WannaCry

8
Global rank
4
Month rank
3
Week rank
18897
IOCs

WannaCry is a famous Ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat.

Ransomware
Type
Likely North Korea
Origin
12 May, 2017
First seen
3 June, 2023
Last seen
Also known as
WCry
WanaCryptor

How to analyze WannaCry with ANY.RUN

Ransomware
Type
Likely North Korea
Origin
12 May, 2017
First seen
3 June, 2023
Last seen

IOCs

IP addresses
192.168.100.32
23.202.231.167
13.248.148.254
76.223.26.96
173.239.8.164
192.168.100.132
192.168.100.124
192.168.100.121
192.168.100.116
192.168.100.138
192.168.100.44
192.168.100.9
192.168.100.69
192.168.100.167
104.17.244.81
104.16.173.80
173.239.5.6
192.168.100.155
50.63.202.62
192.168.100.190
Hashes
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
eed86ba53d4d84ceef045203667f3a4a4636948c36d4bb45ba8de5d69bf87778
91056a0f103ff508e788bf032c6043adf1c8b1267443377e58e1e00be8b8859b
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
38d7af01bdeac810cc6799237087e3aed70c2a66fefbf107d99134c978f5c9a1
cb11ca7f0afe82833d91792dc891a81088f1605c6cc029edecc21b4f433c0756
09ba59540b90eebf1e468503d9057b65c4d3f7b3ad229d2b144d8ea2ccd0a1e0
55bc52ead4c668b4dad978bebd80821a68eccd36b3927072a5d113cd5d79a27a
c94e6405266a5101501962b24eb1c43ad64e271eb3346e8889c610cec267eec2
ef95a048df895637c5aa94ca7f003fa3c435328c5486f9ffb11f8bf84194111f
9ba201420a6d13b90eff19a57c1306a896c633c990180e02b764c8f9cea047e0
9fb6be3792d4ff46412327b950347c0b6039b01c03a32cc9d43e705f391d3f2e
2669369c76cc7f03f64e68a2bd2bbfa0d4be9de6daba01e19866da9a7585b4d0
63b33117e4e0d472b2db30c2d27d03ee38a6bfad0df39c4de4c335eeacf8c808
40eb1c1126f819edb67e15fc9e8d4376a2b64fd4d93cd46fff73c173446aad42
776e3a59ee42e721b5c0020bdf456435fdee8e0596ef8d7a05653d9687067272
74d72f5f488bd3c2e28322c8997d44ac61ee3ccc49b7c42220472633af95c0c0
9f22c80e2fcfb99e09464439ebb781cb01a9bb8890bcb646880d1b22cae21e9b
Domains
njxyro.ddns.net
192-168-100-240.otmn.direct.quickconnect.to
192-168-100-240.otmn.direct.quickconnect.to
frederikkempe.com
majul.com
ww1.gmai.com
device-local-3193b8ff-0889-41c5-8fd6-67066f88b277.remotewd.com
r3.i.lencr.org
qxq.ddns.net
726512.parkingcrew.net
vcctggqm3t.dattolocal.net
lingaly.pl
jumpstart.store
blogutils.net
cl0udh0st1ng.com
www.20mbweb.com
www.simpleclick.us
whoistory.com
ato-aus-i.top
augov-uu.top
Last Seen at

Recent blog posts

recentPost
How to Create a Task in ANY.RUN:a Step-by-Ste...
watchers 307
comments 0
recentPost
ChatGPT for SOC and Malware Analysis professi...
watchers 5382
comments 0
recentPost
Deobfuscating the Latest GuLoader: Automating...
watchers 3236
comments 3

What is WCry ransomware?

WannaCry, sometimes also called WCry or WanaCryptor is ransomware malware, meaning that it encrypts files of its victims and demands a payment to restore the stolen information, usually in bitcoin with ransom amounts ranging from $300 to $600 equivalents.

The virus can be described as ransomware like Dharma or Ryuk but with worm functionality, since it is capable of spreading itself within infected networks using the EternalBlue exploit. Additionally, the virus uses DoublePulsar exploit to upload and execute a copy of itself to a new machine.

