@alk2git that's an interesting point, I didn't think about it from that perspective.
is there a reliable map or list of the countries that were hit by wannacry?
@kingex1124 thx
From @tunguyen6 post:
wanakiwi can decrypt WannaCrypted files. It finds prime numbers in RAM, and generates decryption key. Users must not restart their computers, otherwise they cannot get the prime numbers needed. Also this utility should be used ASAP before these numbers are lost.
It is based on wannakey which extracts the prime keys from RAM.
@Toxyl this doesn't seem like a sophisticated attack. ETERNALBLUE and its patch were available but authors tried leveraging the fact that most Windows systems will still be unpatched. This made the attack as effective as using a 0-day. They didn't use spam campaigns for initial vector or to spread further. As mentioned by @alk2git and @robre, the ransomware probably failed at implementing an anti* trick and pivoting mechanism for XP.
Nevertheless, it paid them being quick rather than spending time fixing bugs as the attack relates to NSA, ShadowBrokers and Microsoft.
Does anyone know the sample 7759ef6474c7b1781ed42b1e06dfcf7d2d07cb303610b8a80a48afc7ad838bc2, according to VirusTotal it contains an "audio/mpeg" PE resource.
@7h3rAm the exploits themselves are, but they're not the work of wannacry's authors.
not sure of how much use these payments will be, tho. the btc accounts are now under full scrutiny and no-one will want to have anything to do with them. so far they haven't even withdrawn anything from the version 1.0 account.
Could Lazarus Group be behind it? Interestingly North Korea didn't get any hits on Wcrypt Tracker.
@Toxyl North Korea doesn't have enough computers
@rain-1 if Lazarus Group really operates from N-Korea then there are computers around that can access resources outside. I would bet that the elite does have internet access. Slim infection chances indeed, so this would not prove anything, but it might be an indicator.
What I would find more interesting is to analyze the ransom notes. At least those written in the three languages I can read had a lot of mistakes. Theoretically the ransom note in the language of the authors should be the one that has the fewest grammar mistakes as a Google translation pretty much always adds more grammar mistakes and every now and then a very odd sounding sentence. And the original note could contain slang or regional dialect that might be a give away.
Btw, I've mapped the languages to a world map, taking into account where a language is spoken as native, official or regional language. What struck me is that they cover almost all countries, except for the Arab speaking world. Why do they exclude them?
@Toxyl from what I can tell, all translations were from the English version, using Google Translate almost entirely, except for the Chinese and Japanese. The Japanese looks like it's been fixed up using Google Translate's "Suggest an edit" because there's a difference between translating the full text and only parts of it (one of the differences was a grammatical error, but that's now disappeared). It also translates "bitcoin" as "bitcore" in one case. The Chinese (Simplified) is apparently a fluent translation of the English but with an added sentence, and Chinese (Traditional) is a Google Translation of that. Bulgarian, Croatian and Korean also differ slightly, but I don't know how significant those changes are. It seems likely to me that these people used English as a primary language for developing the malware, but have Chinese and some Japanese knowledge.
Here are the translations, sorted by last edit time https://pastebin.com/1s0WPk2y. Note that Chinese is the last one edited, and has the most revisions. Also note that for Czech and Danish, and then Bulgarian and Croatian, they've gone back and edited them slightly - all others are in alphabetic order.
@marksteward How did you get the edit time and revisions? I had a look at the files, but all have fake dates for creation and modification time.
What's the added sentence in Chinese (Simplified)?
I wonder if we can safely assume that the amount of revisions tells us something about the language proficiency of the authors. So basically every revision 3 is a language translated with Google Translate and not further adjusted, i.e. the author may not be able to read that language. Those with few edits (version4) may be because of obvious mistakes in translation like words that were not translated. Higher revision counts then either had more fixes because of obvious translation errors or because the authors know that language and can correct translation errors properly.
Any info on the .WNCRYT files recovered from ntfsundelete?
They don't seem to be encrypted at all, if this can be a ray of hope for someone else out there.
I need the WannaCry source. I have wannacry.exe 2.0, but I need the source only to learn more.
@xaviergmail Did you look at https://github.com/ElevenPaths/Telefonica-WannaCry-FileRestorer ?
@dangerhacker toxyl.ddns.net/wcry - the results come with the decompiled C source
@Toxyl it's from the metadata in the translation files themselves - they're saved from Microsoft Word, so include various features you wouldn't usually see in an RTF file.
Additionally, now https://threatpost.com/wannacry-ransom-note-written-by-chinese-english-speaking-authors/125906/ is doing the rounds, here's the revision information from two earlier English-only versions, showing how they deliberately set their computer clock back in later versions to obscure the compile time (but without realising it affects this):
{\author Messi}{\operator Messi}{\creatim\yr2017\mo3\dy4\hr13\min33}{\revtim\yr2017\mo3\dy4\hr17\min37}{\version28}{\edmins156}
{\author Messi}{\operator Messi}{\creatim\yr2017\mo3\dy4\hr13\min33}{\revtim\yr2016\mo5\dy11\hr14\min40}{\version30}{\edmins157}
@marksteward awesome, great work, didn't even consider to check that. What pieces of data are edmins156 and edmins157? A Google search only returns results for women's leather gloves which seem to be called edmins in Russian. Is it the number of minutes since the last edit?
Does anyone know where the address 17MAZ6gLmKSARyzwxskDibunkranSomYcr belongs to? I've added it to my list of addresses associated with WanaCry, but I don't remember where I got it from. Unlike the three addresses used by WanaCry this one was created at 2017-05-16 01:50:26, so 4 days after the other accounts (2017-05-12: 13:08:21, 14:43:33 and 16:34:58) and it has this glaringly obvious string DibunkranSomYcr in it.
Yeah, edmins is edit time in minutes; creatim and revtim are creation and revision time.
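Added example, not part of any comment in this thread: a small parser for the RTF info-group fields discussed above (`creatim`, `revtim`, `version`, `edmins`) that flags the clock rollback visible in the two quoted records. The sample strings are the thread's two records with RTF backslashes assumed; the function names are hypothetical.

```python
import re
from datetime import datetime

# The two info groups quoted in the thread, written with RTF backslashes
# (restoring the backslashes is an assumption about the original files).
OLDER = (r"{\author Messi}{\operator Messi}{\creatim\yr2017\mo3\dy4\hr13\min33}"
         r"{\revtim\yr2017\mo3\dy4\hr17\min37}{\version28}{\edmins156}")
NEWER = (r"{\author Messi}{\operator Messi}{\creatim\yr2017\mo3\dy4\hr13\min33}"
         r"{\revtim\yr2016\mo5\dy11\hr14\min40}{\version30}{\edmins157}")

_TEXT = re.compile(r"\{\\(author|operator) ([^{}]*)\}")
_NUM = re.compile(r"\{\\(version|edmins)(\d+)\}")
_TIME = re.compile(r"\{\\(creatim|revtim)((?:\\(?:yr|mo|dy|hr|min|sec)\d+)+)\}")
_PART = re.compile(r"\\(yr|mo|dy|hr|min|sec)(\d+)")


def parse_info(rtf):
    """Return author/operator, version, edmins and both timestamps from RTF text."""
    info = dict(_TEXT.findall(rtf))
    info.update((key, int(num)) for key, num in _NUM.findall(rtf))
    for key, body in _TIME.findall(rtf):
        p = {name: int(num) for name, num in _PART.findall(body)}
        info[key] = datetime(p["yr"], p["mo"], p["dy"],
                             p.get("hr", 0), p.get("min", 0), p.get("sec", 0))
    return info


def clock_findings(older, newer):
    """Flag timestamps that contradict the revision counters Word maintains."""
    findings = []
    for label, info in (("older", older), ("newer", newer)):
        if info["revtim"] < info["creatim"]:
            findings.append(f"{label}: revtim precedes creatim")
    if newer["version"] > older["version"] and newer["revtim"] < older["revtim"]:
        findings.append("revision count rose while revtim moved backwards")
    if newer["edmins"] > older["edmins"] and newer["revtim"] < older["revtim"]:
        findings.append("editing minutes rose while revtim moved backwards")
    return findings


if __name__ == "__main__":
    for line in clock_findings(parse_info(OLDER), parse_info(NEWER)):
        print(line)
```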
Another cover of the story saying Chinese is original rather than English https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/
How fast is the wannacrypt0r with all files like (200-250mb)? Did someone try it on virtual machine or real?
@phantomxe: fast. Didn't record or count it but infected a VM and it encrypted really fast. The decryption tool was also locked in no time. But needed to repartition and reinstall my laptop so don't have the VM anymore. But if you are interested I could infect it again and make a video to show the speed (won't be today, more likely Wednesday or something)?
@booy92 yes, it'd be good for me. 25 files get 200-250mb and 2-3 files get 1gb. Could you take a video with system specs and cpu disk monitoring?
I want to analyze the malware WannaCry, Petya, and Locky, but where can I get these three malware samples to analyze? Can you guys tell me?
Toxyl, 0x7E is a windows error or an operating system
#Learn
C2 for WannaCry is down?
@rain-1
I finally got some samples of .wncyr files. By checking key length, looks like the AES-128 is ciphered as with .wncry files. So I was wondering which RSA pair is used for ciphering demo files.