Revisions

  1. rain-1 revised this gist May 23, 2017. 1 changed file with 1 addition and 14 deletions.
    @@ -58,22 +58,9 @@ The MS17-010 patch fixes the vulnerability.
    * US radiology equipment https://twitter.com/Forbes/status/864850749225934852
    * More at https://en.wikipedia.org/wiki/WannaCry_cyber_attack#List_of_affected_organizations they seem to be cataloguing the infections faster/better.

    # Malware samples

    * hxxps://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
    * hxxps://transfer.sh/PnDIl/CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE
    * hxxps://transfer.sh/ZhnxR/CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.EXE (main dll)

    Binary blob in PE crypted with pass 'WNcry@2ol7', credits to ens!

    * parents https://pastebin.com/quvVH5hS (all known variants of the Wcry launcher containing eternalblue)
    * children https://pastebin.com/A2pxw49F (all variants of Wcry, the actual ransomware, being currently observed in the wild)

    essentially the full known catalogue of samples. credit to errantbot and @codexgigassys

    # Informative Tweets

    * Sample released by ens: https://twitter.com/the_ens/status/863055007842750465
    * Sample released by ens (thank you ens!): https://twitter.com/the_ens/status/863055007842750465
    * Onion C&Cs extracted: https://twitter.com/the_ens/status/863069021398339584
    * EternalBlue confirmed: https://twitter.com/kafeine/status/863049739583016960
    * Shell commands: https://twitter.com/laurilove/status/863065599919915010
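Review bot: the sample download links are defanged (hxxps) but the pastebin catalogues of "parents" and "children" samples two bullets later are live links; defang anything that leads to a sample so readers cannot click through by accident. The transfer.sh links are also temporary uploads, so the hybrid-analysis entry (keyed by the sha256 in the URL) is the only durable reference here and should be marked as such.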
  2. rain-1 revised this gist May 20, 2017. 1 changed file with 1 addition and 0 deletions.
    @@ -94,6 +94,7 @@ essentially the full known catalogue of samples. credit to errantbot and @codexg
    * keys in pem format: https://twitter.com/e55db081d05f58a/status/863109716456747008
    * neel points out a similarity with another virus https://twitter.com/neelmehta/status/864164081116225536
    * shadowbrokers talk about responsible disclosure https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition
    * another factsheet https://www.secureworks.com/research/wcry-ransomware-analysis

    # Cryptography details

  3. rain-1 revised this gist May 19, 2017. 1 changed file with 11 additions and 0 deletions.
    @@ -16,6 +16,17 @@ Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-wor

    Exploit details: https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html

    # Vulnerable/Not Vulnerable

    To be infected requires the SMB port (445) to be open, or the machine already infected with DOUBLEPULSAR (and killswitch not registered or somehow blocked, or the network accessing it through a proxy).

    The MS17-010 patch fixes the vulnerability.

    * Windows XP: Doesn't spread. If run manually, can encrypt files.
    * Windows 7,8,2008: can spread unpatched, can encrypt files.
    * Windows 10: Doesn't spread. Even though Windows 10 [does have the faulty SMB driver](http://www.infoworld.com/article/3196825/microsoft-windows/how-to-make-sure-your-windows-pc-wont-get-hit-by-ransomware-like-wannacrypt.html).
    * Linux: Doesn't spread. If run manually with wine, can encrypt files.

    # Infections

    * NHS (uk) turning away patients, unable to perform x-rays. ([list of affected hospitals](http://news.sky.com/story/nhs-cyberattack-full-list-of-organisations-affected-so-far-10874493))
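Review bot: the Windows 10 bullet is a sentence fragment ("Doesn't spread. Even though Windows 10 does have the faulty SMB driver"); join it as "Doesn't spread, even though Windows 10 does have the faulty SMB driver", and the Windows 7/8/2008 bullet should read "can spread if unpatched" so it lines up with "The MS17-010 patch fixes the vulnerability" two lines above. The opening sentence's parenthetical is hard to parse; split it into two conditions: infection needs port 445 reachable (or an existing DOUBLEPULSAR implant), and the worm only proceeds when the killswitch domain cannot be reached (not registered, blocked, or only reachable through a proxy).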
  4. rain-1 revised this gist May 19, 2017. 1 changed file with 2 additions and 0 deletions.
    @@ -14,6 +14,8 @@ Microsoft first patch for XP since 2014: https://blogs.technet.microsoft.com/msr

    Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/ https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

    Exploit details: https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html

    # Infections

    * NHS (uk) turning away patients, unable to perform x-rays. ([list of affected hospitals](http://news.sky.com/story/nhs-cyberattack-full-list-of-organisations-affected-so-far-10874493))
  5. rain-1 revised this gist May 18, 2017. 1 changed file with 3 additions and 3 deletions.
    @@ -148,9 +148,9 @@ more details came from https://pastebin.com/xZKU7Ph1 thanks to cyg_x11

    # Some other interesting strings

    BAYEGANSRV\administrator
    Smile465666SA
    wanna18@hotmail.com
    * BAYEGANSRV\administrator
    * Smile465666SA
    * wanna18@hotmail.com

    credit: nulldot https://pastebin.com/0LrH05y2
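Review bot: the three strings are listed without saying what they are or where they were found; label each one (a host\account pair, a password-looking string, an email address) and cite the nulldot paste or the location in the binary for each, so readers can use them as detection strings rather than guess at their role.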

  6. rain-1 revised this gist May 17, 2017. 1 changed file with 1 addition and 0 deletions.
    @@ -42,6 +42,7 @@ Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-wor
    * norwegian soccer team ticket sales https://www.nrk.no/telemark/eliteserieklubber-rammet-av-internasjonalt-dataangrep-1.13515245
    * STC telecom ([saudia arabia](https://twitter.com/iPhone_Supp/status/863735059819442177), [more](https://twitter.com/mhooh300/status/863734116142985216), [more](https://twitter.com/bynfck/status/863734011188854784))
    * [All ATMs in india closed](http://newsable.asianetnews.tv/india/over-2-lakh-atms-in-the-country-to-remain-closed-to-deal-with-cyberattack)
    * US radiology equipment https://twitter.com/Forbes/status/864850749225934852
    * More at https://en.wikipedia.org/wiki/WannaCry_cyber_attack#List_of_affected_organizations they seem to be cataloguing the infections faster/better.

    # Malware samples
  7. rain-1 revised this gist May 16, 2017. 1 changed file with 1 addition and 1 deletion.
    @@ -27,7 +27,7 @@ Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-wor
    * Russian Railroads (RZD) https://twitter.com/vassgatov/status/863175723846176768
    * [Portugal Telecom](http://imgur.com/a/rR3b9)
    * Сбербанк - Sberbank Russia ([russia](https://twitter.com/discojournalist/status/863162464304865280))
    * Shaheen Airlines (india, [claimed on twitter](https://twitter.com/Beyhooda/status/863161471987068930))
    * Shaheen Airlines (pakistan, [claimed on twitter](https://twitter.com/Beyhooda/status/863161471987068930))
    * Train station in frankfurt ([germany](https://twitter.com/Nick_Lange_/status/863132237822394369))
    * Neustadt station ([germany](https://twitter.com/MedecineLibre/status/863139139138531328))
    * the entire network of German Rail seems to be affected ([@farbenstau](https://twitter.com/farbenstau/status/863166384834064384))
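Review bot: the country change to "pakistan" is the right fix, but the entry still cites only a single tweet that the bullet itself calls a claim; keep the "claimed on twitter" wording so this stays distinguishable from the entries backed by press reports.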
  8. rain-1 revised this gist May 16, 2017. 1 changed file with 1 addition and 1 deletion.
    @@ -27,7 +27,7 @@ Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-wor
    * Russian Railroads (RZD) https://twitter.com/vassgatov/status/863175723846176768
    * [Portugal Telecom](http://imgur.com/a/rR3b9)
    * Сбербанк - Sberbank Russia ([russia](https://twitter.com/discojournalist/status/863162464304865280))
    * Shaheen Airlines (india, [https://twitter.com/Beyhooda/status/863161471987068930](claimed on twitter))
    * Shaheen Airlines (india, [claimed on twitter](https://twitter.com/Beyhooda/status/863161471987068930))
    * Train station in frankfurt ([germany](https://twitter.com/Nick_Lange_/status/863132237822394369))
    * Neustadt station ([germany](https://twitter.com/MedecineLibre/status/863139139138531328))
    * the entire network of German Rail seems to be affected ([@farbenstau](https://twitter.com/farbenstau/status/863166384834064384))
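Review bot: the link is now well-formed, but the country is still "india" on both lines; the May 16 revision above changes it to "pakistan", and that correction belongs with this fix since nothing else on the line changes.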
  9. rain-1 revised this gist May 16, 2017. 1 changed file with 1 addition and 1 deletion.
    @@ -27,7 +27,7 @@ Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-wor
    * Russian Railroads (RZD) https://twitter.com/vassgatov/status/863175723846176768
    * [Portugal Telecom](http://imgur.com/a/rR3b9)
    * Сбербанк - Sberbank Russia ([russia](https://twitter.com/discojournalist/status/863162464304865280))
    * Shaheen Airlines (india, claimed on twitter)
    * Shaheen Airlines (india, [https://twitter.com/Beyhooda/status/863161471987068930](claimed on twitter))
    * Train station in frankfurt ([germany](https://twitter.com/Nick_Lange_/status/863132237822394369))
    * Neustadt station ([germany](https://twitter.com/MedecineLibre/status/863139139138531328))
    * the entire network of German Rail seems to be affected ([@farbenstau](https://twitter.com/farbenstau/status/863166384834064384))
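Review bot: the markdown link on the Shaheen Airlines line is inverted: `[https://twitter.com/Beyhooda/status/863161471987068930](claimed on twitter)` puts the URL in the link text and "claimed on twitter" as the target, which renders as a broken link. It should be `[claimed on twitter](https://twitter.com/Beyhooda/status/863161471987068930)`, matching the other entries in the list.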
  10. rain-1 revised this gist May 16, 2017. 1 changed file with 1 addition and 0 deletions.
    @@ -79,6 +79,7 @@ essentially the full known catalogue of samples. credit to errantbot and @codexg
    * Track the bitcoins: https://twitter.com/bl4sty/status/863143484919828481
    * keys in pem format: https://twitter.com/e55db081d05f58a/status/863109716456747008
    * neel points out a similarity with another virus https://twitter.com/neelmehta/status/864164081116225536
    * shadowbrokers talk about responsible disclosure https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition

    # Cryptography details

  11. rain-1 revised this gist May 16, 2017. 1 changed file with 1 addition and 0 deletions.
    @@ -78,6 +78,7 @@ essentially the full known catalogue of samples. credit to errantbot and @codexg
    * Claim of attrib [take with salt]: https://twitter.com/0xSpamTech/status/863058605473509378
    * Track the bitcoins: https://twitter.com/bl4sty/status/863143484919828481
    * keys in pem format: https://twitter.com/e55db081d05f58a/status/863109716456747008
    * neel points out a similarity with another virus https://twitter.com/neelmehta/status/864164081116225536

    # Cryptography details

  12. rain-1 revised this gist May 15, 2017. 1 changed file with 1 addition and 0 deletions.
    @@ -41,6 +41,7 @@ Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-wor
    * ATMs in china https://twitter.com/95cnsec/status/863382193615159296
    * norwegian soccer team ticket sales https://www.nrk.no/telemark/eliteserieklubber-rammet-av-internasjonalt-dataangrep-1.13515245
    * STC telecom ([saudia arabia](https://twitter.com/iPhone_Supp/status/863735059819442177), [more](https://twitter.com/mhooh300/status/863734116142985216), [more](https://twitter.com/bynfck/status/863734011188854784))
    * [All ATMs in india closed](http://newsable.asianetnews.tv/india/over-2-lakh-atms-in-the-country-to-remain-closed-to-deal-with-cyberattack)
    * More at https://en.wikipedia.org/wiki/WannaCry_cyber_attack#List_of_affected_organizations they seem to be cataloguing the infections faster/better.

    # Malware samples
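Review bot: the bullet text "All ATMs in india closed" overstates the linked headline, whose slug reads "over-2-lakh-atms-in-the-country-to-remain-closed"; say "over 2 lakh (200,000) ATMs in India closed" so the entry matches its source.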
  13. rain-1 revised this gist May 15, 2017. 1 changed file with 1 addition and 1 deletion.
    @@ -21,7 +21,7 @@ Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-wor
    * Telefonica (spain) (https://twitter.com/SkyNews/status/863044193727389696)
    * power firm Iberdrola and Gas Natural ([spain](http://www.bbc.co.uk/news/technology-39901382))
    * FedEx (us) (https://twitter.com/jeancreed1/status/863089728253505539)
    * University of Waterloo ([us](https://twitter.com/amtinits))
    * University of Waterloo ([ontario canada](https://twitter.com/amtinits))
    * Russia interior ministry & Megafon (russia) https://twitter.com/dabazdyrev/status/863034199460261890/photo/1
    * VTB (russian bank) https://twitter.com/vassgatov/status/863175506790952962
    * Russian Railroads (RZD) https://twitter.com/vassgatov/status/863175723846176768
  14. rain-1 revised this gist May 15, 2017. 1 changed file with 1 addition and 1 deletion.
    @@ -83,7 +83,7 @@ essentially the full known catalogue of samples. credit to errantbot and @codexg
    * Each infection generates a new RSA-2048 keypair.
    * The public key is exported as blob and saved to 00000000.pky
    * The private key is encrypted with the ransomware public key and saved as 00000000.eky
    * Each file is encrypted using AES-128-ECB, with a unique AES key per file.
    * Each file is encrypted using AES-128-CBC, with a unique AES key per file.
    * Each AES key is generated CryptGenRandom.
    * The AES key is encrypted using the infection specific RSA keypair.
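Review bot: reverting to AES-128-CBC brings this bullet back in line with the "Encrypted file format" struct comment ("AES-128 in CBC mode") elsewhere in the document; since the line has now flipped twice, cite the source for CBC in the bullet itself. Separately, "Each AES key is generated CryptGenRandom" is missing a word: "generated with CryptGenRandom".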

  15. rain-1 revised this gist May 15, 2017. 1 changed file with 1 addition and 1 deletion.
    @@ -83,7 +83,7 @@ essentially the full known catalogue of samples. credit to errantbot and @codexg
    * Each infection generates a new RSA-2048 keypair.
    * The public key is exported as blob and saved to 00000000.pky
    * The private key is encrypted with the ransomware public key and saved as 00000000.eky
    * Each file is encrypted using AES-128-CBC, with a unique AES key per file.
    * Each file is encrypted using AES-128-ECB, with a unique AES key per file.
    * Each AES key is generated CryptGenRandom.
    * The AES key is encrypted using the infection specific RSA keypair.
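Review bot: this change makes the cryptography bullet say AES-128-ECB while the "Encrypted file format" section in the same document describes "custom AES-128 in CBC mode"; the two should agree, and whichever mode is kept should cite where it was confirmed.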

  16. rain-1 revised this gist May 15, 2017. 1 changed file with 9 additions and 7 deletions.
    @@ -153,15 +153,17 @@ credit: nulldot https://pastebin.com/0LrH05y2
    # Encrypted file format

    ```
    <64-bit SIGNATURE> - WANACRY!
    <length of encrypted key> - 256 for 2048-bit keys, cannot exceed 4096-bits
    <encrypted key> - 256 bytes if keys are 2048-bits
    <32-bit value> - unknown
    <64 bit file size> - return by GetFileSizeEx
    <encrypted data> - with custom AES-128 in CBC mode
    typedef struct _wc_file_t {
    char sig[WC_SIG_LEN] // 64 bit signature WANACRY!
    uint32_t keylen; // length of encrypted key
    uint8_t key[WC_ENCKEY_LEN]; // AES key encrypted with RSA
    uint32_t unknown; // usually 3 or 4, unknown
    uint64_t datalen; // length of file before encryption, obtained from GetFileSizeEx
    uint8_t *data; // Ciphertext Encrypted data using AES-128 in CBC mode
    } wc_file_t;
    ```

    credit for reversing this file format info: cyg_x11
    credit for reversing this file format info: cyg_x11.

    # Vulnerability disclosure
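Review bot: `char sig[WC_SIG_LEN]` is missing its terminating semicolon, and `WC_SIG_LEN` / `WC_ENCKEY_LEN` are never defined; the description above gives them as 8 bytes ("WANACRY!") and 256 bytes for a 2048-bit key, so either add `#define WC_SIG_LEN 8` and `#define WC_ENCKEY_LEN 256` or state that `keylen` is the authoritative length (the prose caps it at 4096-bit keys, i.e. 512 bytes). `uint8_t *data` is a pointer and cannot describe an on-disk layout; mark it as the ciphertext that follows the header to end of file, and note that `datalen` is the plaintext length (GetFileSizeEx before encryption), not the ciphertext length.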

  17. rain-1 revised this gist May 14, 2017. 1 changed file with 2 additions and 0 deletions.
    @@ -6,6 +6,8 @@
    * **Backdooring**: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
    * **Kill switch**: If the website `www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com` is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied ([source](https://blog.didierstevens.com/2017/05/13/quickpost-wcry-killswitch-check-is-not-proxy-aware/)).

    *update*: A minor variant of the virus has been found, it looks to have had the killswitch hexedited out. Not done by recompile so probably not done by the original malware author. On the other hand that is the only change: the encryption keys are the same, the bitcoin addresses are the same. On the other hand it is corrupt so the ransomware aspect of it doesn't work - it only propagates.

    SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

    Microsoft first patch for XP since 2014: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
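Review bot: the "update" paragraph uses "On the other hand" twice in a row; the second should be "However" (or dropped), and "it is corrupt so the ransomware aspect of it doesn't work" should say what is corrupt so a reader knows whether the variant can still encrypt if repaired. "hexedited" also reads better as "hex-edited".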
  18. rain-1 revised this gist May 14, 2017. 1 changed file with 0 additions and 1 deletion.
    @@ -39,7 +39,6 @@ Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-wor
    * ATMs in china https://twitter.com/95cnsec/status/863382193615159296
    * norwegian soccer team ticket sales https://www.nrk.no/telemark/eliteserieklubber-rammet-av-internasjonalt-dataangrep-1.13515245
    * STC telecom ([saudia arabia](https://twitter.com/iPhone_Supp/status/863735059819442177), [more](https://twitter.com/mhooh300/status/863734116142985216), [more](https://twitter.com/bynfck/status/863734011188854784))

    * More at https://en.wikipedia.org/wiki/WannaCry_cyber_attack#List_of_affected_organizations they seem to be cataloguing the infections faster/better.

    # Malware samples
  19. rain-1 revised this gist May 14, 2017. 1 changed file with 2 additions and 0 deletions.
    @@ -40,6 +40,8 @@ Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-wor
    * norwegian soccer team ticket sales https://www.nrk.no/telemark/eliteserieklubber-rammet-av-internasjonalt-dataangrep-1.13515245
    * STC telecom ([saudia arabia](https://twitter.com/iPhone_Supp/status/863735059819442177), [more](https://twitter.com/mhooh300/status/863734116142985216), [more](https://twitter.com/bynfck/status/863734011188854784))

    * More at https://en.wikipedia.org/wiki/WannaCry_cyber_attack#List_of_affected_organizations they seem to be cataloguing the infections faster/better.

    # Malware samples

    * hxxps://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
  20. rain-1 revised this gist May 14, 2017. 1 changed file with 1 addition and 1 deletion.
    @@ -4,7 +4,7 @@
    * **Vector**: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
    * **Ransom**: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
    * **Backdooring**: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
    * **Kill switch**: If the website `www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com` is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm.
    * **Kill switch**: If the website `www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com` is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied ([source](https://blog.didierstevens.com/2017/05/13/quickpost-wcry-killswitch-check-is-not-proxy-aware/)).

    SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
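Review bot: "Will not work if proxied" is ambiguous about what fails; per the linked post's title the killswitch check is not proxy-aware, so on hosts that reach the internet only through a proxy the check fails and the worm proceeds as if the domain were down. Suggest: "The check is not proxy-aware, so hosts behind a web proxy are not protected by the sinkhole." The Vector bullet also writes "MS-17-010" and "MS17-010" in the same sentence; use the bulletin's form, MS17-010.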

  21. rain-1 revised this gist May 14, 2017. 1 changed file with 1 addition and 1 deletion.
    @@ -38,7 +38,7 @@ Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-wor
    * A mall in singapore https://twitter.com/nkl0x55/status/863340271391580161
    * ATMs in china https://twitter.com/95cnsec/status/863382193615159296
    * norwegian soccer team ticket sales https://www.nrk.no/telemark/eliteserieklubber-rammet-av-internasjonalt-dataangrep-1.13515245
    * STC telecom ([saudia arabia](https://twitter.com/iPhone_Supp/status/863735059819442177), [more](https://twitter.com/mhooh300/status/863734116142985216))
    * STC telecom ([saudia arabia](https://twitter.com/iPhone_Supp/status/863735059819442177), [more](https://twitter.com/mhooh300/status/863734116142985216), [more](https://twitter.com/bynfck/status/863734011188854784))

    # Malware samples

  22. rain-1 revised this gist May 14, 2017. 1 changed file with 1 addition and 1 deletion.
    @@ -38,7 +38,7 @@ Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-wor
    * A mall in singapore https://twitter.com/nkl0x55/status/863340271391580161
    * ATMs in china https://twitter.com/95cnsec/status/863382193615159296
    * norwegian soccer team ticket sales https://www.nrk.no/telemark/eliteserieklubber-rammet-av-internasjonalt-dataangrep-1.13515245
    * STC telecom ([saudia arabia](https://twitter.com/iPhone_Supp/status/863735059819442177))
    * STC telecom ([saudia arabia](https://twitter.com/iPhone_Supp/status/863735059819442177), [more](https://twitter.com/mhooh300/status/863734116142985216))

    # Malware samples

  23. rain-1 revised this gist May 14, 2017. 1 changed file with 1 addition and 0 deletions.
    @@ -38,6 +38,7 @@ Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-wor
    * A mall in singapore https://twitter.com/nkl0x55/status/863340271391580161
    * ATMs in china https://twitter.com/95cnsec/status/863382193615159296
    * norwegian soccer team ticket sales https://www.nrk.no/telemark/eliteserieklubber-rammet-av-internasjonalt-dataangrep-1.13515245
    * STC telecom ([saudia arabia](https://twitter.com/iPhone_Supp/status/863735059819442177))

    # Malware samples

  24. rain-1 revised this gist May 13, 2017. 1 changed file with 5 additions and 0 deletions.
    @@ -47,6 +47,11 @@ Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-wor

    Binary blob in PE crypted with pass 'WNcry@2ol7', credits to ens!

    * parents https://pastebin.com/quvVH5hS (all known variants of the Wcry launcher containing eternalblue)
    * children https://pastebin.com/A2pxw49F (all variants of Wcry, the actual ransomware, being currently observed in the wild)

    essentially the full known catalogue of samples. credit to errantbot and @codexgigassys

    # Informative Tweets

    * Sample released by ens: https://twitter.com/the_ens/status/863055007842750465
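Review bot: "crypted" should be "encrypted", and the line should say what the blob is and where in the PE it sits (a resource, an appended archive) as far as the analysis confirms, otherwise the password is a loose fact with nothing to apply it to. The "parents"/"children" terminology is also used without definition until the parentheticals; lead with "launcher" and "ransomware payload" so the catalogue is readable on its own.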
  25. rain-1 revised this gist May 13, 2017. 1 changed file with 17 additions and 1 deletion.
    @@ -111,12 +111,28 @@ m_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czec

    # File types

    The filetypes it looks for to encrypt are
    There are a number of files and folders wannacrypt will avoid. Some because it's entirely pointless and others because it might destabilize the system. During scans, it will search the path for the following strings and skip over if present:

    * "Content.IE5"
    * "Temporary Internet Files"
    * " This folder protects against ransomware. Modifying it will reduce protection"
    * "\Local Settings\Temp"
    * "\AppData\Local\Temp"
    * "\Program Files (x86)"
    * "\Program Files"
    * "\WINDOWS"
    * "\ProgramData"
    * "\Intel"
    * "$\"

    The filetypes it looks for to encrypt are:

    .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

    credit herulume, thanks for extracting this list from the binary.

    more details came from https://pastebin.com/xZKU7Ph1 thanks to cyg_x11

    # Some other interesting strings

    BAYEGANSRV\administrator
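Review bot: `.sldm` appears twice in the extension list, and since the list mixes case (`.ARC`, `.PAQ` beside lowercase entries) the section should state whether extension and path-string matching is case-sensitive, otherwise readers cannot tell if `.arc` or `\windows` are covered. Also "Some because it's entirely pointless" is unclear about what is pointless; "Some because encrypting them would be pointless, others because it might destabilize the system" reads better. The leading space in `" This folder protects against ransomware..."` should be called out as part of the matched string, since it affects detection rules copied from this list.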
  26. rain-1 revised this gist May 13, 2017. 1 changed file with 0 additions and 1 deletion.
    @@ -68,7 +68,6 @@ Binary blob in PE crypted with pass 'WNcry@2ol7', credits to ens!
    * Claim of attrib [take with salt]: https://twitter.com/0xSpamTech/status/863058605473509378
    * Track the bitcoins: https://twitter.com/bl4sty/status/863143484919828481
    * keys in pem format: https://twitter.com/e55db081d05f58a/status/863109716456747008
    * new version (?): https://twitter.com/malwrhunterteam/status/851687635554848768

    # Cryptography details

  27. rain-1 revised this gist May 13, 2017. 1 changed file with 1 addition and 1 deletion.
    @@ -6,7 +6,6 @@
    * **Backdooring**: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
    * **Kill switch**: If the website `www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com` is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm.


    SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

    Microsoft first patch for XP since 2014: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
    @@ -69,6 +68,7 @@ Binary blob in PE crypted with pass 'WNcry@2ol7', credits to ens!
    * Claim of attrib [take with salt]: https://twitter.com/0xSpamTech/status/863058605473509378
    * Track the bitcoins: https://twitter.com/bl4sty/status/863143484919828481
    * keys in pem format: https://twitter.com/e55db081d05f58a/status/863109716456747008
    * new version (?): https://twitter.com/malwrhunterteam/status/851687635554848768

    # Cryptography details

  28. rain-1 revised this gist May 13, 2017. 1 changed file with 1 addition and 0 deletions.
    @@ -38,6 +38,7 @@ Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-wor
    * University of Milano-Bicocca ([italy](http://milano.repubblica.it/cronaca/2017/05/12/news/milano_virus_ransomware_universita_bicocca-165302056/?ref=drnweb.repubblica.scroll-3))
    * A mall in singapore https://twitter.com/nkl0x55/status/863340271391580161
    * ATMs in china https://twitter.com/95cnsec/status/863382193615159296
    * norwegian soccer team ticket sales https://www.nrk.no/telemark/eliteserieklubber-rammet-av-internasjonalt-dataangrep-1.13515245

    # Malware samples

  29. rain-1 revised this gist May 13, 2017. 1 changed file with 1 addition and 1 deletion.
    @@ -1,4 +1,4 @@
    # WannaCry|WannaDecrypt0r NSA-Cybereweapon-Powered Ransomware Worm
    # WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

    * **Virus Name**: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
    * **Vector**: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  30. rain-1 revised this gist May 13, 2017. 1 changed file with 1 addition and 1 deletion.
    @@ -80,7 +80,7 @@ Binary blob in PE crypted with pass 'WNcry@2ol7', credits to ens!

    The RSA public key used to encrypt the infection specific RSA private key is embedded inside the DLL and owned by the ransomware authors.

    * https://haxx.in/key1.bin (the ransomware pubkey, used to encrypt the aes keys)
    * https://haxx.in/key1.bin (the ransomware pubkey, used to encrypt the users private key)
    * https://haxx.in/key2.bin (the dll decryption privkey)
    the CryptImportKey() rsa key blob dumped from the DLL by blasty.
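Review bot: the corrected key1.bin description now matches the sentence above it (the embedded public key encrypts the infection-specific private key, not the AES keys), which is the important fix. The trailing line "the CryptImportKey() rsa key blob dumped from the DLL by blasty." is neither a bullet nor a full sentence; attach it to the key2.bin bullet it describes, and "the dll decryption privkey" should name which blob it decrypts.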