Skip to content

Instantly share code, notes, and snippets.

@rain-1
Forked from Epivalent/Wannacrypt0r-FACTSHEET.md
Last active March 10, 2024 11:03
Star You must be signed in to star a gist
Save rain-1/989428fa5504f378b993ee6efbc0b168 to your computer and use it in GitHub Desktop.

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the virus has been found, it looks to have had the killswitch hexedited out. Not done by recompile so probably not done by the original malware author. On the other hand that is the only change: the encryption keys are the same, the bitcoin addresses are the same. On the other hand it is corrupt so the ransomware aspect of it doesn't work - it only propagates.

SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Microsoft first patch for XP since 2014: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/ https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

Exploit details: https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html

Vulnerable/Not Vulnerable

To be infected requires the SMB port (445) to be open, or the machine already infected with DOUBLEPULSAR (and killswitch not registered or somehow blocked, or the network accessing it through a proxy).

The MS17-010 patch fixes the vulnerability.

  • Windows XP: Doesn't spread. If run manually, can encrypt files.
  • Windows 7,8,2008: can spread unpatched, can encrypt files.
  • Windows 10: Doesn't spread. Even though Windows 10 does have the faulty SMB driver.
  • Linux: Doesn't spread. If run manually with wine, can encrypt files.

Infections

Informative Tweets

Cryptography details

  • Each infection generates a new RSA-2048 keypair.
  • The public key is exported as blob and saved to 00000000.pky
  • The private key is encrypted with the ransomware public key and saved as 00000000.eky
  • Each file is encrypted using AES-128-CBC, with a unique AES key per file.
  • Each AES key is generated CryptGenRandom.
  • The AES key is encrypted using the infection specific RSA keypair.

The RSA public key used to encrypt the infection specific RSA private key is embedded inside the DLL and owned by the ransomware authors.

https://pastebin.com/aaW2Rfb6 even more in depth RE information by cyg_x1!!

Bitcoin ransom addresses

3 addresses hard coded into the malware.

C&C centers

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

Languages

All language ransom messages available here: https://transfer.sh/y6qco/WANNACRYDECRYPTOR-Ransomware-Messages-all-langs.zip

m_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czech, m_danish, m_dutch, m_english, m_filipino, m_finnish, m_french, m_german, m_greek, m_indonesian, m_italian, m_japanese, m_korean, m_latvian, m_norwegian, m_polish, m_portuguese, m_romanian, m_russian, m_slovak, m_spanish, m_swedish, m_turkish, m_vietnamese

File types

There are a number of files and folders wannacrypt will avoid. Some because it's entirely pointless and others because it might destabilize the system. During scans, it will search the path for the following strings and skip over if present:

  • "Content.IE5"
  • "Temporary Internet Files"
  • " This folder protects against ransomware. Modifying it will reduce protection"
  • "\Local Settings\Temp"
  • "\AppData\Local\Temp"
  • "\Program Files (x86)"
  • "\Program Files"
  • "\WINDOWS"
  • "\ProgramData"
  • "\Intel"
  • "$"

The filetypes it looks for to encrypt are:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

credit herulume, thanks for extracting this list from the binary.

more details came from https://pastebin.com/xZKU7Ph1 thanks to cyg_x11

Some other interesting strings

credit: nulldot https://pastebin.com/0LrH05y2

Encrypted file format

typedef struct _wc_file_t {
    char     sig[WC_SIG_LEN]     // 64 bit signature WANACRY!
    uint32_t keylen;             // length of encrypted key
    uint8_t  key[WC_ENCKEY_LEN]; // AES key encrypted with RSA
    uint32_t unknown;            // usually 3 or 4, unknown
    uint64_t datalen;            // length of file before encryption, obtained from GetFileSizeEx
    uint8_t *data;               // Ciphertext Encrypted data using AES-128 in CBC mode
} wc_file_t;

credit for reversing this file format info: cyg_x11.

Vulnerability disclosure

The specific vulnerability that it uses to propagate is ETERNALBLUE.

This was developed by "equation group" an exploit developer group associated with the NSA and leaked to the public by "the shadow brokers". Microsoft fixed this vulnerability March 14, 2017. They were not 0 days at the time of release.

