
Ransom:Win32/WannaCrypt


First posted on 13 May 2017.
Source: Microsoft

Aliases :

There are no other names known for Ransom:Win32/WannaCrypt.

Explanation :

Installation

When run, it tries to communicate with the following URL:

  • xxx.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com on port 80


It can create the following file and service:


  • %SystemRoot%\tasksche.exe

  • mssecsvc2.0
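
A defender-side check for the installation indicators above, as an added example that is not part of the original analysis: it reads constructed "timestamp key=value" DNS and host log lines and flags a lookup of the listed domain (shown on the page with its leading label defanged, so the check matches the registered domain and any host beneath it), creation of tasksche.exe under %SystemRoot%, and installation of the mssecsvc2.0 service. The log format, the sample lines and the host names and addresses in them are assumptions made for this example.

```python
# Added example (not part of the original analysis): flag the installation
# indicators listed in the entry in plain-text DNS and host logs. The
# 'ts key=value' log format and every line in SAMPLE_LOG are constructed.

# Indicators copied from the entry. The page shows the domain with a defanged
# leading label, so the check matches the registered domain and any host under it.
KILLSWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SERVICE_NAME = "mssecsvc2.0"
DROPPED_FILE = "tasksche.exe"


def _fields(line):
    """Split a constructed 'ts k=v k=v ...' line into (ts, {k: v}); (None, {}) if blank."""
    parts = line.split()
    if not parts:
        return None, {}
    kv = {}
    for tok in parts[1:]:
        if "=" in tok:
            k, v = tok.split("=", 1)
            kv[k.lower()] = v
    return parts[0], kv


def is_killswitch_lookup(qname):
    """True if a queried name is the listed domain itself or any label under it."""
    qname = qname.lower().rstrip(".")
    return qname == KILLSWITCH_DOMAIN or qname.endswith("." + KILLSWITCH_DOMAIN)


def is_dropped_binary(path, system_root="C:\\Windows"):
    """True if path is exactly %SystemRoot%\\tasksche.exe (case-insensitive, either slash)."""
    norm = path.replace("/", "\\").lower()
    expected = system_root.replace("/", "\\").rstrip("\\") + "\\" + DROPPED_FILE
    return norm == expected.lower()


def scan_install_indicators(lines, system_root="C:\\Windows"):
    """Return one finding per matching line: which indicator fired, when, and where."""
    findings = []
    for line in lines:
        ts, kv = _fields(line)
        if ts is None:
            continue
        if "query" in kv and is_killswitch_lookup(kv["query"]):
            findings.append({"ts": ts, "indicator": "killswitch_dns",
                             "where": kv.get("client", "?")})
        if kv.get("event") == "file_created" and is_dropped_binary(kv.get("path", ""), system_root):
            findings.append({"ts": ts, "indicator": "dropped_" + DROPPED_FILE,
                             "where": kv.get("host", "?")})
        if kv.get("event") == "service_installed" and kv.get("name", "").lower() == SERVICE_NAME:
            findings.append({"ts": ts, "indicator": "service_" + SERVICE_NAME,
                             "where": kv.get("host", "?")})
    return findings


# Constructed sample: one host (10.1.4.37 / WS-37) shows all three indicators;
# the rest is benign noise, including a tasksche.exe outside %SystemRoot%.
SAMPLE_LOG = [
    "2017-05-12T09:58:11Z client=10.1.4.22 query=www.microsoft.com type=A",
    "2017-05-12T10:01:02Z client=10.1.4.37 query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com type=A",
    "2017-05-12T10:01:03Z host=WS-37 event=file_created path=C:\\Windows\\tasksche.exe",
    "2017-05-12T10:01:04Z host=WS-37 event=service_installed name=mssecsvc2.0",
    "2017-05-12T10:01:09Z host=WS-22 event=service_installed name=Spooler",
    "2017-05-12T10:02:00Z host=WS-40 event=file_created path=C:\\Users\\bob\\tasksche.exe",
]

if __name__ == "__main__":
    for f in scan_install_indicators(SAMPLE_LOG):
        print(f"{f['ts']} {f['indicator']:<22} {f['where']}")
```

The domain lookup is the first thing the sample does, so it shows up in DNS logs for every host that ran it, including hosts where the lookup succeeded and nothing was encrypted. Treat the query as an alert to investigate the source host rather than as something to block: a successful resolution of that domain is what stops the sample.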


Payload

Encrypts files

This threat searches for and encrypts files with the following filename extensions:

.123, .602, .doc, .3dm, .3ds, .3g2, .3gp, .7z, .accdb, .aes, .ai, .ARC,
.asc, .asf, .asm, .asp, .avi, .backup, .bak, .bat, .bmp, .brd, .bz2, .c,
.cgm, .class, .cmd, .cpp, .crt, .cs, .csr, .csv, .db, .dbf, .dch, .der,
.dif, .dip, .djvu, .docb, .docm, .docx, .dot, .dotm, .dotx, .dwg, .edb, .eml,
.fla, .flv, .frm, .gif, .gpg, .gz, .h, .hwp, .ibd, .iso, .jar, .java,
.jpeg, .jpg, .js, .jsp, .key, .lay, .lay6, .ldf, .m3u, .m4u, .max, .mdb,
.mdf, .mid, .mkv, .mml, .mov, .mp3, .mp4, .mpeg, .mpg, .msg, .myd, .myi,
.nef, .odb, .odg, .odp, .ods, .odt, .onetoc2, .ost, .otg, .otp, .ots, .ott,
.p12, .PAQ, .pas, .pdf, .pem, .pfx, .php, .pl, .png, .pot, .potm, .potx,
.ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .ps1, .psd, .pst, .rar, .raw,
.rb, .rtf, .sch, .sh, .sldm, .sldx, .slk, .sln, .snt, .sql, .sqlite3, .sqlitedb,
.stc, .std, .sti, .stw, .suo, .svg, .swf, .sxc, .sxd, .sxi, .sxm, .sxw,
.tar, .tbk, .tgz, .tif, .tiff, .txt, .uop, .uot, .vb, .vbs, .vcd, .vdi,
.vmdk, .vmx, .vob, .vsd, .vsdx, .wav, .wb2, .wk1, .wks, .wma, .wmv, .xlc,
.xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .zip



The ransomware may create the following files:
  • r.wnry
  • s.wnry
  • t.wnry
  • taskdl.exe
  • taskse.exe
  • 00000000.eky
  • 00000000.res
  • 00000000.pky
  • @WanaDecryptor@.exe
  • @Please_Read_Me@.txt
  • m.vbs
  • @WanaDecryptor@.exe.lnk


It appends .WNCRY to the filename of encrypted files. For example:
  • file.docx is renamed to file.docx.WNCRY
  • file.pdf is renamed to file.pdf.WNCRY


SHA1s used in this analysis:
  • 51e4307093f8ca8854359c0ac882ddca427a813c
  • 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
  • bd44d0ab543bf814d93b719c24e90d8dd7111234
  • 87420a2791d18dad3f18be436045280a4cc16fc4
  • e889544aff85ffaf8b0d0da705105dee7c97fe26
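
To put the file artifacts, the .WNCRY rename and the SHA1 list above to use in triage, here is an added example (not code from the original analysis) that walks a file inventory of (path, SHA1) pairs: it recovers the original filename of each .WNCRY file, checks whether that original extension is on the targeted list, flags the named artifact files and the directories holding the ransom note, and matches hashes against the SHA1s listed. The inventory and the "constructed-*" hash placeholders are made up; the one real SHA1 is copied from the list above and its pairing with a path is an assumption.

```python
import os

# Added example (not part of the original analysis): triage a file inventory for
# the artifacts the entry lists. Indicator values are copied from the entry;
# SAMPLE_INVENTORY paths and all hashes marked 'constructed' are made up.
ENCRYPTED_SUFFIX = ".wncry"  # the entry: encrypted files get .WNCRY appended

# The extension list from the Payload section, lower-cased for comparison.
TARGETED_EXTENSIONS = frozenset("""
.123 .602 .doc .3dm .3ds .3g2 .3gp .7z .accdb .aes .ai .arc .asc .asf .asm .asp
.avi .backup .bak .bat .bmp .brd .bz2 .c .cgm .class .cmd .cpp .crt .cs .csr .csv
.db .dbf .dch .der .dif .dip .djvu .docb .docm .docx .dot .dotm .dotx .dwg .edb
.eml .fla .flv .frm .gif .gpg .gz .h .hwp .ibd .iso .jar .java .jpeg .jpg .js .jsp
.key .lay .lay6 .ldf .m3u .m4u .max .mdb .mdf .mid .mkv .mml .mov .mp3 .mp4 .mpeg
.mpg .msg .myd .myi .nef .odb .odg .odp .ods .odt .onetoc2 .ost .otg .otp .ots .ott
.p12 .paq .pas .pdf .pem .pfx .php .pl .png .pot .potm .potx .ppam .pps .ppsm .ppsx
.ppt .pptm .pptx .ps1 .psd .pst .rar .raw .rb .rtf .sch .sh .sldm .sldx .slk .sln
.snt .sql .sqlite3 .sqlitedb .stc .std .sti .stw .suo .svg .swf .sxc .sxd .sxi .sxm
.sxw .tar .tbk .tgz .tif .tiff .txt .uop .uot .vb .vbs .vcd .vdi .vmdk .vmx .vob
.vsd .vsdx .wav .wb2 .wk1 .wks .wma .wmv .xlc .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm
.xltx .xlw .zip
""".split())

# Files the entry says the ransomware may create, plus the dropped tasksche.exe
# from the Installation section; lower-cased so matching is case-insensitive.
ARTIFACT_NAMES = frozenset(n.lower() for n in [
    "r.wnry", "s.wnry", "t.wnry", "taskdl.exe", "taskse.exe",
    "00000000.eky", "00000000.res", "00000000.pky",
    "@WanaDecryptor@.exe", "@Please_Read_Me@.txt", "m.vbs",
    "@WanaDecryptor@.exe.lnk", "tasksche.exe",
])
RANSOM_NOTE = "@please_read_me@.txt"

# The SHA1s listed in the entry.
KNOWN_SHA1 = frozenset([
    "51e4307093f8ca8854359c0ac882ddca427a813c",
    "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
    "bd44d0ab543bf814d93b719c24e90d8dd7111234",
    "87420a2791d18dad3f18be436045280a4cc16fc4",
    "e889544aff85ffaf8b0d0da705105dee7c97fe26",
])


def split_path(path):
    """Split on either separator so Windows paths triage correctly on any OS."""
    i = max(path.rfind("\\"), path.rfind("/"))
    return (path[:i], path[i + 1:]) if i >= 0 else ("", path)


def original_name(path):
    """For a .WNCRY file return the pre-encryption filename (file.docx); else None."""
    base = split_path(path)[1]
    if len(base) > len(ENCRYPTED_SUFFIX) and base.lower().endswith(ENCRYPTED_SUFFIX):
        return base[: -len(ENCRYPTED_SUFFIX)]
    return None


def is_targeted(filename):
    """True if the filename's extension is on the list this threat encrypts."""
    return os.path.splitext(filename)[1].lower() in TARGETED_EXTENSIONS


def triage(inventory):
    """inventory: iterable of (path, sha1). Returns what matched and where."""
    report = {"encrypted": [], "unexpected_encrypted": [], "artifacts": [],
              "known_hashes": [], "note_dirs": set()}
    for path, sha1 in inventory:
        directory, base = split_path(path)
        orig = original_name(path)
        if orig is not None:
            report["encrypted"].append((path, orig))
            # .WNCRY on an extension this threat does not target: a renamed file or a variant
            if not is_targeted(orig):
                report["unexpected_encrypted"].append(path)
        if base.lower() in ARTIFACT_NAMES:
            report["artifacts"].append(path)
            if base.lower() == RANSOM_NOTE:
                report["note_dirs"].add(directory)
        if sha1.lower() in KNOWN_SHA1:
            report["known_hashes"].append((path, sha1))
    return report


# Constructed inventory. 'constructed-*' hashes are placeholders; the one real
# value is copied from the SHA1 list in the entry, its pairing with a path is made up.
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\Documents\budget.xlsx.WNCRY", "constructed-hash-1"),
    (r"C:\Users\alice\Documents\@Please_Read_Me@.txt", "constructed-hash-2"),
    (r"C:\Users\alice\Documents\@WanaDecryptor@.exe", "constructed-hash-3"),
    (r"C:\Users\alice\Pictures\holiday.jpg.WNCRY", "constructed-hash-4"),
    (r"C:\Users\alice\Pictures\Thumbs.db", "constructed-hash-5"),
    (r"C:\Users\alice\Downloads\notes.md.WNCRY", "constructed-hash-6"),
    (r"C:\Windows\tasksche.exe", "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467"),
    (r"C:\Windows\notepad.exe", "constructed-hash-7"),
]

if __name__ == "__main__":
    r = triage(SAMPLE_INVENTORY)
    print(f"{len(r['encrypted'])} encrypted files, {len(r['artifacts'])} artifacts, "
          f"{len(r['known_hashes'])} known hashes; ransom notes in {sorted(r['note_dirs'])}")
```

The "unexpected_encrypted" bucket is the useful edge case: a .WNCRY file whose original extension is not on the list above either was renamed by something other than this sample or points to a variant with a different target list, and either way deserves a look before the incident is scoped as plain WannaCrypt.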




Analysis by: Andrea Lelli

Solution :

Adrien Guinet of QuarksLab in Paris released a potential fix on GitHub, which relies on recovering traces of the private key from the infected computer's memory to decrypt the files. But there is a caveat: the potential fix may fail if the malware, or other processes, overwrote the decryption key traces, or if the user rebooted the computer after the infection.
https://github.com/aguinet/wannakey

Last update 13 May 2017