wannacry | ef376214f178669b0a57bd061bf6b34e1631fcb4831ede7ab204588657d44596

General

Target

f4f2e35feb96f5f48daa5f8ce69448d7_JaffaCakes118.dll
Size

5.0MB
MD5

f4f2e35feb96f5f48daa5f8ce69448d7
SHA1

6f3a3b86f22d55c2ddfbe1ab316089c07ba030b9
SHA256

ef376214f178669b0a57bd061bf6b34e1631fcb4831ede7ab204588657d44596
SHA512

2476e65afbaf13a3a4c620bb0d0067bbc8a8eefefcf018b4adbf76107ce7dca5469c2b335fa7ed6778613fb79a354a775ab06becb139fe019464514c3e09e5d2
SSDEEP

49152:SnAQqMSPbcBVQej/1INRx+TSqTdX1HkQo6SAAxxJM:+DqPoBhz1aRxcSUDk36SA4xW

Score

10^/10

wannacry discovery ransomware worm

Malware Config

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Contacts a large (3135) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Executes dropped EXE 3 IoCs

pid	Process
2308	mssecsvc.exe
2148	mssecsvc.exe
2888	tasksche.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mssecsvc.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{42EA5CAC-5ED3-4DA0-9316-09F90C25D5F7}	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{42EA5CAC-5ED3-4DA0-9316-09F90C25D5F7}\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{42EA5CAC-5ED3-4DA0-9316-09F90C25D5F7}\WpadDecisionTime = c09a0e88f00edb01	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{42EA5CAC-5ED3-4DA0-9316-09F90C25D5F7}\WpadNetworkName = "Network 3"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-65-ca-4e-27	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-65-ca-4e-27\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{42EA5CAC-5ED3-4DA0-9316-09F90C25D5F7}\aa-73-65-ca-4e-27	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-65-ca-4e-27\WpadDecisionReason = "1"	mssecsvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-73-65-ca-4e-27\WpadDecisionTime = c09a0e88f00edb01	mssecsvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	mssecsvc.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{42EA5CAC-5ED3-4DA0-9316-09F90C25D5F7}\WpadDecision = "0"	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	mssecsvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	mssecsvc.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2268	2316	rundll32.exe	30
PID 2316 wrote to memory of 2268	2316	rundll32.exe	30
PID 2316 wrote to memory of 2268	2316	rundll32.exe	30
PID 2316 wrote to memory of 2268	2316	rundll32.exe	30
PID 2316 wrote to memory of 2268	2316	rundll32.exe	30
PID 2316 wrote to memory of 2268	2316	rundll32.exe	30
PID 2316 wrote to memory of 2268	2316	rundll32.exe	30
PID 2268 wrote to memory of 2308	2268	rundll32.exe	31
PID 2268 wrote to memory of 2308	2268	rundll32.exe	31
PID 2268 wrote to memory of 2308	2268	rundll32.exe	31
PID 2268 wrote to memory of 2308	2268	rundll32.exe	31

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4f2e35feb96f5f48daa5f8ce69448d7_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\f4f2e35feb96f5f48daa5f8ce69448d7_JaffaCakes118.dll,#1
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2308
  - - C:\WINDOWS\tasksche.exe
      C:\WINDOWS\tasksche.exe /i
      4⤵
      Executes dropped EXE
      PID:2888

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

2

T1046

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mssecsvc.exe

Filesize
3.6MB

MD5
ef8f9a175c2c3817acccfbe1ab0902bf

SHA1
a3b2e0b0fc085a3e57e75fe36a8f8183843fb7dc

SHA256
e84558e2d07783e5fc7ed1b8716d6e6671c165eb9e67e916f015d1865b0f0372

SHA512
30106874f0fb5ad55828743c6a457f843cdece10b11da4079aad05a661fe12a9de987700d85f790b81bf7cc82f5d3e8dbd953dc04b64e4dba7d7d31ad2f29fd3

Download Submit
C:\Windows\tasksche.exe

Filesize
3.4MB

MD5
902e9fd67b647b82a14752162a55179c

SHA1
5e724824b4a0fb4461f872a715876b151e1bba2d

SHA256
d8a947c7b002dbaeb34b42a0ece3d2d7f6f29b364b1c49fb3a9f6eaca9b08286

SHA512
e77107cb9d82553f9bcd7cddfa4664e9a64afbcc21b9d1279cd20145eb0ea367b502f17c1e0e32d4a07655e3a76c7e7a1afe5e9fa958f030b5d4e18f1f36c390

Download Submit

Analysis

Sharing