wannacry | ce0beae359bd37e504a089a30a4489e39e63985b91e8700cf77ce6b89401500b

General

Target

d454f558f644289b2a4add1c44986abf_JaffaCakes118.dll
Size

5.0MB
MD5

d454f558f644289b2a4add1c44986abf
SHA1

7ab6673c1c18a0fa12aa1f15a71e069b19c06c20
SHA256

ce0beae359bd37e504a089a30a4489e39e63985b91e8700cf77ce6b89401500b
SHA512

1819dc72bb74720d75d85507a86019be8f1048a4eea2089ed7a1f99a6afffa99d5f4664ef8983c660aab2e426742f4aaf0651283e1977629c16461e4cfa08cf8
SSDEEP

49152:RnpdMSPbcBVQej/1INRx+TSqTdX1HkQo6SAARdhnv:1pdPoBhz1aRxcSUDk36SAEdhv

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3182) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 2 IoCs

pid	Process
3828	mssecsvr.exe
3024	mssecsvr.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	mssecsvr.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	mssecsvr.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\tasksche.exe	mssecsvr.exe
File created	C:\WINDOWS\mssecsvr.exe	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvr.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvr.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	mssecsvr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	mssecsvr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 3452	4260	rundll32.exe	85
PID 4260 wrote to memory of 3452	4260	rundll32.exe	85
PID 4260 wrote to memory of 3452	4260	rundll32.exe	85
PID 3452 wrote to memory of 3828	3452	rundll32.exe	86
PID 3452 wrote to memory of 3828	3452	rundll32.exe	86
PID 3452 wrote to memory of 3828	3452	rundll32.exe	86

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\d454f558f644289b2a4add1c44986abf_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\d454f558f644289b2a4add1c44986abf_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\WINDOWS\mssecsvr.exe
    C:\WINDOWS\mssecsvr.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3828

C:\WINDOWS\mssecsvr.exe
C:\WINDOWS\mssecsvr.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvr.exe

Filesize
2.2MB

MD5
d942bf3a88c096501022ad38abe0d7fe

SHA1
9a65ce9c3a1feede75358b160d43c1fd1f07575e

SHA256
02d475b23b44cafd7f6f4ab865deb335aca0aed94af9fe38475d75d2003cd55b

SHA512
fa9d9f4af5962d559992b2decd2099041b057f6515311e9ee798b6d1717e862fb1ea7c125271f768ad82668c8d35925dcfd7c489068cd3f6c83e358d0c707677

Download Submit

Analysis

Sharing