Joe Security's Blog
Brief technical Analysis of Wannacry Ransomware Worm v2
Published on: 15.05.2017
Last Friday, May 12th 2017 cyber criminals started to spread a new ransomware. The malicious code was not highly sophisticated, it was using a recently patched SMB bug (MS17-010 also known as ETERNALBLUE) to spread. The remotely exploitable SMB bug was part of an NSA leaks series and affected XP up to Windows Server 2012. Windows 10 is not affected.
We got the sample on Friday around 6 PM and the initial analysis has released the following facts:
- Complex installation behavior
- Multi-language support
- Install and uses Tor for communication
- Programmed in C / C++, also uses VBS for some tasks
- Makes recovery impossible
- Encrypts files with AES 2048-bit, file appendix is WNCRYT, encrypts files everywhere
- Creates a mutex to prevent double infection, the mutex is MsWinZonesCacheCounterMutexA0
- Registers autostart
- Has a kill switch / anti sandbox trick to prevent spreading and encryption (left branch skip, right branch spreading + encryption), kill domain is http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. Kill switch does not work with proxies. Kill switch was registered by the IT security blogger Malware Tech UK.
- Does not use any anti-debugging or special anti-sandbox tricks
Full analysis data generated by Joe Sandbox 19: