Koray mq1n

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. It uses the EternalBlue (MS17-010) SMB exploit to propagate.
  • Ransom: between $300 and $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up, the virus exits instead of infecting the host. (source: malwarebytes) This domain has been sinkholed, stopping the spread of the worm. The kill switch will not work if the host's outbound traffic goes through a proxy (source).

update: A minor variant of the viru

DWORD Error, bytesIO;
NTSTATUS Status;
HANDLE hProcessToken = NULL, hNewToken = NULL, hTest;
BOOL bCond = FALSE;
SHELLEXECUTEINFO shinfo;
SID_IDENTIFIER_AUTHORITY MLAuthority = SECURITY_MANDATORY_LABEL_AUTHORITY;
TOKEN_MANDATORY_LABEL tml, *ptml;
PSID pIntegritySid = NULL;
STARTUPINFO si;
PROCESS_INFORMATION pi;
@mq1n
mq1n / callback.c
Created January 12, 2018 09:39 — forked from esoterix/callback.c
void InstrumentationCallback(CONTEXT *context)
{
TEB *teb = NtCurrentTeb();
context->Rip = teb->InstrumentationCallbackPreviousPc;
context->Rsp = teb->InstrumentationCallbackPreviousSp;
context->Rcx = context->R10;
// Prevent recursion
if (!teb->InstrumentationCallbackDisabled) {
mq1n / MumGay.c
Created January 15, 2018 09:56 — forked from waryas/MumGay.c
Use mumble_ol.dll to render on any 3D application.
// OverwolfEmulator.cpp : defines the entry point for the console application.
//
#include "stdafx.h"
#include <Windows.h>
#include <stdint.h>
#define OVERLAY_MAGIC_NUMBER 0x00000005
struct OverlayMsgHeader {
mq1n / DbgHelpWrapper.cpp
Created February 1, 2018 23:30 — forked from HoShiMin/DbgHelpWrapper.cpp
Another simple PDB parser built on DbgHelp, with the ability to download debug symbols
#include "stdafx.h"
#include "DbgHelpWrapper.h"
DbgHelpWrapper::DbgHelpWrapper() {
hProcess = GetCurrentProcess();
}
DbgHelpWrapper::~DbgHelpWrapper() {
DeinitializeDbgHelp();
mq1n / drvhider.c
Created February 15, 2018 11:39 — forked from typcn/drvhider.c
Hide Driver from ARK tools ( win7 -- win10 x64, patchguard safe )
VOID DrvObjHide(_In_ PVOID Context) {
// Wait until the driver is fully loaded
NTSTATUS status = STATUS_SUCCESS;
INT64 interval = 1000 * -10000i64;
status = KeDelayExecutionThread(KernelMode,FALSE,(PLARGE_INTEGER)&interval);
PDRIVER_OBJECT driver_object = (PDRIVER_OBJECT)Context;
tMiProcessLoaderEntry fun = (tMiProcessLoaderEntry)FindMiProcessLoaderEntry();
// MiProcessLoaderEntry will remove your driver from PsLoadedModuleList and from the PatchGuard monitoring context,
// so unlinking it this way won't trigger a BSOD
mq1n / nvidia.cmd
Created February 19, 2018 23:14 — forked from CHEF-KOCH/nvidia.cmd
Remove nVidia 'Bloatware' Batch
rd /s /q Display.Optimus
rd /s /q Display.NView
rd /s /q GFExperience
rd /s /q GFExperience.NvStreamSrv
rd /s /q GfExperienceService
rd /s /q LEDVisualizer
rd /s /q Miracast.VirtualAudio
rd /s /q MS.NET
rd /s /q MSVCRT
rd /s /q Network.Service
mq1n / inject.c
Created April 9, 2018 09:49 — forked from hfiref0x/inject.c
Process Doppelgänging
//
// Ref = src
// https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
//
// Credits:
// Vyacheslav Rusakov @swwwolf
// Tom Bonner @thomas_bonner
//
#include <Windows.h>
mq1n / main.c
Created April 9, 2018 09:53 — forked from hfiref0x/main.c
NtLoadEnclaveData Windows 10 RS3 DSE bypass
// Original source link https://twitter.com/hFireF0X/status/887930221466443776
// If you are here from any other link, know that they just copied the original info without giving any credit to the source
// This bug has been fixed in 16273 public build.
#include "global.h"
HINSTANCE g_hInstance;
HANDLE g_ConOut = NULL;
BOOL g_ConsoleOutput = FALSE;
WCHAR g_BE = 0xFEFF;
mq1n / WoW64_call.cpp
Created April 15, 2018 08:40 — forked from Cr4sh/WoW64_call.cpp
WoW64 Heaven's Gate
#include "stdafx.h"
#define DB(_val_) __asm __emit (_val_)
#define INVALID_SYSCALL (DWORD)(-1)
// code selectors
#define CS_32 0x23
#define CS_64 0x33