Once WannaCry makes its way into a target computer, it begins its malicious activity by checking for a hardcoded kill switch domain - either fferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com or iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. In the event, if one is found, the malware stops the execution. However, if a kill switch domain isn’t found, the ransomware encrypts files on the machine, following which an attempt to exploit the SMB vulnerability takes place. This is done in an effort to spread the virus over to other random PCs and all those connected to a local network. After encryption is completed, a ransom note is displayed to the user and the attackers demand $300 to be paid in a 3-day timespan. If the victim resists the ransom amount rises to $600 to be paid in 7 days. The payments are directed to multiple hardcoded bitcoin addresses. Typical for a cryptocurrency, anybody can check their balances and transaction history but the true owner of such a wallet can not be traced.

General description of WannaCry

The first time WannaCry malware was seen in the wild was as a part of a devastating worldwide attack that took place in May 2017. The attack utilized an EternalBlue exploit, which was believed to have been developed by the American NSA and leaked by a cybergang known under the allies “The Shadow Brokers”.

The exploit leveraged a vulnerability in the Windows operating systems and while a patch fixing the issue was released quickly by the company, many individuals and organizations who didn’t promptly update their computers became victims of this attack.

By some broad estimations, over 200,000 computers worldwide were infected by WannaCry within those few days that the attack was ongoing. A fix of the EternalBlue exploit along with the discovery of the “kill switch” that allowed to stop the execution of the malware were the two main contributions that helped to slow down this malicious campaign. However, by the time the attack came to an end total damage amounted to billions of dollars, and victims from over 150 countries were affected.

A campaign of such scale raised international investigation of the highest level aimed to find out who was behind the outbreak. During WannaCry analysis experts investigated the ransom notes to find out that they were most likely written by hand and the writers seemed to be fluent in Chinese and English, as was suggested by the linguistics analysis. Further investigation suggested that the native language of the writer was Chinese since two versions of ransom note were composed in this language - one in Simplified and one in Traditional Chinese. Furthermore, some typos in the notes lead researchers to believe that a Chinese input system was used for typing, as mistakes like those present could not have been easily made using any other form of input.

Use ANY.RUN free for 14 days

Try the full power of interactive analysis

Start your free trial

It should be noted, that in total the ransom note was written in 28 languages including both Chinese variations. However, for most of those languages, a machine translation was used.

The FBI then uncovered that Hangul fonts were installed on the machine that was used to compose the ransom notes. Hangul is an alphabet and a writing system used in the South as well as in North Korea. Further analysis of the language files metadata displayed that the computer was set to a Korean Timezone.

Upon further WannaCry analysis, security researchers from Google, Kaspersky Lab, and Symantec concluded that the code of WCry exhibited similarities to other malware used in the attacks against Sony Pictures and a Bangladesh bank. Those attacks were carried out by a so-called Lazarus Group, members of which were linked to North Korea.

Of course, this evidence was not conclusive as other groups could have simply reused some of the code produced by the Lazarus Group. What’s more, the use of such code could have been intentional in order to mislead the investigators and put the blame on other cybercriminals.

However, a liked memo from NSA as well as findings made by UK's National Cyber Security Centre also pointed at North Korea as the country from which the attack originated. The United States Government subsequently proceeded to formally declare North Korea to be the attack origin.

In foresight, despite the fact that the WannaCry attack had a truly unprecedented scale, its impact is considered relatively low, compared to other ransomware. The aftermath could have been much worse if it was not for the discovery of the kill switch. Furthermore, the virus could have been targeted at high-level infrastructures like transport control systems and nuclear power plants. Had this been the case, some experts estimate possible losses in excess of hundreds of millions of dollars.

Talking about the actual WannaCry analysis - it comes in the form of a dropper that holds various components as a ZIP archive which is protected by a password. This archive is being unpacked during the execution using a hardcoded password and dropped into a directory from which it was executed.

WCry ransomware uses two encryption methods during its execution: RSA and AES-128-CBC. To confuse the researchers the encryption scenario that is contained in a t.wnry file is actually encrypted in exactly the same way that the malware uses to encrypt data on an infected machine. A custom loader is used to load the module into memory, so the unencrypted version of the file never has to be recorded on the victim’s hard drive.

