More than 70 countries are reported to be infected.
Read More: Part 1 — Part 2 — Part 3 — Part 4 — @msuiche (Twitter)
UPDATE: Links to Lazarus Group, latest development (15 May):
UPDATE2: — Decrypting files
IMPORTANT NOTE: Microsoft released an emergency patch (KB4012598) for unsupported versions of Windows (Windows XP, 2003, Vista, 2008). APPLY NOW!
NOTE2: On Sunday 14 May, we stopped the second wave of the attack by registering a second kill switch, but this is only temporary. Read more.
On Friday 12 May 2017, a ransomware called WannaCry started infecting machines and spreading across 70+ countries, using nation-state grade offensive capabilities released last month by the ShadowBrokers. Victims include telco companies such as Telefonica in Spain and healthcare authorities such as the NHS in England, and the number of infected machines keeps growing.
The ransomware supports 28 different languages, encrypts 179 different file types and requires victims to pay $300-$600 in bitcoin in order to regain control of their machines.
Main dropper/encrypter: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Infection
It is believed the ransomware uses an SMB vulnerability patched by Microsoft (MS17-010) in March. A public exploit for this vulnerability was released in April by a group dubbed the ShadowBrokers (which first emerged in August 2016) as part of a leak of offensive tools belonging to the NSA, including a remote SMB exploit called ETERNALBLUE which targets the above vulnerability.
This vulnerability is believed to have been used by the NSA to take over its targets, including the backbone of financial institutions in the Middle East.
Last month, I covered the latest Shadow Brokers leak — which I strongly recommend to read to learn more about what ETERNALBLUE and DOUBLEPULSAR are.
Thanks to Darien Huss for highlighting the binary that infects the system. Zammis Clark wrote a good write-up on the infection part and on the domain name www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com that was registered as a kill switch for the malware.
Below is the most interesting discovery from Darien Huss, which enabled @MalwareTechBlog to register the domain name and prevent further infection, for now. It is important to note that:
- If your intranet has no internet access, which is fairly common (remember the infection spreads over SMB on the network), the infector will not be able to reach this domain name and will proceed with the infection.
- Although this blocks the current version, the malware authors have probably already written and dropped variants with a different kill-switch mechanism.
- This is only temporary relief. Most systems are still vulnerable due to their dependence on legacy operating systems such as Windows XP, and will not be safe until they apply the MS17-010 patch, which requires them to upgrade their OS since legacy OSes are out of support from Microsoft.
Simple and straightforward.
I was curious about the DOUBLEPULSAR part, so I decided to look at the routine in detail: WannaCry not only checks whether DOUBLEPULSAR is present but also has an (unused) flag to potentially uninstall the backdoor and kick any parasite out.
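The kill-switch caveats above have a direct detection consequence: any host that looks up the kill-switch domain is running the dropper, and a host whose lookup never resolved (the offline-intranet case) kept spreading. As an added example (not code from the original post), the following triage runs over constructed DNS resolver log lines; the log line format, client IPs and timestamps are assumptions.

```python
"""Kill-switch DNS triage (added example, not from the original post).

WannaCry looks up www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com before
spreading and stops only if that check succeeds. The "<time> <client>
<qname> <rcode>" log format and every entry below are constructed.
"""
import re

KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample resolver log (not real traffic).
SAMPLE_DNS_LOG = """\
2017-05-12T14:03:11Z 10.1.2.15 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
2017-05-12T14:03:12Z 10.1.2.15 update.microsoft.com NOERROR
2017-05-12T14:04:40Z 10.1.7.200 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T14:05:02Z 10.1.9.31 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com SERVFAIL
2017-05-12T14:05:03Z 10.1.9.31 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def classify_kill_switch_lookups(log_text):
    """Map each client that queried the kill-switch domain to "resolved" or
    "unresolved". One successful lookup is enough to count as resolved; note
    that a resolved name only means the dropper's HTTP check could have
    succeeded, not that it did (e.g. a proxy may still block it)."""
    outcome = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        _ts, client, qname, rcode = m.groups()
        if qname.lower().rstrip(".") != KILL_SWITCH_DOMAIN:
            continue
        if rcode == "NOERROR":
            outcome[client] = "resolved"
        else:
            outcome.setdefault(client, "unresolved")
    return outcome


def hosts_to_isolate_first(log_text):
    """Clients whose kill-switch lookup never succeeded: assume active spreading."""
    states = classify_kill_switch_lookups(log_text)
    return sorted(c for c, s in states.items() if s == "unresolved")


if __name__ == "__main__":
    for client, state in sorted(classify_kill_switch_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{client}: queried kill switch, {state}")
    print("isolate first:", hosts_to_isolate_first(SAMPLE_DNS_LOG))
```

Hosts in the "resolved" set still need to be checked, since they also ran the dropper; the split only decides which machines to pull off the network first.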
- If DOUBLEPULSAR is present, it will leverage it to install its payload.
- If DOUBLEPULSAR is not present, it will attempt to exploit the target machine using the SMB vulnerabilities (MS17-010 / KB4012598).
An SMB honeypot based in France and connected to the internet was infected within 3 minutes.
Checking for DoublePulsar
Unsurprisingly, the packets and checks are very similar to those of the DOUBLEPULSAR detection tool written by Countercept.
You can find out more about the references to DOUBLEPULSAR within WannaCry here.
WannaCry?
Extraction
The dropper extracts a password-protected archive (password “WNcry@2ol7”) containing the ransomware from its resources (XIA/2058).
Payment
The ransomware uses 3 different Bitcoin addresses to receive payments:
- 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
- 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
- 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Files
- \msg — This folder contains the RTF files with the ransom instructions, in 28 languages.
- b.wnry — BMP image used by the malware as a replacement desktop background.
- c.wnry — configuration file containing the target address as well as the Tor communication endpoints.
- s.wnry — Tor client used to communicate with the above endpoints.
- u.wnry — UI of the ransomware, containing the communication routines and password validation (currently being analyzed).
- t.wnry — “WANACRY!” file, contains the default keys.
t.wnry, including the file format definition as a 010 Editor template.
- r.wnry — Q&A file used by the application, containing payment instructions.
- taskdl.exe / taskse.exe —
taskdl.exe
u.wnry — Yes, I broke it so it has no data.
Command & Control
Tor endpoint addresses recovered from the configuration file:
- gx7ekbenv2riucmf.onion
- 57g7spgrzlojinas.onion
- xxlvbrloxvriy2c5.onion
- 76jdd2ir2embyv47.onion
- cwwnhwhlz52maqm7.onion
The malware also downloads Tor version 0.2.9.10 (from the Tor Browser 6.5.1 distribution directory): https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
Encryption
Here is the list of the 179 different file types encrypted by the ransomware.
- .doc
- .docx
- .docb
- .docm
- .dot
- .dotm
- .dotx
- .xls
- .xlsx
- .xlsm
- .xlsb
- .xlw
- .xlt
- .xlm
- .xlc
- .xltx
- .xltm
- .ppt
- .pptx
- .pptm
- .pot
- .pps
- .ppsm
- .ppsx
- .ppam
- .potx
- .potm
- .pst
- .ost
- .msg
- .eml
- .edb
- .vsd
- .vsdx
- .txt
- .csv
- .rtf
- .123
- .wks
- .wk1
- .pdf
- .dwg
- .onetoc2
- .snt
- .hwp
- .602
- .sxi
- .sti
- .sldx
- .sldm
- .sldm
- .vdi
- .vmdk
- .vmx
- .gpg
- .aes
- .ARC
- .PAQ
- .bz2
- .tbk
- .bak
- .tar
- .tgz
- .gz
- .7z
- .rar
- .zip
- .backup
- .iso
- .vcd
- .jpeg
- .jpg
- .bmp
- .png
- .gif
- .raw
- .cgm
- .tif
- .tiff
- .nef
- .psd
- .ai
- .svg
- .djvu
- .m4u
- .m3u
- .mid
- .wma
- .flv
- .3g2
- .mkv
- .3gp
- .mp4
- .mov
- .avi
- .asf
- .mpeg
- .vob
- .mpg
- .wmv
- .fla
- .swf
- .wav
- .mp3
- .sh
- .class
- .jar
- .java
- .rb
- .asp
- .php
- .jsp
- .brd
- .sch
- .dch
- .dip
- .pl
- .vb
- .vbs
- .ps1
- .bat
- .cmd
- .js
- .asm
- .h
- .pas
- .cpp
- .c
- .cs
- .suo
- .sln
- .ldf
- .mdf
- .ibd
- .myi
- .myd
- .frm
- .odb
- .dbf
- .db
- .mdb
- .accdb
- .sql
- .sqlitedb
- .sqlite3
- .asc
- .lay6
- .lay
- .mml
- .sxm
- .otg
- .odg
- .uop
- .std
- .sxd
- .otp
- .odp
- .wb2
- .slk
- .dif
- .stc
- .sxc
- .ots
- .ods
- .3dm
- .max
- .3ds
- .uot
- .stw
- .sxw
- .ott
- .odt
- .pem
- .p12
- .csr
- .crt
- .key
- .pfx
- .der
What to do to avoid being the next victim?
APPLY MS17-010 NOW if you haven't already!
If you are using unsupported versions of Windows such as XP and Vista, you are in big trouble and should hold a crisis meeting now. This is going to be a very long weekend for a lot of companies around the world.
It has been reported/rumored that the initial attack vector (pre-SMB) is file attachments in emails, so make sure to tell your employees not to open suspicious documents.
Appendix A — Files
PS D:\Analysis\Wannacry\toto> dir
Directory: D:\Analysis\Wannacry\toto
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/12/2017 11:45 PM msg
-a---- 5/11/2017 8:13 PM 1440054 b.wnry
-a---- 5/11/2017 8:11 PM 780 c.wnry
-a---- 5/11/2017 3:59 PM 864 r.wnry
-a---- 5/9/2017 4:58 PM 3038286 s.wnry
------ 5/12/2017 2:22 AM 65816 t.wnry
-a---- 5/12/2017 2:22 AM 20480 taskdl.exe
-a---- 5/12/2017 2:22 AM 20480 taskse.exe
-a---- 5/12/2017 2:22 AM 245760 u.wnry
PS D:\Analysis\Wannacry\toto> dir msg
Directory: D:\Analysis\Wannacry\toto\msg
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 11/20/2010 4:16 AM 47879 m_bulgarian.wnry
-a---- 11/20/2010 4:16 AM 54359 m_chinese (simplified).wnry
-a---- 11/20/2010 4:16 AM 79346 m_chinese (traditional).wnry
-a---- 11/20/2010 4:16 AM 39070 m_croatian.wnry
-a---- 11/20/2010 4:16 AM 40512 m_czech.wnry
-a---- 11/20/2010 4:16 AM 37045 m_danish.wnry
-a---- 11/20/2010 4:16 AM 36987 m_dutch.wnry
-a---- 11/20/2010 4:16 AM 36973 m_english.wnry
-a---- 11/20/2010 4:16 AM 37580 m_filipino.wnry
-a---- 11/20/2010 4:16 AM 38377 m_finnish.wnry
-a---- 11/20/2010 4:16 AM 38437 m_french.wnry
-a---- 11/20/2010 4:16 AM 37181 m_german.wnry
-a---- 11/20/2010 4:16 AM 49044 m_greek.wnry
-a---- 11/20/2010 4:16 AM 37196 m_indonesian.wnry
-a---- 11/20/2010 4:16 AM 36883 m_italian.wnry
-a---- 11/20/2010 4:16 AM 81844 m_japanese.wnry
-a---- 11/20/2010 4:16 AM 91501 m_korean.wnry
-a---- 11/20/2010 4:16 AM 41169 m_latvian.wnry
-a---- 11/20/2010 4:16 AM 37577 m_norwegian.wnry
-a---- 11/20/2010 4:16 AM 39896 m_polish.wnry
-a---- 11/20/2010 4:16 AM 37917 m_portuguese.wnry
-a---- 11/20/2010 4:16 AM 52161 m_romanian.wnry
-a---- 11/20/2010 4:16 AM 47108 m_russian.wnry
-a---- 11/20/2010 4:16 AM 41391 m_slovak.wnry
-a---- 11/20/2010 4:16 AM 37381 m_spanish.wnry
-a---- 11/20/2010 4:16 AM 38483 m_swedish.wnry
-a---- 11/20/2010 4:16 AM 42582 m_turkish.wnry
-a---- 11/20/2010 4:16 AM 93778 m_vietnamese.wnry
Appendix B — Detailed files extracted
VersionInfo : File: D:\Analysis\Wannacry\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
InternalName: diskpart.exe
OriginalFilename: diskpart.exe
FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
FileDescription: DiskPart
Product: Microsoft® Windows® Operating System
ProductVersion: 6.1.7601.17514
Debug: False
Patched: False
PreRelease: False
PrivateBuild: False
SpecialBuild: False
Language: English (United States)
Name : ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
LastWriteTime : 5/12/2017 10:06:10 PM
Length : 3514368
Algorithm : SHA256
MD5 : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
VersionInfo :
Name : msg
LastWriteTime : 5/12/2017 11:45:24 PM
Length : 1
Algorithm :
MD5 :
VersionInfo : File: D:\Analysis\Wannacry\toto\b.wnry
InternalName:
OriginalFilename:
FileVersion:
FileDescription:
Product:
ProductVersion:
Debug: False
Patched: False
PreRelease: False
PrivateBuild: False
SpecialBuild: False
Language:
Name : b.wnry
LastWriteTime : 5/11/2017 8:13:20 PM
Length : 1440054
Algorithm : SHA256
MD5 : D5E0E8694DDC0548D8E6B87C83D50F4AB85C1DEBADB106D6A6A794C3E746F4FA
VersionInfo : File: D:\Analysis\Wannacry\toto\c.wnry
InternalName:
OriginalFilename:
FileVersion:
FileDescription:
Product:
ProductVersion:
Debug: False
Patched: False
PreRelease: False
PrivateBuild: False
SpecialBuild: False
Language:
Name : c.wnry
LastWriteTime : 5/11/2017 8:11:58 PM
Length : 780
Algorithm : SHA256
MD5 : 055C7760512C98C8D51E4427227FE2A7EA3B34EE63178FE78631FA8AA6D15622
VersionInfo : File: D:\Analysis\Wannacry\toto\r.wnry
InternalName:
OriginalFilename:
FileVersion:
FileDescription:
Product:
ProductVersion:
Debug: False
Patched: False
PreRelease: False
PrivateBuild: False
SpecialBuild: False
Language:
Name : r.wnry
LastWriteTime : 5/11/2017 3:59:14 PM
Length : 864
Algorithm : SHA256
MD5 : 402751FA49E0CB68FE052CB3DB87B05E71C1D950984D339940CF6B29409F2A7C
VersionInfo : File: D:\Analysis\Wannacry\toto\s.wnry
InternalName:
OriginalFilename:
FileVersion:
FileDescription:
Product:
ProductVersion:
Debug: False
Patched: False
PreRelease: False
PrivateBuild: False
SpecialBuild: False
Language:
Name : s.wnry
LastWriteTime : 5/9/2017 4:58:44 PM
Length : 3038286
Algorithm : SHA256
MD5 : E18FDD912DFE5B45776E68D578C3AF3547886CF1353D7086C8BEE037436DFF4B
VersionInfo : File: D:\Analysis\Wannacry\toto\t.wnry
InternalName:
OriginalFilename:
FileVersion:
FileDescription:
Product:
ProductVersion:
Debug: False
Patched: False
PreRelease: False
PrivateBuild: False
SpecialBuild: False
Language:
Name : t.wnry
LastWriteTime : 5/12/2017 2:22:56 AM
Length : 65816
Algorithm : SHA256
MD5 : 97EBCE49B14C46BEBC9EC2448D00E1E397123B256E2BE9EBA5140688E7BC0AE6
VersionInfo : File: D:\Analysis\Wannacry\toto\taskdl.exe
InternalName: cliconfg.exe
OriginalFilename: cliconfg.exe
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
FileDescription: SQL Client Configuration Utility EXE
Product: Microsoft® Windows® Operating System
ProductVersion: 6.1.7600.16385
Debug: False
Patched: False
PreRelease: False
PrivateBuild: False
SpecialBuild: False
Language: English (United States)
Name : taskdl.exe
LastWriteTime : 5/12/2017 2:22:56 AM
Length : 20480
Algorithm : SHA256
MD5 : 4A468603FDCB7A2EB5770705898CF9EF37AADE532A7964642ECD705A74794B79
VersionInfo : File: D:\Analysis\Wannacry\toto\taskse.exe
InternalName: waitfor.exe
OriginalFilename: waitfor.exe
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
FileDescription: waitfor - wait/send a signal over a network
Product: Microsoft® Windows® Operating System
ProductVersion: 6.1.7600.16385
Debug: False
Patched: False
PreRelease: False
PrivateBuild: False
SpecialBuild: False
Language: English (United States)
Name : taskse.exe
LastWriteTime : 5/12/2017 2:22:56 AM
Length : 20480
Algorithm : SHA256
MD5 : 2CA2D550E603D74DEDDA03156023135B38DA3630CB014E3D00B1263358C5F00D
VersionInfo : File: D:\Analysis\Wannacry\toto\u.wnry
InternalName: LODCTR.EXE
OriginalFilename: LODCTR.EXE
FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255)
FileDescription: Load PerfMon Counters
Product: Microsoft® Windows® Operating System
ProductVersion: 6.1.7600.16385
Debug: False
Patched: False
PreRelease: False
PrivateBuild: False
SpecialBuild: False
Language: English (United States)
Name : u.wnry
LastWriteTime : 5/12/2017 2:22:56 AM
Length : 245760
Algorithm : SHA256
MD5 : B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
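A pattern worth pulling out of Appendix B: the dropped components carry version resources copied from legitimate Windows binaries (taskdl.exe claims to be cliconfg.exe, taskse.exe claims to be waitfor.exe, u.wnry claims to be LODCTR.EXE) while living on disk under other names. As an added example (not code from the original post), the following parses records in the appendix's "Key : value" layout and flags that mismatch; the records are constructed from the appendix, and the final waitfor.exe record is an invented, legitimate-looking control.

```python
"""Version-resource masquerade check (added example, not from the original post).
Compares the OriginalFilename embedded in a file's version resource with its
on-disk Name, over records in the same layout as the post's Appendix B.
The sample records are constructed; the C:\\Windows one is an invented control.
"""
import re
SAMPLE_RECORDS = """\
VersionInfo : File: D:\\Analysis\\Wannacry\\toto\\taskdl.exe
OriginalFilename: cliconfg.exe
Name : taskdl.exe
VersionInfo : File: D:\\Analysis\\Wannacry\\toto\\u.wnry
OriginalFilename: LODCTR.EXE
Name : u.wnry
VersionInfo : File: D:\\Analysis\\Wannacry\\toto\\b.wnry
OriginalFilename:
Name : b.wnry
VersionInfo : File: C:\\Windows\\System32\\waitfor.exe
OriginalFilename: waitfor.exe
Name : waitfor.exe
"""

FIELD_RE = re.compile(r"^([A-Za-z]+)\s*:\s*(.*)$")


def parse_records(text):
    """One dict per VersionInfo block of the flat "Key : value" dump."""
    records = []
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "VersionInfo":  # starts a new file record
            records.append({})
        if records:
            records[-1][key] = value
    return records


def masquerade_findings(text):
    """(name, original_filename) pairs where the on-disk name differs from the
    version resource (case-insensitive). No version resource: not flagged."""
    findings = []
    for rec in parse_records(text):
        name, orig = rec.get("Name", ""), rec.get("OriginalFilename", "")
        if orig and name.lower() != orig.lower():
            findings.append((name, orig))
    return findings


if __name__ == "__main__":
    for name, orig in masquerade_findings(SAMPLE_RECORDS):
        print(f"{name}: version resource claims to be {orig}")
```

Files with an empty version resource, such as b.wnry, pass this check silently and need a different heuristic (hash or content inspection).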