@toxyl
Copy link

toxyl commented May 19, 2017

@alk2git that's an interesting point, I didn't think about it from that perspective.

@toxyl
Copy link

toxyl commented May 19, 2017

is there a reliable map or list of the countries that were hit by wannacry?

@toxyl
Copy link

toxyl commented May 19, 2017

@sickick
Copy link

sickick commented May 19, 2017

From @Tunguyen6 post:
wanakiwi can decrypt WannaCrypted files. It finds prime numbers in RAM, and generates decryption key. Users must not restart their computers, otherwise they cannot get the prime numbers needed. Also this utility should be used ASAP before these numbers are lost.

It is based on wannakey which extracts the prime keys from RAM.

@7h3rAm
Copy link

7h3rAm commented May 19, 2017

@toxyl this doesn't seem like a sophisticated attack. ETERNALBLUE and its patch were available but authors tried leveraging the fact that most Windows systems will still be unpatched. This made the attack as effective as using a 0-day. They didn't use spam campaigns for initial vector or to spread further. As mentioned by @alk2git and @robre, the rasnsomware probably failed at implementing an anti* trick and pivoting mechanism for XP.

Nevertheless, it paid them being quick rather than spending time fixing bugs as the attack relates to NSA, ShadowBrokers and Microsoft.

@toxyl
Copy link

toxyl commented May 19, 2017

Does anyone know the sample 7759ef6474c7b1781ed42b1e06dfcf7d2d07cb303610b8a80a48afc7ad838bc2, according to VirusTotal it contains an "audio/mpeg" PE resource.

@toxyl
Copy link

toxyl commented May 20, 2017

@7h3rAm the exploits themselves are, but they're not the work of wannacry's authors.

not sure of how much use these payments will be, tho. the btc accounts are now under full scrutiny and no-one will want to have anything to do with them. so far they haven't even withdrawn anything from the version 1.0 account.

@toxyl
Copy link

toxyl commented May 20, 2017

Could Lazarus Group be behind it? Interestingly North Korea didn't get any hits on Wcrypt Tracker.

@rain-1
Copy link
Author

rain-1 commented May 20, 2017

@toxyl North Korea doesn't have enough computer

@toxyl
Copy link

toxyl commented May 20, 2017

@rain-1 if Lazarus Group really operates from N-Korea then there are computers around that can access resources outside. I would bet that the elite does have internet access. Slim infection chances indeed, so this would not prove anything, but it might be an indicator.

What I would find more interesting is to analyze the ransom notes. At least those written in the three languages I can read had a lot of mistakes. Theoretically the ransom note in the language of the authors should be the one that has the fewest grammar mistakes as a Google translation pretty much always adds more grammar mistakes and every now and then a very odd sounding sentence. And the original note could contain slang or regional dialect that might be a give away.

Btw, I've mapped the languages to a world map, taking into account where a language is spoken as native, official or regional language. What struck me is that they cover almost all countries, except for the Arab speaking world. Why do they exclude them?

@marksteward
Copy link

marksteward commented May 20, 2017

@toxyl from what I can tell, all translations were from the English version, using Google Translate almost entirely, except for the Chinese and Japanese. The Japanese looks like it's been fixed up using Google Translate's "Suggest an edit" because there's a difference between translating the full text and only parts of it (one of the differences was a grammatical error, but that's now disappeared). It also translates "bitcoin" as "bitcore" in one case. The Chinese (Simplified) is apparently a fluent translation of the English but with an added sentence, and Chinese (Traditional) is a Google Translation of that. Bulgarian, Croatian and Korean also differ slightly, but I don't know how significant those changes are. It seems likely to me that these people used English as a primary language for developing the malware, but have Chinese and some Japanese knowledge.

Here are the translations, sorted by last edit time https://pastebin.com/1s0WPk2y. Note that Chinese is the last one edited, and has the most revisions. Also note that for Czech and Danish, and then Bulgarian and Croatian, they've gone back and edited them slightly - all others are in alphabetic order.

