-36-0x00007FFFAF590000-0x00007FFFAF5A8000-memory.dmp

Filesize
96KB

Download
memory/944-49-0x00000219F7FC0000-0x00000219F8058000-memory.dmp

Filesize
608KB

Download
memory/944-48-0x00007FFFA6AC0000-0x00007FFFA6AD1000-memory.dmp

Filesize
68KB

Download
memory/944-47-0x00007FFFA6FD0000-0x00007FFFA7027000-memory.dmp

Filesize
348KB

Download
memory/944-46-0x00007FFFA7030000-0x00007FFFA7041000-memory.dmp

Filesize
68KB

Download
memory/944-45-0x00007FFFA7050000-0x00007FFFA70CC000-memory.dmp

Filesize
496KB

Download
memory/944-44-0x00007FFFA70D0000-0x00007FFFA7137000-memory.dmp

Filesize
412KB

Download
memory/944-43-0x00007FFFA7140000-0x00007FFFA7170000-memory.dmp

Filesize
192KB

Download
memory/944-42-0x00007FFFA9590000-0x00007FFFA95A8000-memory.dmp

Filesize
96KB

Download
memory/1148-16-0x00007FFFBA1B0000-0x00007FFFBA1C1000-memory.dmp

Filesize
68KB

Download
memory/1148-13-0x00007FFFA8E20000-0x00007FFFA90D6000-memory.dmp

Filesize
2.7MB

Download
memory/1148-12-0x00007FFFBA030000-0x00007FFFBA064000-memory.dmp

Filesize
208KB

Download
memory/1148-11-0x00007FF6432E0000-0x00007FF6433D8000-memory.dmp

Filesize
992KB

Download
memory/1148-14-0x00007FFFBAED0000-0x00007FFFBAEE8000-memory.dmp

Filesize
96KB

Download
memory/1148-15-0x00007FFFBA550000-0x00007FFFBA567000-memory.dmp

Filesize
92KB

Download

Resubmissions

Analysis

Sharing