WanaCrypt0r 2.0

Forum for analysis and discussion about malware.

WanaCrypt0r 2.0

Postby Xylitol » Fri May 12, 2017 6:03 pm

What is 'WanaCrypt0r 2.0' ransomware and why is it attacking the NHS? ~ https://www.theguardian.com/technology/ ... crypt0r-20
Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage ~ https://www.bleepingcomputer.com/news/s ... a-rampage/
pwned ~ https://pbs.twimg.com/media/C_pfnkeXcAAm2ZB.jpg
CERT-FR ~ http://www.cert.ssi.gouv.fr/site/CERTFR ... index.html
Fox news ~ http://www.foxnews.com/tech/2017/05/12/ ... ppled.html

on bleepingcomputer:
"French security researcher Kafeine, who was the first to spot that Wana Decrypt0r triggered security alerts for ETERNALBLUE, an alleged NSA exploit"
Mistake here according to Twitter: someone at CCN-CERT reported it first.
https://twitter.com/kafeine/status/863049739583016960
https://twitter.com/siri_urz/status/863044639384842240

wanacryptor: https://www.virustotal.com/en/file/ed01 ... 494611403/
WeCry: https://www.virustotal.com/en/file/3e6d ... 494612021/
https://www.hybrid-analysis.com/sample/ ... 2-00002912
Xylitol
Global Moderator
Posts: 1620
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 479

Re: WanaCrypt0r 2.0

Postby asianman6924 » Fri May 12, 2017 7:23 pm

The outbreak of this malware is crazy!
45,000 attacks in over 74 countries

https://twitter.com/craiu/status/863076786887852032
asianman6924
Posts: 1
Joined: Sun Apr 10, 2011 1:57 am
Reputation point: 0

Re: WanaCrypt0r 2.0

Postby Xylitol » Fri May 12, 2017 7:54 pm

On WanaCrypt0r 2.0, it does a FindResourceA on resource 'XIA', procedure at 00401DAB; it's a password-protected zip archive with pw 'WNcry@2ol7'. The stuff is dropped on the disk with the procedure at 00401E41:
0040732B |. FF15 34804000 CALL DWORD PTR DS:[<&KERNEL32.CreateFi>; \CreateFileA
CreateProcess at 004020E1 with attrib +h . and icacls . /grant Everyone:F /T /C /Q, and memcpy at 004023A7 where you can see a PE header as buffer (a DLL containing the cryptor part, I suppose; haven't looked) https://www.virustotal.com/en/file/d062 ... 494620280/

Target extensions (just an assumption since I haven't looked, only hex viewed):
Code: Select all
.der
.pfx
.key
.crt
.csr
.p12
.pem
.odt
.ott
.sxw
.stw
.uot
.3ds
.max
.3dm
.ods
.ots
.sxc
.stc
.dif
.slk
.wb2
.odp
.otp
.sxd
.std
.uop
.odg
.otg
.sxm
.mml
.lay
.lay6
.asc
.sqlite3
.sqlitedb
.sql
.accdb
.mdb
.db
.dbf
.odb
.frm
.myd
.myi
.ibd
.mdf
.ldf
.sln
.suo
.cs
.c
.cpp
.pas
.h
.asm
.js
.cmd
.bat
.ps1
.vbs
.vb
.pl
.dip
.dch
.sch
.brd
.jsp
.php
.asp
.rb
.java
.jar
.class
.sh
.mp3
.wav
.swf
.fla
.wmv
.mpg
.vob
.mpeg
.asf
.avi
.mov
.mp4
.3gp
.mkv
.3g2
.flv
.wma
.mid
.m3u
.m4u
.djvu
.svg
.ai
.psd
.nef
.tiff
.tif
.cgm
.raw
.gif
.png
.bmp
.vcd
.iso
.backup
.zip
.rar
.7z
.gz
.tgz
.tar
.bak
.tbk
.bz2
.PAQ
.ARC
.aes
.gpg
.vmx
.vmdk
.vdi
.sldm
.sldx
.sti
.sxi
.602
.hwp
.edb
.potm
.potx
.ppam
.ppsx
.ppsm
.pps
.pot
.pptm
.xltm
.xltx
.xlc
.xlm
.xlt
.xlw
.xlsb
.xlsm
.dotx
.dotm
.dot
.docm
.docb
.jpg
.jpeg
.snt
.onetoc2
.dwg
.pdf
.wk1
.wks
.123
.rtf
.csv
.txt
.vsdx
.vsd
.eml
.msg
.ost
.pst
.pptx
.ppt
.xlsx
.xls
.docx
.doc
Xylitol
Global Moderator
Posts: 1620
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 479

Re: WanaCrypt0r 2.0

Postby maddog4012 » Fri May 12, 2017 8:31 pm

Here are a few more samples.
maddog4012
Posts: 40
Joined: Mon Aug 04, 2014 6:53 pm
Reputation point: 31

Re: WanaCrypt0r 2.0

Postby v3rd1ct » Sat May 13, 2017 4:01 am

maddog, your included password is not working?
v3rd1ct
Posts: 1
Joined: Sat May 13, 2017 3:44 am
Reputation point: 0

Re: WanaCrypt0r 2.0

Postby Insid3Code » Sat May 13, 2017 10:10 am

v3rd1ct wrote: maddog, your included password is not working?

Lowercase.
Insid3Code
Posts: 4
Joined: Wed Aug 20, 2014 11:24 am
Reputation point: 0

Re: WanaCrypt0r 2.0

Postby sysopfb » Sat May 13, 2017 10:31 pm

The t.wnry file that is written has a 256-byte header on top that is decrypted using the RSA private key from the loader.

That decrypts to a 16-byte AES key, which can then be used to decrypt a DLL out of that same file in CBC mode with a 16-byte IV of NULL bytes.

f351e1fcca0c4ea05fc44d15a17f8b36 for the decrypted DLL of the sample I looked at.
sysopfb
Posts: 88
Joined: Thu Oct 23, 2014 1:22 am
Reputation point: 52
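Added example, not code from this thread or from the sample itself: an unwrapping routine that follows the two-stage layout sysopfb describes (256-byte RSA-encrypted header yielding a 16-byte AES key, then AES-128-CBC with a zero IV over the rest). The header sitting at offset 0 with the ciphertext directly after it, and PKCS#1 v1.5 padding, are assumptions of this example; wrapPayload exists only so the routine can be exercised offline with a constructed key pair.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"errors"
)

const headerLen = 256 // RSA-2048 block that wraps the AES key, per the post above

// unwrapPayload decrypts the first 256 bytes with the loader's RSA private key to
// recover a 16-byte AES key, then AES-128-CBC-decrypts the remainder under a 16-byte
// IV of NULL bytes. Header at offset 0, body directly after, and PKCS#1 v1.5 padding
// are assumptions of this example, not statements from the post.
func unwrapPayload(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < headerLen {
		return nil, errors.New("blob shorter than the 256-byte header")
	}
	key, err := rsa.DecryptPKCS1v15(nil, priv, blob[:headerLen])
	if err != nil || len(key) != 16 {
		return nil, errors.New("RSA header did not yield a 16-byte AES key")
	}
	body := blob[headerLen:]
	if len(body)%aes.BlockSize != 0 {
		return nil, errors.New("AES body length is not a multiple of 16")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length already validated
	out := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(out, body) // zero IV
	return out, nil
}

// wrapPayload builds a blob in the same assumed layout from a constructed key pair so the
// example runs offline; it is test scaffolding, not a reproduction of the loader.
func wrapPayload(pub *rsa.PublicKey, aesKey, plain []byte) ([]byte, error) {
	if len(aesKey) != 16 || len(plain)%aes.BlockSize != 0 {
		return nil, errors.New("need a 16-byte key and a 16-byte-aligned body")
	}
	hdr, err := rsa.EncryptPKCS1v15(rand.Reader, pub, aesKey)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(aesKey)
	body := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(body, plain)
	return append(hdr, body...), nil
}
```

A real t.wnry would be fed to unwrapPayload together with the private key recovered from the loader; checking that the output starts with an MZ header is a quick sanity test that the key and layout assumptions held.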

Re: WanaCrypt0r 2.0

Postby FTL2000 » Sun May 14, 2017 5:12 pm

Has anyone taken a look at the PKY, EKY, RES and other files? I found an "RSA 1.1" string inside the PKY file, so I think it has something to do with an RSA key...
The respective files are attached below (no live samples, only the files mentioned above).
FTL2000
Posts: 4
Joined: Mon Feb 22, 2016 3:15 am
Reputation point: 4

Re: WanaCrypt0r 2.0

Postby DJFelix » Sun May 14, 2017 8:03 pm

The supposed RSA keys have been posted in this Pastebin: https://pastebin.com/SNBdGbJh

Has anyone been able to verify or test this?
DJFelix
Posts: 1
Joined: Fri May 12, 2017 10:13 pm
Reputation point: 0

Re: WanaCrypt0r 2.0

Postby benkow_ » Sun May 14, 2017 9:36 pm

Patched kill switch version
Code: Select all
http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

https://www.virustotal.com/fr/file/32f2 ... /analysis/
benkow_
Posts: 68
Joined: Sat Jan 24, 2015 12:14 pm
Reputation point: 41