@toxyl
Copy link

toxyl commented May 22, 2017

@marksteward How did you get the edit time and revisions? I had a look at the files, but all have fake dates for creation and modification time.
What's the added sentence in Chinese (Simplified)?
I wonder if we can safely assume that the amount of revisions tells us something about the language proficiency of the authors. So basically every revision 3 is a language translated with Google Translate and not further adjusted, i.e. the author may not be able to read that language. Those with few edits (version4) may be because of obvious mistakes in translation like words that were not translated. Higher revision counts then either had more fixes because of obvious translation errors or because the authors know that language and can correct translation errors properly.

@xaviergmail
Copy link

Any info on the .WNCRYT files recovered from ntfsundelete?
They don't seem to be encrypted at all, if this can be a ray of hope for someone else out there.

@dangerhacker
Copy link

iam need source wanaacry iam have wannacry.exe 2.0 but iam need source only to learn more

@efialtes
Copy link

@toxyl
Copy link

toxyl commented May 24, 2017

@dangerhacker toxyl.ddns.net/wcry - the results come with the decompiled C source

@marksteward
Copy link

marksteward commented May 25, 2017

@toxyl it's from the metadata in the translation files themselves - they're saved from Microsoft Word, so include various features you wouldn't usually see in an RTF file.

Additionally, now https://threatpost.com/wannacry-ransom-note-written-by-chinese-english-speaking-authors/125906/ is doing the rounds, here's the revision information from two earlier English-only versions, showing how they deliberately set their computer clock back in later versions to obscure the compile time (but without realising it affects this):

{ author Messi}{ operator Messi}{ creatim yr2017 mo3 dy4 hr13 min33}{ revtim yr2017 mo3 dy4 hr17 min37}{ version28}{ edmins156}
{ author Messi}{ operator Messi}{ creatim yr2017 mo3 dy4 hr13 min33}{ revtim yr2016 mo5 dy11 hr14 min40}{ version30}{ edmins157}

@toxyl
Copy link

toxyl commented May 29, 2017

@marksteward awesome, great work, didn't even consider to check that. What pieces of data are edmins156 and edmins157? A Google search only returns results for women's leather gloves which seem to be called edmins in Russian. Is it the number of minutes since the last edit?

@toxyl
Copy link

toxyl commented May 29, 2017

Does anyone know where the address 17MAZ6gLmKSARyzwxskDibunkranSomYcr belongs to? I've added it to my list of addresses associated with WanaCry, but I don't remember where I got it from. Unlike the three addresses used by WanaCry this one was created at 2017-05-16 01:50:26, so 4 days after the other accounts (2017-05-12: 13:08:21, 14:43:33 and 16:34:58) and it has this glaringly obvious string DibunkranSomYcr in it.

@marksteward
Copy link

Yeah, edmins is edit time in minutes; creatim and revtim are creation and revision time.

Another cover of the story saying Chinese is original rather than English https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/

@phantomxe
Copy link

How fast is the wannacrypt0r with all files like (200-250mb)? Did someone try it on virtual machine or real?

@booy92
Copy link

booy92 commented Jun 10, 2017

@phantomxe: fast. Didn't record or count it but infected a VM and it encrypted really fast. The decryption tool was also locked in no time. But needed to repartition and reinstall my laptop so don't have the VM anymore. But if you are interested I could infect it again and make a video to show the speed(won't be today, more likely wednesday or something)?

@phantomxe
Copy link

@booy92 yes, it's be good for me. 25 files get 200-250mb and 2-3 files get 1gb. Could you take a video with system specs and cpu disk monitoring?

@HazkArt
Copy link

HazkArt commented Aug 14, 2017

I want to analyze malware wannacry, petya, and locky but from where I can these three malware to be analyzed? Can you guys tell me ??

Sent from my OPPO F1f using FastHub

@FiecyLick
Copy link

FiecyLick commented Oct 29, 2017

Toxyl, 0x7E is a windows error or an operating system
#Learn

@jettsetq
Copy link

C2 for WannaCry is down?

@erickdi
Copy link

erickdi commented Jan 14, 2019

So a broken version of wannacry.

accelerator_get_status was renamed to opcache_get_status
Luxe Calendar

@Msha3ry2522
Copy link

Msha3ry2522 commented Oct 17, 2023

A beautiful presentation. Thank you for what you wrote. I am also happy to share with you the site شرح and I am a follower of the sites you have added.. Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment