
Analysis of the Wana Decrypt0r 2.0 ransomware



Specialists from T&T Security and Pentestit analyzed the Wana Decrypt0r 2.0 ransomware to identify its functionality and to study its behaviour and propagation methods.


Wana Decrypt0r, which spreads over SMB, is the second version of WannaCry; the first version was distributed by more conventional means (phishing), hence the 2.0. At the moment there are at least three branches of the ransomware: the phishing variant (the first), the variant with a kill switch (first wave), and a variant without a kill switch (released only a few hours ago). As of 22:00 on 14 May 2017 both the second and the third variants had been observed, including samples without the kill switch.


Statistics


Infections:


At the time of writing (19:00 GMT+3) 236,648 machines are infected (most likely this figure will grow significantly tomorrow). Although the operator (or rather, whoever was responsible for distribution) slipped up with the kill-switch domain, it would be wrong to judge the number of infections by requests to that domain: some infected machines may sit behind NAT (many hosts sharing one public address) or be cut off from the Internet altogether.




Payments:


Ransom payments for decryption go to three Bitcoin wallets:



Command centers:



Supported languages (names of the embedded ransom-note resources):


m_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czech, m_danish, m_dutch, m_english, m_filipino, m_finnish, m_french, m_german, m_greek, m_indonesian, m_italian, m_japanese, m_korean, m_latvian, m_norwegian, m_polish, m_portuguese, m_romanian, m_russian, m_slovak, m_spanish, m_swedish, m_turkish, m_vietnamese

Strings of interest found in the sample (offset, length, value):


00:34 < nulldot> 0x1000ef48, 24, BAYEGANSRV\administrator
00:34 < nulldot> 0x1000ef7a, 13, Smile465666SA
00:34 < nulldot> 0x1000efc0, 19, wanna18@hotmail.com
00:34 < nulldot> 0x1000eff2, 34, 1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY
00:34 < nulldot> 0x1000f024, 22, sqjolphimrr7jqw6.onion
00:34 < nulldot> 0x1000f088, 52, https://www.dropbox.com/s/deh8s52zazlyy94/t.zip?dl=1
00:34 < nulldot> 0x1000f0ec, 67, https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
00:34 < nulldot> 0x1000f150, 52, https://www.dropbox.com/s/c1gn29iy8erh1ks/m.rar?dl=1
00:34 < nulldot> 0x1000f1b4, 12, 00000000.eky
00:34 < nulldot> 0x1000f270, 12, 00000000.pky
00:34 < nulldot> 0x1000f2a4, 12, 00000000.res
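Added example, not part of the original analysis or of T&T Security's or Pentestit's tooling: a small Python string extractor that produces the same (offset, length, string) triples as the excerpt above and tags the kinds of artefacts seen there (.onion host, Bitcoin address, download URL, key-file names). The byte blob is constructed inline so the script runs offline; the offsets it reports refer to that constructed blob, not to the real binary.

```python
import re

# Constructed stand-in for a binary: a few of the strings listed above embedded
# in filler bytes. This is NOT the WannaCry sample, just data for the example.
SAMPLE = (
    b"\x00" * 16
    + b"sqjolphimrr7jqw6.onion\x00"
    + b"\x90\x90\xcc"                                  # non-printable filler
    + b"1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY\x00"
    + b"ab\x00"                                        # too short to report
    + b"https://www.dropbox.com/s/deh8s52zazlyy94/t.zip?dl=1\x00"
    + b"00000000.eky" + b"\x00"
    + b"00000000.pky" + b"\x00"
)


def extract_strings(data: bytes, min_len: int = 6):
    """Return (offset, length, text) for every run of printable ASCII of at
    least min_len bytes, the same shape as the IRC listing above."""
    runs = re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return [(m.start(), m.end() - m.start(), m.group().decode("ascii"))
            for m in runs]


# Classifiers for the artefact types present in the listing. The Bitcoin
# pattern is the base58 alphabet (no 0, O, I, l) behind a 1/3 version byte.
PATTERNS = {
    "onion": re.compile(r"^[a-z2-7]{16}\.onion$"),          # v2 hidden service
    "bitcoin": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "url": re.compile(r"^https?://"),
    "keyfile": re.compile(r"^\d{8}\.(eky|pky|res)$"),       # 00000000.eky etc.
}


def classify(text: str) -> str:
    """Name of the first pattern that matches, or 'other'."""
    for name, pattern in PATTERNS.items():
        if pattern.search(text):
            return name
    return "other"


def iocs(data: bytes, min_len: int = 6):
    """Only the strings that look like indicators: (offset, length, kind, text)."""
    return [(off, ln, classify(s), s)
            for off, ln, s in extract_strings(data, min_len)
            if classify(s) != "other"]


if __name__ == "__main__":
    for off, ln, kind, s in iocs(SAMPLE):
        print(f"0x{off:08x}, {ln}, {kind}, {s}")
```

On a real file, read it in binary mode and pass the bytes to `iocs`; the offsets then match what a disassembler shows for the same strings, which is what makes the listing above useful for pivoting between samples.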

Kill switch:


iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. Before doing anything else the sample issues an HTTP request to this domain and terminates if the request succeeds; once the domain was registered and sinkholed, hosts with direct Internet access stopped being encrypted. The request is made without the system proxy settings, so hosts that reach the Internet only through a proxy still get encrypted.


Targeted file extensions:


.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

Encryption:


2048-bit RSA. Each file is encrypted with its own AES key, which is in turn wrapped with the per-victim 2048-bit RSA public key (00000000.pky); the matching private key (00000000.eky) is itself encrypted with the attackers' master key, so the files cannot be recovered without it.


Propagation:


The MS17-010 vulnerability in SMBv1. Windows versions from Vista onward are affected; Microsoft has, exceptionally, also released a patch for the unsupported Windows XP. The kill switch and the sinkhole do not remove the need to install MS17-010 and disable SMBv1.
 
 


The ETERNALBLUE exploit comes from the tool set published ("leaked") by the ShadowBrokers group. The chain is: the DoublePulsar backdoor is installed on the target by means of ETERNALBLUE, and the payload is delivered through it.
 



 
445 — 3 :



 



tLab, . , . , . — , T&T Security.


T&T Security 2013 , . 10 . - .


2017 T&T Security tLab , . tLab SOC-, .


Samples analyzed:


№1
SHA256: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c

№2
SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa


tLab - ( 100%), (85% ) — ( ). tLab. / , , , - .. .


(), , , -. . , , - .



 
, 100 -. , , . IP- . 90 . - ( ), . .



 



The sample then scans for SMBv1 hosts, both on the local subnet and at randomly generated public addresses, by connecting to port 445 (SMB): within 20 seconds it attempted roughly 60 000 IP addresses. Such a fan-out on a single port is easy to spot in flow data.
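Added example, not part of the original analysis: a sliding-window detector in Python for the fan-out described above, which flags any source that reaches a threshold of distinct destination IPs on TCP/445 within a 20-second window. The flow records are constructed inline (the field layout, host addresses and the 100-destination threshold are assumptions made for the example), so it runs offline; a real deployment would feed it NetFlow or Zeek conn records instead.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed flow records (timestamp, src, dst, dport). NOT real telemetry:
# 10.0.0.5 plays the infected host fanning out on 445, the others are benign.
_T0 = datetime(2017, 5, 13, 10, 0, 0)
FLOWS = []
# Scanner: 300 distinct destinations in 15 seconds, one every 50 ms.
for i in range(300):
    FLOWS.append((_T0 + timedelta(milliseconds=50 * i), "10.0.0.5",
                  f"10.0.{i // 256}.{i % 256}", 445))
# Workstation talking to the same two file servers over and over.
for i in range(40):
    FLOWS.append((_T0 + timedelta(seconds=i), "10.0.0.7",
                  ["10.0.0.10", "10.0.0.11"][i % 2], 445))
# Slow sweep: 50 hosts, one every 6 s (never more than 4 inside 20 s).
for i in range(50):
    FLOWS.append((_T0 + timedelta(seconds=6 * i), "10.0.0.9",
                  f"10.0.1.{i}", 445))
    FLOWS.append((_T0 + timedelta(seconds=6 * i), "10.0.0.9",
                  "10.0.0.1", 80))          # non-SMB noise, must be ignored


def detect_smb_scanners(flows, window=timedelta(seconds=20), threshold=100):
    """Return {src: peak} for every source that reached `threshold` distinct
    destination IPs on port 445 inside some `window`-long interval.
    `peak` is the largest distinct-destination count seen in any window."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:                     # only SMB matters here
            per_src[src].append((ts, dst))

    hits = {}
    for src, events in per_src.items():
        events.sort()                        # by timestamp
        seen = Counter()                     # dst -> count inside the window
        left = peak = 0
        for t, dst in events:
            seen[dst] += 1
            # Slide the left edge until the window is at most `window` wide.
            while t - events[left][0] > window:
                old = events[left][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                left += 1
            peak = max(peak, len(seen))
        if peak >= threshold:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    for src, peak in detect_smb_scanners(FLOWS).items():
        print(f"{src}: {peak} distinct hosts on tcp/445 within 20 s")
```

The threshold is deliberately high: a file server or a vulnerability scanner also touches many hosts on 445, so tune it per segment and pair the alert with the SMBv1 negotiation itself rather than relying on the count alone.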
 



 
Tor traffic: connections to ports 443, 9101 and 9102 on IP addresses belonging to Tor relays:



These addresses are Tor relays; the Tor network numbers about 7 000 of them.



After launch the dropper writes “tasksche.exe” to disk and establishes persistence by adding a Run key for it via “reg.exe”:


cmd.exe /c reg add hklm\software\microsoft\windows\currentversion\run /v "abzyckxcqecwnu394" /t reg_sz /d "\"c:\intel\abzyckxcqecwnu394\tasksche.exe\""

 
Files created on disk by sample №1:


c:\documents and settings\48=8ab@0b@\desktop\mapkep.bin
c:\intel\abzyckxcqecwnu394\tasksche.exe

 
“tasksche.exe” extracts “@wanadecryptor@.exe” and the other components from an embedded password-protected archive and scatters copies of it across the file system. The archive password is WNcry@2ol7.


Locations where @wanadecryptor@.exe was written:


c:\intel\abzyckxcqecwnu394\@wanadecryptor@.exe
c:\@wanadecryptor@.exe
c:\docs\@wanadecryptor@.exe
c:\docs\docs\@wanadecryptor@.exe
c:\documents and settings\default user\(01;=k\@wanadecryptor@.exe
c:\documents and settings\48=8ab@0b@\cookies\@wanadecryptor@.exe
c:\documents and settings\48=8ab@0b@\(01;=k\@wanadecryptor@.exe
c:\documents and settings\;l720b5;l\(01;=k\@wanadecryptor@.exe
c:\programms\@wanadecryptor@.exe
c:\programms\totalcmd\@wanadecryptor@.exe
c:\system volume information\_restore{1a1e1895-7822-43e9-a55a-8d2dc8b2dc2d}\@wanadecryptor@.exe
c:\system volume information\_restore{1a1e1895-7822-43e9-a55a-8d2dc8b2dc2d}\rp1\@wanadecryptor@.exe
c:\system volume information\_restore{1a1e1895-7822-43e9-a55a-8d2dc8b2dc2d}\rp2\@wanadecryptor@.exe
c:\system volume information\_restore{1a1e1895-7822-43e9-a55a-8d2dc8b2dc2d}\rp3\@wanadecryptor@.exe
c:\system volume information\_restore{1a1e1895-7822-43e9-a55a-8d2dc8b2dc2d}\rp4\@wanadecryptor@.exe
c:\temp\screener\@wanadecryptor@.exe
c:\documents and settings\all users\ 01g89 ab;\@wanadecryptor@.exe
c:\documents and settings\48=8ab@0b@\ 01g89 ab;\@wanadecryptor@.exe
c:\documents and settings\;l720b5;l\ 01g89 ab;\@wanadecryptor@.exe

 
“@wanadecryptor@.exe” unpacks a bundled Tor client, which it runs as “c:\intel\abzyckxcqecwnu394\taskdata\tor\taskhsvc.exe”:


c:\intel\abzyckxcqecwnu394\taskdata\tor\libeay32.dll
c:\intel\abzyckxcqecwnu394\taskdata\tor\libevent-2-0-5.dll
c:\intel\abzyckxcqecwnu394\taskdata\tor\libevent_core-2-0-5.dll
c:\intel\abzyckxcqecwnu394\taskdata\tor\libevent_extra-2-0-5.dll
c:\intel\abzyckxcqecwnu394\taskdata\tor\libgcc_s_sjlj-1.dll
c:\intel\abzyckxcqecwnu394\taskdata\tor\libssp-0.dll
c:\intel\abzyckxcqecwnu394\taskdata\tor\ssleay32.dll
c:\intel\abzyckxcqecwnu394\taskdata\tor\tor.exe
c:\intel\abzyckxcqecwnu394\taskdata\tor\zlib1.dll
c:\intel\abzyckxcqecwnu394\\taskdata\tor\taskhsvc.exe
c:\temp\screener\newwindows\@wanadecryptor@.exe

It then disables the Windows recovery mechanisms (shadow copies, boot recovery and the backup catalog) with the following command:


cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
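Added example, not from the original page: Python detection logic that turns the two command lines above (the Run-key persistence and the shadow-copy/boot-recovery commands) into rules applied to process-creation events. The event records and rule names are constructed for the example; the HKCU OneDrive entry is included on purpose to show that a Run-key rule on its own needs triage, whereas several recovery-inhibition techniques in one command line is a strong signal by itself.

```python
import re

# Constructed process-creation events, in the shape an EDR or Sysmon pipeline
# hands to a detection engine. Events 0 and 1 carry the commands from the
# analysis above; the rest are benign look-alikes. NOT real telemetry.
EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"},
    {"host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c reg add hklm\software\microsoft\windows\currentversion\run /v "abzyckxcqecwnu394" /t reg_sz /d "\"c:\intel\abzyckxcqecwnu394\tasksche.exe\""'},
    {"host": "WS02", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                     # benign
    {"host": "WS02", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add hkcu\software\microsoft\windows\currentversion\run /v OneDrive /t reg_sz /d "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"'},
    {"host": "WS03", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /enum"},                             # benign
]

# Rule name -> regex over the command line. Names are this example's own.
RULES = {
    "shadow_copy_deletion":
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete",
    "boot_recovery_disabled":
        r"bcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
        r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
    "backup_catalog_deletion":
        r"wbadmin(?:\.exe)?\s+delete\s+catalog",
    "run_key_persistence":
        r"reg(?:\.exe)?\s+add\s+hk(?:lm|cu)\\software\\microsoft\\windows\\currentversion\\run\b",
    "wannacry_file_artefact":
        r"tasksche\.exe|@wanadecryptor@\.exe|taskhsvc\.exe",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}

RECOVERY_INHIBITION = {"shadow_copy_deletion", "boot_recovery_disabled",
                       "backup_catalog_deletion"}


def match_event(event):
    """Sorted names of every rule whose pattern hits the event's command line."""
    cmd = event.get("cmdline", "")
    return sorted(name for name, rx in COMPILED.items() if rx.search(cmd))


def scan(events):
    """[(index, host, [rule names])] for events that hit at least one rule."""
    hits = []
    for i, event in enumerate(events):
        rules = match_event(event)
        if rules:
            hits.append((i, event["host"], rules))
    return hits


def is_ransomware_prep(rules):
    """True when two or more distinct recovery-inhibition techniques appear
    in one command line: the pattern of the vssadmin/bcdedit/wbadmin chain
    above, which legitimate administration almost never produces at once."""
    return len(RECOVERY_INHIBITION & set(rules)) >= 2


if __name__ == "__main__":
    for idx, host, rules in scan(EVENTS):
        flag = "HIGH" if is_ransomware_prep(rules) else "review"
        print(f"[{flag}] event {idx} on {host}: {', '.join(rules)}")
```

Wire the same rules to a process-creation source (Sysmon Event ID 1 or the EDR equivalent), and treat `is_ransomware_prep` as an isolate-the-host trigger rather than a ticket: by the time the shadow copies are gone, encryption is already underway.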




, , , -. , - (), TOR , . , , , .
 
 
IOC (indicators of compromise).


, , , , , .



. , , . , , .




Pentestit Security Conference.



Source: https://habr.com/ru/post/328606/