Upon the start of the execution process, the malware uses an RSA key to unpack the t.wnry file and decrypt it. Then a new RSA key will be generated and sent to a C&C server, while a duplicate of a public key is being saved on the infected machine.

This is where the malware starts to encrypt files – the virus searches the infected machine for files with supported extensions. Then, a 128 bit AES key is created per every single file that was selected for encryption and encrypted using the RSA key created earlier. RSA-encrypted AES key is placed in a header of an encrypted file. After this, the malware uses the AES key to encrypt data in the file.

The encryption is performed in such a way that it is virtually impossible to restore the lost data without access to the private key, that is stored in the control server. This means that for a victim the only way to regain access to their information is to fulfill the ransom demand, made by the attackers.

For persistence, WCry writes itself in the autorun keys in the registry and creates a couple of services.

WannaCry malware analysis

A video simulation recorded on ANY.RUN allows us to examine the lifecycle of WannaCry.

wannacry execution process graph

Figure 1: Process graph generated by ANY.RUN allows us to see the main processes of Dridex execution.

text report of the wannacry analysis

Figure 2: Displays the customizable text report generated by ANY.RUN.

How does WCry infect?

Besides being distributed by malicious spam campaigns, ransomware uses a more interesting way to infect devices - it utilizes an operating system vulnerability as the initial attack vector. Once the malware successfully leverages an exploit and makes its way into a machine, it will scan the IP addresses in an attempt to infect connected devices through the SMB vulnerability on port 445/TCP. This vulnerability has CVE ID 2017-0144 and is also known as MS17-010 EternalBlue.

All devices in a local network exhibiting potential vulnerability will also be infected.

WannaCry ransomware execution process

First of all, after running, WCry sends an HTTP GET request to hardcoded domains and stops execution if the request is successful. Although the WannaCry execution process is pretty straightforward, it does not just encrypt files on the infected machine, but it's also trying to infect as many nearby machines as it can. To do so, the ransomware scans all machines with port 445 being open and if the connection is made, tries to exploit the SMBv1 vulnerability (EternalBlue). On the local system, WannaCry executable file extracts and installs binary and configuration files from its resource section. It also hides the extracted directory, modifies security descriptors, creates an encryption key, deletes shadow copies, and so on. After all these steps, WannaCry encrypts the files of the user and sets the wallpaper to a ransom note. In addition, a @[email protected] executable file is being started to provide information about the countdown and payment method to a victim.

workstation desktop after wannacry infection

Figure 3: A Desktop of a system infected by WannaCry

Prevention of WCry attacks

In order to prevent potential WannaCry attacks, users should install security patches created by Microsoft in response to the original incident. Today, early versions of WCry won't work because their killswitch is still active.

The patch code for this security update is MS-17-010 and the update is available even for Windows XP; it was the first update to this operating system issued by Microsoft in 3 years.

How to get more WannyCry ransomware data using ANY.RUN?

Since crooks behind WCry offer decryption of three images for free you can use the interactivity of ANY.RUN to take additional steps in your analysis. Open the website specified in a ransom note in the browser and follow all steps to decrypt images to get a bigger picture of a ransomware infection process.

wannacry ransom note Figure 4: Wannacry ransom note

Conclusion

WannaCry is undoubtedly one of the most destructive malware ever used by cyberattacks. The first malicious campaign utilizing this dangerous virus had a truly unprecedented scale.

Thankfully, due to outstanding work done by cybersecurity professionals, the attack was contained in just a few days by finding an effective kill switch and patching the vulnerability in the Microsoft operating systems that the ransomware was targeting. However, even despite such quick reaction times made by cybersecurity professionals all around the world, billions of dollars were lost by victims all across the world.

To prevent devastating cyber attacks such as the one performed using the WCry virus, researchers should learn as much as possible about the existing malware samples and analyze their code. This task is greatly simplified with the use of interactive sandboxes like ANY.RUN, which allows users to influence the simulation in real-time in order to get the best results.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy