WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. It uses the ETERNALBLUE SMBv1 exploit (MS17-010) to propagate.
  • Ransom: between $300 and $600 in Bitcoin. The binary contains code to delete ("rm") files; the countdown seems to reset if the malware crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It deletes Volume Shadow Copies (vssadmin delete shadows) to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is reachable, the malware exits instead of infecting the host (source: malwarebytes). This domain has been sinkholed, which stops the spread of the worm. The check is a direct, non-proxy-aware HTTP request, so on networks that can only reach the internet through a proxy the kill switch does not fire and the worm keeps spreading (source).

update: A minor variant has been found in which the kill switch has been hex-edited out. Because it was patched rather than recompiled, it was probably not done by the original author. That is the only change: the encryption keys and the Bitcoin addresses are the same. This variant is corrupt, so the ransomware component does not work; it only propagates.

SECURITY BULLETIN AND UPDATES HERE: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Microsoft's first patch for XP since 2014: https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Killswitch source: https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/ https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

Exploit details: https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html

Vulnerable/Not Vulnerable

Infection over the network requires TCP port 445 (SMB) to be reachable from an infected host, or the machine to already have DOUBLEPULSAR installed. In either case the kill-switch domain must be unregistered, blocked, or reachable only through a proxy.

The MS17-010 patch fixes the vulnerability.

  • Windows XP: Doesn't spread. If run manually, can encrypt files.
  • Windows 7, 8, Server 2008: can spread if unpatched, can encrypt files.
  • Windows 10: Doesn't spread, even though Windows 10 also shipped the flawed SMBv1 driver (fixed by the same MS17-010 update); the worm's exploit does not work against it.
  • Linux: Doesn't spread. If run manually under Wine, can encrypt files.

Cryptography details

  • Each infection generates a new RSA-2048 keypair.
  • The public key is exported as a CryptoAPI key blob and saved to 00000000.pky.
  • The private key is encrypted with the ransomware authors' public key and saved as 00000000.eky.
  • Each file is encrypted using AES-128-CBC, with a unique AES key per file.
  • Each AES key is generated with CryptGenRandom.
  • The AES key is encrypted with the infection-specific RSA public key and stored in the header of the encrypted file.

The RSA public key used to encrypt the infection-specific RSA private key is embedded inside the DLL and owned by the ransomware authors, so without their private key neither the infection's private key nor any per-file AES key can be recovered.
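As an added example (not code from this gist or from the malware), the key hierarchy above reproduced in Python with the cryptography package: a fresh RSA-2048 keypair per infection, a random AES-128 key per file, each file key wrapped under the infection public key, and the infection private key wrapped under the authors' public key. Assumptions of the example, because the page does not specify them: RSA PKCS#1 v1.5 padding applied block by block (a 2048-bit private key is far larger than one RSA block), PKCS#7 padding and a fixed all-zero IV for AES-CBC (the real file header records the original length instead, and has no IV field), and a freshly generated keypair standing in for the authors' embedded key.

```python
import os
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives import padding as sym_padding
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

RSA_BLOCK = 256             # bytes per RSA-2048 ciphertext block
PKCS1_MAX = RSA_BLOCK - 11  # largest input PKCS#1 v1.5 can wrap in one block
AES_IV = bytes(16)          # assumption: fixed IV; tolerable only because each key encrypts one file


def rsa_wrap(pub, data):
    """RSA-encrypt a buffer of any length, one PKCS#1 v1.5 block at a time (this example's chunking)."""
    return b"".join(pub.encrypt(data[i:i + PKCS1_MAX], padding.PKCS1v15())
                    for i in range(0, len(data), PKCS1_MAX))


def rsa_unwrap(priv, blob):
    """Inverse of rsa_wrap: decrypt each 256-byte block and concatenate."""
    return b"".join(priv.decrypt(blob[i:i + RSA_BLOCK], padding.PKCS1v15())
                    for i in range(0, len(blob), RSA_BLOCK))


class Infection:
    """One infected host: a fresh RSA-2048 keypair whose private half survives only
    wrapped under the authors' public key (the role of 00000000.eky)."""

    def __init__(self, authors_pub):
        priv = rsa.generate_private_key(65537, 2048)
        self.pub = priv.public_key()                    # would be written to 00000000.pky
        der = priv.private_bytes(serialization.Encoding.DER,
                                 serialization.PrivateFormat.PKCS8,
                                 serialization.NoEncryption())
        self.eky = rsa_wrap(authors_pub, der)           # would be written to 00000000.eky
        # the plaintext private key goes out of scope here; only the authors can unwrap self.eky

    def encrypt_file(self, plaintext):
        key = os.urandom(16)                            # per-file AES-128 key (CryptGenRandom in the sample)
        padder = sym_padding.PKCS7(128).padder()
        padded = padder.update(plaintext) + padder.finalize()
        enc = Cipher(algorithms.AES(key), modes.CBC(AES_IV)).encryptor()
        ciphertext = enc.update(padded) + enc.finalize()
        return rsa_wrap(self.pub, key), ciphertext      # (256-byte wrapped key, ciphertext)


def recover_files(authors_priv, eky, files):
    """What the authors' decryptor would do: unwrap the infection key, then each file key."""
    infection_priv = serialization.load_der_private_key(rsa_unwrap(authors_priv, eky), password=None)
    plaintexts = []
    for wrapped_key, ciphertext in files:
        key = rsa_unwrap(infection_priv, wrapped_key)
        dec = Cipher(algorithms.AES(key), modes.CBC(AES_IV)).decryptor()
        unpadder = sym_padding.PKCS7(128).unpadder()
        padded = dec.update(ciphertext) + dec.finalize()
        plaintexts.append(unpadder.update(padded) + unpadder.finalize())
    return plaintexts


def demo():
    """Run the whole scheme on constructed plaintexts and return everything needed to check it."""
    authors_priv = rsa.generate_private_key(65537, 2048)  # stand-in for the keypair only the authors hold
    infection = Infection(authors_priv.public_key())
    samples = [b"quarterly-report.docx contents", b"\x00" * 1000]  # constructed plaintexts
    files = [infection.encrypt_file(p) for p in samples]
    return samples, files, recover_files(authors_priv, infection.eky, files), infection.eky
```

The point of the layering is that a victim who dumps every key file from disk still holds nothing usable: 00000000.eky is only decryptable with the authors' private key, and every per-file key is only decryptable with the infection private key inside it.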

Even more in-depth RE information by cyg_x1: https://pastebin.com/aaW2Rfb6

Bitcoin ransom addresses

Three addresses are hard-coded into the malware.

C&C servers (Tor hidden services)

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

Languages

All language ransom messages available here: https://transfer.sh/y6qco/WANNACRYDECRYPTOR-Ransomware-Messages-all-langs.zip

m_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czech, m_danish, m_dutch, m_english, m_filipino, m_finnish, m_french, m_german, m_greek, m_indonesian, m_italian, m_japanese, m_korean, m_latvian, m_norwegian, m_polish, m_portuguese, m_romanian, m_russian, m_slovak, m_spanish, m_swedish, m_turkish, m_vietnamese

File types

There are a number of files and folders WannaCrypt will avoid, some because encrypting them is pointless and others because it might destabilize the system. During its scan it checks each path for the following strings and skips the path if any of them is present:

  • "Content.IE5"
  • "Temporary Internet Files"
  • " This folder protects against ransomware. Modifying it will reduce protection"
  • "\Local Settings\Temp"
  • "\AppData\Local\Temp"
  • "\Program Files (x86)"
  • "\Program Files"
  • "\WINDOWS"
  • "\ProgramData"
  • "\Intel"
  • "$"

The filetypes it looks for to encrypt are:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

credit herulume, thanks for extracting this list from the binary.

More details came from https://pastebin.com/xZKU7Ph1, thanks to cyg_x11.

Some other interesting strings

credit: nulldot https://pastebin.com/0LrH05y2

Encrypted file format

    #define WC_SIG_LEN    8     /* "WANACRY!" */
    #define WC_ENCKEY_LEN 256   /* one RSA-2048 ciphertext block */

    /* On-disk layout; no padding occurs at these offsets, so the struct matches the file byte for byte. */
    typedef struct _wc_file_t {
        char     sig[WC_SIG_LEN];    // 8-byte (64-bit) signature "WANACRY!"
        uint32_t keylen;             // length of the encrypted key (256)
        uint8_t  key[WC_ENCKEY_LEN]; // per-file AES key, encrypted with the infection RSA public key
        uint32_t unknown;            // usually 3 or 4, meaning unknown
        uint64_t datalen;            // length of the file before encryption, obtained from GetFileSizeEx
        uint8_t  data[];             // ciphertext: AES-128-CBC, runs to the end of the file
    } wc_file_t;

credit for reversing this file format info: cyg_x11.
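As an added example (not code from this gist or from the reversing work it credits), here is a stdlib-only Python parser for the layout above that validates a file before any recovery attempt and reports the field offsets for carving headers out of disk images. The sample file is constructed inline; the assumed relationship between datalen and the ciphertext length (ciphertext is the plaintext rounded up to a whole AES block) is this example's assumption, since the page only states that datalen is the pre-encryption size.

```python
import struct

WC_SIG = b"WANACRY!"
WC_ENCKEY_LEN = 256                    # RSA-2048 ciphertext of the per-file AES key
HEADER = struct.Struct("<8sI256sIQ")   # sig, keylen, key, unknown, datalen: little-endian, no padding
AES_BLOCK = 16


def build_wncry(enc_key, unknown, datalen, ciphertext):
    """Serialise the on-disk layout; used here only to construct test input."""
    return HEADER.pack(WC_SIG, len(enc_key), enc_key, unknown, datalen) + ciphertext


def parse_wncry(blob):
    """Split a .WNCRY blob into its fields, rejecting anything that does not match the format.

    Returns a dict with enc_key, unknown, datalen and ciphertext, or raises ValueError.
    """
    if len(blob) < HEADER.size:
        raise ValueError("file shorter than a WANACRY! header (%d bytes)" % HEADER.size)
    sig, keylen, enc_key, unknown, datalen = HEADER.unpack_from(blob, 0)
    if sig != WC_SIG:
        raise ValueError("missing WANACRY! signature")
    if keylen != WC_ENCKEY_LEN:
        raise ValueError("unexpected encrypted key length %d" % keylen)
    ciphertext = blob[HEADER.size:]
    if len(ciphertext) % AES_BLOCK:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    # Assumption of this example: the ciphertext is the plaintext rounded up to a whole block.
    if not (len(ciphertext) - AES_BLOCK < datalen <= len(ciphertext)):
        raise ValueError("datalen %d inconsistent with %d ciphertext bytes" % (datalen, len(ciphertext)))
    return {"enc_key": enc_key, "unknown": unknown, "datalen": datalen, "ciphertext": ciphertext}


def is_wncry(blob):
    """True if blob parses as a well-formed WANACRY! file (signature check alone is not enough)."""
    try:
        parse_wncry(blob)
        return True
    except ValueError:
        return False


def header_offsets():
    """Byte offset of each field, handy when carving headers out of unallocated space."""
    names = ("sig", "keylen", "key", "unknown", "datalen")
    sizes = (8, 4, WC_ENCKEY_LEN, 4, 8)
    offsets, cur = {}, 0
    for name, size in zip(names, sizes):
        offsets[name] = cur
        cur += size
    offsets["data"] = cur
    return offsets


def demo():
    """Parse a constructed sample: a 20-byte file that became 32 ciphertext bytes (dummy key bytes)."""
    sample = build_wncry(b"\x11" * WC_ENCKEY_LEN, 4, 20, b"\xaa" * 32)
    return parse_wncry(sample)
```

Checking the signature by content rather than by the .WNCRY extension matters in forensics: files recovered from unallocated space or renamed by the victim carry no extension, and a file that merely starts with WANACRY! but fails the length checks is a truncated or carved fragment rather than a recoverable ciphertext.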

Vulnerability disclosure

The specific exploit it uses to propagate is ETERNALBLUE, which targets an SMBv1 bug (CVE-2017-0144) fixed by MS17-010.

ETERNALBLUE was developed by the "Equation Group", an exploit-development group associated with the NSA, and leaked to the public by "The Shadow Brokers" on April 14, 2017. Microsoft had fixed the vulnerability on March 14, 2017, so it was not a 0-day at the time of the leak.

toxyl commented May 22, 2017

@marksteward How did you get the edit time and revisions? I had a look at the files, but all have fake dates for creation and modification time.
What's the added sentence in Chinese (Simplified)?
I wonder if we can safely assume that the amount of revisions tells us something about the language proficiency of the authors. So basically every revision 3 is a language translated with Google Translate and not further adjusted, i.e. the author may not be able to read that language. Those with few edits (version4) may be because of obvious mistakes in translation like words that were not translated. Higher revision counts then either had more fixes because of obvious translation errors or because the authors know that language and can correct translation errors properly.

@xaviergmail

Any info on the .WNCRYT files recovered from ntfsundelete?
They don't seem to be encrypted at all, if this can be a ray of hope for someone else out there.

@dangerhacker

I need the source of WannaCry. I have wannacry.exe 2.0 but I need the source only to learn more.

toxyl commented May 24, 2017

@dangerhacker toxyl.ddns.net/wcry - the results come with the decompiled C source

marksteward commented May 25, 2017

@toxyl it's from the metadata in the translation files themselves - they're saved from Microsoft Word, so include various features you wouldn't usually see in an RTF file.

Additionally, now https://threatpost.com/wannacry-ransom-note-written-by-chinese-english-speaking-authors/125906/ is doing the rounds, here's the revision information from two earlier English-only versions, showing how they deliberately set their computer clock back in later versions to obscure the compile time (but without realising it affects this):

{\author Messi}{\operator Messi}{\creatim\yr2017\mo3\dy4\hr13\min33}{\revtim\yr2017\mo3\dy4\hr17\min37}{\version28}{\edmins156}
{\author Messi}{\operator Messi}{\creatim\yr2017\mo3\dy4\hr13\min33}{\revtim\yr2016\mo5\dy11\hr14\min40}{\version30}{\edmins157}

toxyl commented May 29, 2017

@marksteward awesome, great work, I didn't even consider checking that. What pieces of data are edmins156 and edmins157? A Google search only returns results for women's leather gloves, which seem to be called edmins in Russian. Is it the number of minutes since the last edit?

toxyl commented May 29, 2017

Does anyone know where the address 17MAZ6gLmKSARyzwxskDibunkranSomYcr belongs to? I've added it to my list of addresses associated with WanaCry, but I don't remember where I got it from. Unlike the three addresses used by WanaCry this one was created at 2017-05-16 01:50:26, so 4 days after the other accounts (2017-05-12: 13:08:21, 14:43:33 and 16:34:58) and it has this glaringly obvious string DibunkranSomYcr in it.

@marksteward

Yeah, edmins is edit time in minutes; creatim and revtim are creation and revision time.

Another piece of coverage of the story, saying Chinese is the original rather than English: https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/

@phantomxe

How fast is WannaCrypt0r with files of around 200-250 MB? Has anyone tried it on a virtual machine or on real hardware?

booy92 commented Jun 10, 2017

@phantomxe: fast. I didn't record or time it, but I infected a VM and it encrypted really fast. The decryption tool was also locked in no time. But I needed to repartition and reinstall my laptop, so I don't have the VM anymore. If you are interested I could infect it again and make a video to show the speed (not today, more likely Wednesday or so)?

@phantomxe

@booy92 yes, that would be good for me. 25 files of 200-250 MB and 2-3 files of 1 GB. Could you take a video with the system specs and CPU/disk monitoring?

HazkArt commented Aug 14, 2017

I want to analyze the WannaCry, Petya and Locky malware, but where can I get these three samples to analyze? Can you guys tell me?

Sent from my OPPO F1f using FastHub

FiecyLick commented Oct 29, 2017

Toxyl, 0x7E is a Windows error code or an operating system.
#Learn

@jettsetq

C2 for WannaCry is down?

erickdi commented Jan 14, 2019

So a broken version of wannacry.
