On Friday, May 12, 2017, version 2.0 of the WannaCry (WanaCry) Ransomware generated global interest due to infecting a number of systems in high profile government institutions across the globe, including the NHS, Russian Interior Ministry, FedEx, the Russian Police, one of the largest cellphone operators in Russia (MegaFon), and the Frankfurt S-Bahn.
The malware authors added worm functionality to the Ransomware, which enabled it to spread using the recently patched MS17-010 vulnerability, rated ‘Critical’, which allows it to propagate by sending “specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.” This vulnerability was made public in the recent Shadow Brokers leak of supposed NSA hacking tools on April 14, 2017, and is codenamed “EternalBlue.” The vulnerability was patched by Microsoft on March 14 of this year.
precisionsec analysts immediately began analysis, and we were able to generate a packet capture of the malware scanning for additional hosts to infect over port 445. A few people have asked us via our Twitter account to share the packet capture (pcap) we generated on Friday showing the WannaCry 2.0 malware scanning port 445. Note that in this packet capture the DNS lookup to the killswitch domain www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com failed, which initiated the SMB port 445 scan.
You can find the pcap file here.
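One way to spot the sequence described above on a network (a failed lookup of the killswitch domain followed by one host opening SMB connections to many distinct peers), written here as an added example rather than code from the original post. It runs on a constructed, simplified event format of my own (epoch, source IP, event, detail), not on the pcap itself; the threshold and window values are assumptions to tune per environment.

```python
from collections import defaultdict

KILLSWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def parse_records(text):
    """Parse the constructed format: <epoch> <src_ip> <event> <detail>.
    event is DNS_FAIL (detail = queried name) or SYN (detail = dst_ip:port)."""
    records = []
    for line in text.strip().splitlines():
        ts, src, event, detail = line.split()
        records.append((int(ts), src, event, detail))
    return records


def find_smb_scanners(records, min_targets=10, window_seconds=60):
    """Return {src: {...}} for sources that attempt TCP/445 to at least
    min_targets distinct hosts within any window_seconds span. The DNS flag
    marks sources that also failed to resolve the killswitch domain, which
    raises confidence that this is WannaCry rather than an admin's scanner."""
    syns = defaultdict(list)  # src -> [(ts, dst_ip)]
    dns_failed = set()
    for ts, src, event, detail in records:
        if event == "DNS_FAIL" and detail.lower() == KILLSWITCH_DOMAIN:
            dns_failed.add(src)
        elif event == "SYN" and detail.endswith(":445"):
            syns[src].append((ts, detail.rsplit(":", 1)[0]))
    findings = {}
    for src, attempts in syns.items():
        attempts.sort()
        best = 0
        for i, (t0, _) in enumerate(attempts):  # sliding window over sorted SYNs
            in_window = {dst for t, dst in attempts[i:] if t - t0 <= window_seconds}
            best = max(best, len(in_window))
        if best >= min_targets:
            findings[src] = {"distinct_445_targets": best,
                             "killswitch_dns_failed": src in dns_failed}
    return findings


# Constructed sample: 10.0.0.5 shows the WannaCry pattern, 10.0.0.7 is a normal
# client repeatedly reaching one file server, 10.0.0.9 sweeps 445 with no DNS failure.
SAMPLE_LOG = "1494600000 10.0.0.5 DNS_FAIL " + KILLSWITCH_DOMAIN + "\n"
SAMPLE_LOG += "".join(f"{1494600001 + i} 10.0.0.5 SYN 10.0.0.{100 + i}:445\n" for i in range(40))
SAMPLE_LOG += "".join(f"{1494600001 + 5 * i} 10.0.0.7 SYN 10.0.0.20:445\n" for i in range(30))
SAMPLE_LOG += "".join(f"{1494600001 + i} 10.0.0.9 SYN 10.0.1.{i}:445\n" for i in range(15))


def run_sample():
    return find_smb_scanners(parse_records(SAMPLE_LOG))
```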
WannaCry Indicators of Compromise (IOCs) for the analyzed sample: