WanaCrypt0r 2.0

Forum for analysis and discussion about malware.
Xylitol
Global Moderator
Posts: 1667
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

WanaCrypt0r 2.0

Post by Xylitol » Fri May 12, 2017 6:03 pm

What is 'WanaCrypt0r 2.0' ransomware and why is it attacking the NHS? ~ https://www.theguardian.com/technology/ ... crypt0r-20
Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage ~ https://www.bleepingcomputer.com/news/s ... a-rampage/
pwned ~ https://pbs.twimg.com/media/C_pfnkeXcAAm2ZB.jpg
CERT-FR ~ http://www.cert.ssi.gouv.fr/site/CERTFR ... index.html
Fox news ~ http://www.foxnews.com/tech/2017/05/12/ ... ppled.html

on bleepingcomputer:
"French security researcher Kafeine, who was the first to spot that Wana Decrypt0r triggered security alerts for ETERNALBLUE, an alleged NSA exploit"
Mistake here according to Twitter: someone at CCN-CERT reported it first.
https://twitter.com/kafeine/status/863049739583016960
https://twitter.com/siri_urz/status/863044639384842240

wanacryptor: https://www.virustotal.com/en/file/ed01 ... 494611403/
WeCry: https://www.virustotal.com/en/file/3e6d ... 494612021/
https://www.hybrid-analysis.com/sample/ ... 2-00002912

asianman6924
Posts: 1
Joined: Sun Apr 10, 2011 1:57 am

Re: WanaCrypt0r 2.0

Post by asianman6924 » Fri May 12, 2017 7:23 pm

The outbreak of this malware is crazy!
45,000 attacks in over 74 countries

https://twitter.com/craiu/status/863076786887852032

Xylitol
Global Moderator
Posts: 1667
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society

Re: WanaCrypt0r 2.0

Post by Xylitol » Fri May 12, 2017 7:54 pm

On WanaCrypt0r 2.0, it does a FindResourceA on resource 'XIA', procedure at 00401DAB; it's a zip archive, password protected with pw 'WNcry@2ol7'. Stuff is dropped on the disk with the procedure at 00401E41:
0040732B |. FF15 34804000 CALL DWORD PTR DS:[<&KERNEL32.CreateFi>; \CreateFileA
CreateProcess at 004020E1 with attrib +h . and icacls . /grant Everyone:F /T /C /Q, and memcpy at 004023A7 where you can see a PE header as buffer (a dll containing the cryptor part I suppose, haven't looked) https://www.virustotal.com/en/file/d062 ... 494620280/

Target extensions (just an assumption since I haven't looked, just hex viewed):


.der
.pfx
.key
.crt
.csr
.p12
.pem
.odt
.ott
.sxw
.stw
.uot
.3ds
.max
.3dm
.ods
.ots
.sxc
.stc
.dif
.slk
.wb2
.odp
.otp
.sxd
.std
.uop
.odg
.otg
.sxm
.mml
.lay
.lay6
.asc
.sqlite3
.sqlitedb
.sql
.accdb
.mdb
.db
.dbf
.odb
.frm
.myd
.myi
.ibd
.mdf
.ldf
.sln
.suo
.cs
.c
.cpp
.pas
.h
.asm
.js
.cmd
.bat
.ps1
.vbs
.vb
.pl
.dip
.dch
.sch
.brd
.jsp
.php
.asp
.rb
.java
.jar
.class
.sh
.mp3
.wav
.swf
.fla
.wmv
.mpg
.vob
.mpeg
.asf
.avi
.mov
.mp4
.3gp
.mkv
.3g2
.flv
.wma
.mid
.m3u
.m4u
.djvu
.svg
.ai
.psd
.nef
.tiff
.tif
.cgm
.raw
.gif
.png
.bmp
.vcd
.iso
.backup
.zip
.rar
.7z
.gz
.tgz
.tar
.bak
.tbk
.bz2
.PAQ
.ARC
.aes
.gpg
.vmx
.vmdk
.vdi
.sldm
.sldx
.sti
.sxi
.602
.hwp
.edb
.potm
.potx
.ppam
.ppsx
.ppsm
.pps
.pot
.pptm
.xltm
.xltx
.xlc
.xlm
.xlt
.xlw
.xlsb
.xlsm
.dotx
.dotm
.dot
.docm
.docb
.jpg
.jpeg
.snt
.onetoc2
.dwg
.pdf
.wk1
.wks
.123
.rtf
.csv
.txt
.vsdx
.vsd
.eml
.msg
.ost
.pst
.pptx
.ppt
.xlsx
.xls
.docx
.doc
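The post above locates the embedded archive through the 'XIA' resource and gives the archive password. The following is an added example (not Xylitol's code, not from the malware) that shows the same extraction done the quick way, without a PE resource walker: it carves the first ZIP archive out of an arbitrary blob by its local-file-header and end-of-central-directory signatures and then opens it with the password quoted in the post. The blob built by build_test_blob() is constructed here and its archive is unencrypted, so zipfile ignores the password for it; on the real sample the password is used.

```python
"""Carve an embedded ZIP out of a PE (or any blob) and extract its members.

Added example for this thread, not code from the original post or sample.
It does not parse the PE resource directory (the post identifies the resource
'XIA' and the procedure addresses); it finds the archive by ZIP signatures,
which is what you do after spotting it in a hex viewer.
"""
import hashlib
import io
import struct
import zipfile
from typing import Dict, Optional, Tuple

LFH_SIG = b"PK\x03\x04"   # ZIP local file header
EOCD_SIG = b"PK\x05\x06"  # ZIP end of central directory record (22 bytes + comment)
WANA_ZIP_PASSWORD = b"WNcry@2ol7"  # password quoted in the post above


def carve_zip(blob: bytes) -> Optional[bytes]:
    """Return the first embedded ZIP archive in blob, or None if none is found."""
    start = blob.find(LFH_SIG)
    if start < 0:
        return None
    eocd = blob.find(EOCD_SIG, start)
    if eocd < 0:
        return None
    # The EOCD record is 22 bytes long; its last 2 bytes hold the comment length.
    comment_len = struct.unpack_from("<H", blob, eocd + 20)[0]
    return blob[start:eocd + 22 + comment_len]


def extract_dropped_files(blob: bytes,
                          password: bytes = WANA_ZIP_PASSWORD) -> Dict[str, Tuple[int, str]]:
    """Carve the archive and return {member name: (size, sha256)}.

    zipfile only consults pwd for members whose encryption flag is set, so the
    same routine works on the constructed test archive and on an encrypted one.
    """
    archive = carve_zip(blob)
    if archive is None:
        raise ValueError("no ZIP archive found in blob")
    out: Dict[str, Tuple[int, str]] = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename, pwd=password)
            out[info.filename] = (len(data), hashlib.sha256(data).hexdigest())
    return out


def build_test_blob() -> bytes:
    """Constructed input: junk bytes around a small unencrypted ZIP.

    Member names and contents are made up for the demo; only the name t.wnry
    comes from this thread.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("t.wnry", b"\x00" * 64)
        zf.writestr("note.txt", "constructed test content")
    return b"MZ" + b"\x90" * 200 + buf.getvalue() + b"\xcc" * 50


if __name__ == "__main__":
    for name, (size, digest) in extract_dropped_files(build_test_blob()).items():
        print(f"{name:12} {size:6d} {digest}")
```

On a real sample, read the PE into memory and pass it to extract_dropped_files; if the carved archive reports a bad password, the member is encrypted with something other than the quoted password, and if carve_zip returns None, the archive is not stored as a plain ZIP at that location.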

User avatar
maddog4012
Posts: 71
Joined: Mon Aug 04, 2014 6:53 pm

Re: WanaCrypt0r 2.0

Post by maddog4012 » Fri May 12, 2017 8:31 pm

here are a few more samples

v3rd1ct
Posts: 1
Joined: Sat May 13, 2017 3:44 am

Re: WanaCrypt0r 2.0

Post by v3rd1ct » Sat May 13, 2017 4:01 am

maddog, your included password is not working?

Insid3Code
Posts: 4
Joined: Wed Aug 20, 2014 11:24 am

Re: WanaCrypt0r 2.0

Post by Insid3Code » Sat May 13, 2017 10:10 am

v3rd1ct wrote: maddog, your included password is not working?
lowercase

sysopfb
Posts: 96
Joined: Thu Oct 23, 2014 1:22 am

Re: WanaCrypt0r 2.0

Post by sysopfb » Sat May 13, 2017 10:31 pm

The t.wnry file that is written has a header on top of 256 bytes that is decrypted using the RSA private key from the loader.

That decrypts to a 16 byte AES key that can be used to then decrypt out a DLL from that same file in CBC mode with a 16 byte IV of NULL bytes.

f351e1fcca0c4ea05fc44d15a17f8b36 for the decrypted DLL of the sample I looked at.
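The two-step unwrap sysopfb describes (RSA-decrypt a 256-byte header to get a 16-byte AES key, then AES-CBC with an all-zero IV over the rest) is written out below as an added example; it is not sysopfb's code. The container layout it assumes is a simplification: a 256-byte RSA blob followed directly by the ciphertext, with a key_offset parameter to skip any leading fields the real file carries. PKCS#1 v1.5 padding and a 2048-bit key are assumptions, the private key used in roundtrip_demo() is generated on the spot rather than taken from the loader, and the plaintext is a constructed stand-in for the DLL. It needs the cryptography package.

```python
"""Decrypt a t.wnry-style container: RSA-wrapped AES key, then AES-CBC, null IV.

Added example for this thread, not sysopfb's code.  Assumed layout
(simplified): [256-byte RSA blob][AES-CBC ciphertext].  Assumed RSA padding:
PKCS#1 v1.5 under a 2048-bit key.  Requires the 'cryptography' package.
"""
import os
from typing import Tuple

RSA_BLOB_LEN = 256        # output size of a 2048-bit RSA operation (assumption)
AES_KEY_LEN = 16          # 16-byte AES key, per the post
NULL_IV = b"\x00" * 16    # 16-byte IV of NULL bytes, per the post


def split_container(data: bytes, key_offset: int = 0) -> Tuple[bytes, bytes]:
    """Return (rsa_blob, ciphertext). key_offset skips any leading fields."""
    rsa_blob = data[key_offset:key_offset + RSA_BLOB_LEN]
    if len(rsa_blob) != RSA_BLOB_LEN:
        raise ValueError("container shorter than the RSA-wrapped key")
    body = data[key_offset + RSA_BLOB_LEN:]
    if len(body) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return rsa_blob, body


def unwrap_aes_key(private_key, rsa_blob: bytes) -> bytes:
    """RSA-decrypt the header; refuse anything that is not a 16-byte key."""
    from cryptography.hazmat.primitives.asymmetric import padding
    key = private_key.decrypt(rsa_blob, padding.PKCS1v15())
    if len(key) != AES_KEY_LEN:
        raise ValueError(f"expected a {AES_KEY_LEN}-byte AES key, got {len(key)}")
    return key


def aes_cbc_null_iv(key: bytes, data: bytes, decrypt: bool = True) -> bytes:
    """AES-CBC with an all-zero IV; no padding is added or removed."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    cipher = Cipher(algorithms.AES(key), modes.CBC(NULL_IV))
    op = cipher.decryptor() if decrypt else cipher.encryptor()
    return op.update(data) + op.finalize()


def decrypt_container(private_key, data: bytes, key_offset: int = 0) -> bytes:
    """Full unwrap: header -> AES key -> plaintext (DLL plus any trailing padding)."""
    rsa_blob, body = split_container(data, key_offset)
    return aes_cbc_null_iv(unwrap_aes_key(private_key, rsa_blob), body)


def roundtrip_demo() -> bool:
    """Build a synthetic container with a fresh key pair and decrypt it back."""
    from cryptography.hazmat.primitives.asymmetric import padding, rsa
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    aes_key = os.urandom(AES_KEY_LEN)
    plaintext = b"MZ" + b"\x90" * 14   # constructed 16-byte stand-in for the DLL
    container = (priv.public_key().encrypt(aes_key, padding.PKCS1v15())
                 + aes_cbc_null_iv(aes_key, plaintext, decrypt=False))
    return decrypt_container(priv, container) == plaintext


if __name__ == "__main__":
    print("round trip ok:", roundtrip_demo())
```

With the loader's private key loaded as a cryptography RSAPrivateKey object, decrypt_container(priv, open("t.wnry", "rb").read(), key_offset=...) gives the DLL; the MZ header in the output marks where the module starts, and the MD5 quoted above is the check for the sample sysopfb looked at.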

FTL2000
Posts: 4
Joined: Mon Feb 22, 2016 3:15 am

Re: WanaCrypt0r 2.0

Post by FTL2000 » Sun May 14, 2017 5:12 pm

Has anyone taken a look at the PKY, EKY, RES and other files? I found the "RSA 1.1" string inside the PKY file, so I think it has something to do with an RSA key...
Respective files are attached below (no live samples, only the files mentioned above).

DJFelix
Posts: 1
Joined: Fri May 12, 2017 10:13 pm

Re: WanaCrypt0r 2.0

Post by DJFelix » Sun May 14, 2017 8:03 pm

The supposed RSA keys have been posted in this Pastebin: https://pastebin.com/SNBdGbJh

Has anyone been able to verify or test this?

benkow_
Posts: 84
Joined: Sat Jan 24, 2015 12:14 pm

Re: WanaCrypt0r 2.0

Post by benkow_ » Sun May 14, 2017 9:36 pm

Patched kill switch version


http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com
https://www.virustotal.com/fr/file/32f2 ... /analysis/
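A variant whose kill-switch URL has been edited, as in benkow_'s sample above, slips past an exact-match watchlist but stays within a few characters of the original. The added example below (not benkow_'s code) pulls http://www.* URLs out of a sample's bytes and scores each hostname by edit distance against a known list. The list holds only the original sinkholed domain, which comes from public reporting rather than from this thread; the sample bytes are constructed and contain the patched domain quoted in the post plus an unrelated URL.

```python
"""Flag kill-switch domains that were edited by a few characters.

Added example for this thread, not code from the post or the sample.
"""
import re
from typing import Dict, List

# Original WannaCry kill-switch domain, sinkholed in May 2017 (public reporting).
KNOWN_KILL_SWITCH_DOMAINS = [
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
]

# Matches http://www.<host> and https://www.<host> in raw bytes.
URL_RE = re.compile(rb"https?://www\.([a-z0-9-]+\.[a-z]{2,})")

# Constructed sample bytes: the patched domain from the post above, plus an
# unrelated URL, with some padding around them.
CONSTRUCTED_SAMPLE = (
    b"\x00" * 8
    + b"http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com\x00"
    + b"\x90" * 16
    + b"http://www.example.com\x00"
)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert / delete / substitute), one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,               # delete ca
                           cur[j - 1] + 1,            # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def extract_domains(sample: bytes) -> List[str]:
    """Unique hostnames referenced through http(s)://www. in the sample."""
    return sorted({m.group(1).decode("ascii") for m in URL_RE.finditer(sample)})


def classify(sample: bytes, max_distance: int = 4) -> Dict[str, str]:
    """Label each extracted domain as known, a close variant, or unrelated."""
    verdicts: Dict[str, str] = {}
    for domain in extract_domains(sample):
        nearest = min(KNOWN_KILL_SWITCH_DOMAINS, key=lambda k: levenshtein(domain, k))
        dist = levenshtein(domain, nearest)
        if dist == 0:
            verdicts[domain] = "known kill switch"
        elif dist <= max_distance:
            verdicts[domain] = f"patched variant of {nearest} (distance {dist})"
        else:
            verdicts[domain] = "unrelated"
    return verdicts


if __name__ == "__main__":
    for domain, verdict in classify(CONSTRUCTED_SAMPLE).items():
        print(f"{domain:50} {verdict}")
```

The distance threshold is a judgement call: the patched domain in this thread sits at distance 2 from the original, and anything much above 4 on a 41-character label is more likely a coincidence than an edit, so treat near-misses as leads for manual review rather than as verdicts.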
