On Friday May 12, 2017, version 2.0 of the WannaCry (also written WanaCry or WannaCrypt) ransomware generated global interest after infecting systems at a number of high-profile organisations around the world, including the UK's NHS, the Russian Interior Ministry and the Russian Police, FedEx, MegaFon (one of the largest mobile operators in Russia) and the Frankfurt S-Bahn.
The malware authors added worm functionality to the ransomware, allowing it to spread through the recently patched MS17-010 vulnerability, rated 'Critical' by Microsoft, which is triggered by sending "specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server." The exploit for this vulnerability, codenamed "EternalBlue," was made public in the Shadow Brokers leak of supposed NSA hacking tools on April 14, 2017; Microsoft had already patched the vulnerability a month earlier, on March 14, 2017. Because the worm stage needs no user interaction, a single unpatched host exposing SMBv1 on port 445 is enough to seed an entire network.
precisionsec analysts immediately began analysis, and we were able to generate a packet capture of the malware scanning for additional hosts to infect on TCP port 445. A few people have asked us via our Twitter account to share the packet capture (pcap) we generated on Friday showing the WannaCry 2.0 sample scanning port 445. Note that in this capture the DNS lookup for the kill-switch domain www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com failed, and it is that failure that initiated the SMB port 445 scan: the sample only proceeds to spread when it cannot reach that domain, so on a network where the lookup succeeds the worm stage does not fire.
You can find the pcap file here.
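As an added example (not precisionsec's code, and not derived from the published pcap), the following Python sketches the detection logic a SOC could run over Zeek-style DNS and connection logs to flag the two-step behaviour described above: a failed lookup of the kill-switch domain followed by one host SYN-scanning many distinct addresses on TCP 445. The log records are constructed, and the field layout, threshold and window size are assumptions.

```python
"""Detection logic for the behaviour described above: a failed DNS lookup of the
WannaCry kill-switch domain followed by a burst of TCP SYNs to port 445 against
many distinct hosts.  Added example, not precisionsec's code.  The records below
are constructed to resemble Zeek dns.log / conn.log fields; they are not taken
from the published pcap."""
from collections import Counter, defaultdict

KILLSWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"  # from the post

# Constructed DNS records: (ts, src, query, rcode_name)
DNS = [
    (99.0, "10.0.0.5", KILLSWITCH_DOMAIN, "NXDOMAIN"),          # lookup failed -> worm proceeds
    (150.0, "10.0.0.7", KILLSWITCH_DOMAIN, "NOERROR"),          # domain resolved -> sample should exit
    (160.0, "10.0.0.9", "fileserver.corp.example", "NOERROR"),  # unrelated lookup
]

# Constructed connection records: (ts, src, dst, dport, proto, history)
# "history" mimics Zeek's conn history string; a leading "S" means the
# originator sent a SYN.
CONN = (
    # 10.0.0.5 sweeps 25 neighbouring addresses on 445 within 25 seconds
    [(100.0 + i, "10.0.0.5", f"10.0.0.{100 + i}", 445, "tcp", "S") for i in range(25)]
    # 10.0.0.9 hammers a single file server (legitimate) and touches 3 other hosts
    + [(200.0 + i, "10.0.0.9", "10.0.0.2", 445, "tcp", "ShADadF") for i in range(40)]
    + [(250.0 + i, "10.0.0.9", f"10.0.0.{10 + i}", 445, "tcp", "ShADadF") for i in range(3)]
    # unrelated HTTPS traffic
    + [(300.0, "10.0.0.7", "203.0.113.10", 443, "tcp", "ShADadF")]
)


def failed_killswitch_lookups(dns_records):
    """Hosts whose query for the kill-switch domain did not resolve."""
    hosts = set()
    for _ts, src, query, rcode in dns_records:
        if query.rstrip(".").lower() == KILLSWITCH_DOMAIN and rcode != "NOERROR":
            hosts.add(src)
    return hosts


def smb_scan_sources(conn_records, min_targets=10, window=60.0):
    """Map src -> largest number of distinct hosts it SYN'd on tcp/445 inside
    any `window`-second span, keeping only sources at or above `min_targets`.

    Counting distinct destinations (not connections) is what separates a worm
    sweep from a busy client talking to one file server."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto, history in conn_records:
        if proto == "tcp" and dport == 445 and history.startswith("S"):
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()  # dst -> number of events currently inside the window
        lo = 0
        best = 0
        for ts, dst in events:
            in_window[dst] += 1
            # slide the left edge forward until the span is at most `window` seconds
            while ts - events[lo][0] > window:
                old_dst = events[lo][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                lo += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            hits[src] = best
    return hits


def correlate(dns_records, conn_records, **kw):
    """Hosts that both failed the kill-switch lookup and then swept port 445:
    the strongest sign of an active WannaCry worm stage on the segment."""
    scanners = smb_scan_sources(conn_records, **kw)
    return sorted(failed_killswitch_lookups(dns_records) & set(scanners))


if __name__ == "__main__":
    print("kill-switch lookups failed:", sorted(failed_killswitch_lookups(DNS)))
    print("port-445 sweepers:", smb_scan_sources(CONN))
    print("likely infected:", correlate(DNS, CONN))
```

Counting distinct destinations within a sliding window, rather than raw connection counts, keeps a busy client of a single file server from tripping the rule; `min_targets` and `window` should be tuned to the segment's normal SMB fan-out. A real deployment should also alert on the other branch: a host that resolved the domain and then made an HTTP request to it has still executed the sample, even though the worm stage did not fire.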
WannaCry Indicators of Compromise (IOCs) for the analyzed sample:
md5: db349b97c37d22f5ea1d1841e3c89eb4
sha1: e889544aff85ffaf8b0d0da705105dee7c97fe26
sha256: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
precisionsec analysts are constantly adding ransomware Indicators of Compromise (IOCs), such as these WannaCry hashes, to our threat intelligence feed. Check out our Locky IOC Feed for the latest data.