wannacry | 2a94ebb590d7d9ccdd2009a50ab13d94fb3174536e91dfe53dd9cea3e741e7d4

General

Target

d0766eba566a497af6e61c07af24c36d_JaffaCakes118.dll
Size

5.0MB
MD5

d0766eba566a497af6e61c07af24c36d
SHA1

4f808f55880494d962c57f9974278fad4b3008f5
SHA256

2a94ebb590d7d9ccdd2009a50ab13d94fb3174536e91dfe53dd9cea3e741e7d4
SHA512

907c11535d4d4b64c042ee78a74b619b157958e790531bc22057d6b9f0ee40720c6a9a45f7305b85b56563bc32ca7f37a2e4a806aaf5e278e8b09b41c51c5e2b
SSDEEP

98304:TDqPoBhz1aRxcSUDk36SAEdhvxWa9Pa3R8yAVp2:TDqPe1Cxcxk3ZAEUadER8yc4

Score

10^/10

wannacry discovery execution ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry

Executes dropped EXE 3 IoCs

pid	Process
640	mssecsvc.exe
2736	mssecsvc.exe
4152	tasksche.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1524	powershell.exe
4444	powershell.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvc.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4212	notepad.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3140	powershell_ise.exe
3140	powershell_ise.exe
3140	powershell_ise.exe
1524	powershell.exe
1524	powershell.exe
4444	powershell.exe
4444	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3140	powershell_ise.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: 33	4452	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4452	AUDIODG.EXE
Token: SeDebugPrivilege	4444	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 1608	4744	rundll32.exe	84
PID 4744 wrote to memory of 1608	4744	rundll32.exe	84
PID 4744 wrote to memory of 1608	4744	rundll32.exe	84
PID 1608 wrote to memory of 640	1608	rundll32.exe	86
PID 1608 wrote to memory of 640	1608	rundll32.exe	86
PID 1608 wrote to memory of 640	1608	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0766eba566a497af6e61c07af24c36d_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d0766eba566a497af6e61c07af24c36d_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:640
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:4152

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2736

C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe" "C:\Users\Admin\Desktop\StartStop.ps1"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe" "C:\Users\Admin\Desktop\StartStop.ps1"
1⤵
- Opens file in notepad (likely ransom note)
PID:4212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Desktop\StartStop.ps1'"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x470 0x4a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Users\Admin\Desktop\StartStop.ps1'"
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d136d3411d4aa688242c53cafb993aa6

SHA1
1a81cc78e3ca445d5a5193e49ddce26d5e25179f

SHA256
00ae5433c0107cc164516c7849b4cff7b6faeb52e5afa65c01dbd8c7a5efe397

SHA512
282ea53f8093c00e8c64d253782068211f8c4187391d5078755f55dedb8825c0042173d82f489d7b6c06e88184b70e83c1e92dadb80f57bd96c95855ac6b3da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1020B

MD5
5f3eb59f5e65ba631676f73fd15b65f9

SHA1
2fdf095edce39d5d2645d96310ef42a59493bb18

SHA256
1094ded6aae700c4d73c1b883359ea311ea12aee331c81ed824dbf999bbd4d4e

SHA512
155465ce664652d2a90e8b4ae3379df202bfe51d8bba572c811943f393090b4cb6d38bdf87614ae9acb0923442370cf450207ead0fb8728cbb35fa12abdffcd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cpyhpfey.tua.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
5c6aa5fcd6a94c064b27c2be843a4ec5

SHA1
76d25f83389c96691cb5b5d0739ce2b70e72a25d

SHA256
e072bdc7e3a86a9a0202ce67863520cae6461024d89e5375223ed4600482d450

SHA512
d0694788a09930f2e91414acc339f0b7c8ac01a1fc849addf41712a49e571b0cac4726af0da9ab5821241e80f7e092b3de206776b8296566b7bc45088a71d3b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
b93e40f19f727962b46ce34993235052

SHA1
a6423dc9077f00ee4e316e934a419f10b61346d2

SHA256
f74ecce4d6433dfe1a475a4cbd80849cede047e1b40a5853181fdb024f822f93

SHA512
e1a606d45a4b624ad6cf460b062b48a2e9ffdf92d56a2913457dcc4eefddce8736eeb6533d37dd4357a9b4dd0c794720c6c920d1488ca1fede98c24ba71a2e04

Download Submit
C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
f4531c47b69b90019096c33303fb9fe8

SHA1
ebe1442f1ebf397bddedfaefb7a78ca1c9511eee

SHA256
0bf9f9ad7fad6b676f7b7ea7b6b7a9cbe8af54f5e8beceadd678ac473e9d7eb9

SHA512
8d9a302631c16a0355d2083062c153da3ec129caca9b874c5407bcf8c936a5cb0bbfd720b7195f2a47e96f4ef8bcfda74abb1e83c00e28c9d215abc7c0fdb172

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
fff2678d85747fc86b20215d769ad4cb

SHA1
c864976c457a90a678344ffa0b9b134c0645ee3b

SHA256
658a87fcf71607b1ced777e309c10d8bbe447f9b368217cc16ebab55f52c340f

SHA512
862a16e02173e8875ca573700051d53634463d4cd9fd215c112ea2938fedc4743ea008d2e69ad644c04958d41a548b5763c2e76d85787264fbef033f37037190

Download Submit
memory/3140-26-0x00000242228E0000-0x0000024222902000-memory.dmp

Filesize
136KB

Download
memory/3140-16-0x0000024222510000-0x0000024222518000-memory.dmp

Filesize
32KB

Download
memory/3140-27-0x00000242227E0000-0x00000242227E8000-memory.dmp

Filesize
32KB

Download
memory/3140-28-0x00000242227F0000-0x00000242227F8000-memory.dmp

Filesize
32KB

Download
memory/3140-29-0x0000024221CF0000-0x0000024221CF8000-memory.dmp

Filesize
32KB

Download
memory/3140-30-0x0000024221D60000-0x0000024221D86000-memory.dmp

Filesize
152KB

Download
memory/3140-11-0x0000024222530000-0x0000024222568000-memory.dmp

Filesize
224KB

Download
memory/3140-10-0x00000242070D0000-0x00000242070DE000-memory.dmp

Filesize
56KB

Download
memory/3140-9-0x0000024222570000-0x00000242225BA000-memory.dmp

Filesize
296KB

Download
memory/3140-8-0x00000242053F0000-0x0000024205428000-memory.dmp

Filesize
224KB

Download

Resubmissions

Analysis

Sharing