Ransom:Win32/WannaCrypt

Arrival

This threat arrives as a dropper Trojan that has two components:

• A component that attempts to exploit the CVE-2017-0145 vulnerability in other computers
• Ransomware component

It tries to connect to the following domains:

• www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
• www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
• www[x].iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test

If this threat successfully connects to the domains, it stops running. Because of this, IT administrators should NOT block these domains. This threat is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80.

This Trojan dropper then creates a service named mssecsvc2.0, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system:

Service Name: mssecsvc2.0
Service Description: (Microsoft Security Center (2.0) Service)
Service Parameters: “-m security”

This threat uses publicly available exploit code for the patched SMB vulnerability, CVE-2017-0145, which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. The exploit code used is designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this exploit attack. The said vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.

Installation

When run, the ransomware component creates the following registry entries:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "<random string>"
With data: "<malware working directory>\tasksche.exe"

In subkey: HKLM\SOFTWARE\WanaCrypt0r
Sets value: "wd"
With data: "<malware working directory>"

It also modifies the following registry entry to change your computer's wallpaper:

In subkey: HKCU\Control Panel\Desktop
Sets value: "Wallpaper"
With data: "<malware working directory>\@WanaDecryptor@.bmp"

It creates the following files in the malware’s working directory:

• 00000000.eky
• 00000000.pky
• 00000000.res
• 274901494632976.bat
• @Please_Read_Me@.txt
• @WanaDecryptor@.bmp
• @WanaDecryptor@.exe
• b.wnry
• c.wnry
• f.wnry
• m.vbs
• msg\m_bulgarian.wnry
• msg\m_chinese (simplified).wnry
• msg\m_chinese (traditional).wnry
• msg\m_croatian.wnry
• msg\m_czech.wnry
• msg\m_danish.wnry
• msg\m_dutch.wnry
• msg\m_english.wnry
• msg\m_filipino.wnry
• msg\m_finnish.wnry
• msg\m_french.wnry
• msg\m_german.wnry
• msg\m_greek.wnry
• msg\m_indonesian.wnry
• msg\m_italian.wnry
• msg\m_japanese.wnry
• msg\m_korean.wnry
• msg\m_latvian.wnry
• msg\m_norwegian.wnry
• msg\m_polish.wnry
• msg\m_portuguese.wnry
• msg\m_romanian.wnry
• msg\m_russian.wnry
• msg\m_slovak.wnry
• msg\m_spanish.wnry
• msg\m_swedish.wnry
• msg\m_turkish.wnry
• msg\m_vietnamese.wnry
• r.wnry
• s.wnry
• t.wnry
• TaskData\Tor\libeay32.dll
• TaskData\Tor\libevent-2-0-5.dll
• TaskData\Tor\libevent_core-2-0-5.dll
• TaskData\Tor\libevent_extra-2-0-5.dll
• TaskData\Tor\libgcc_s_sjlj-1.dll
• TaskData\Tor\libssp-0.dll
• TaskData\Tor\ssleay32.dll
• TaskData\Tor\taskhsvc.exe
• TaskData\Tor\tor.exe
• TaskData\Tor\zlib1.dll
• taskdl.exe
• taskse.exe
• u.wnry

It may also create the following files:

• %SystemRoot% \tasksche.exe
• %SystemDrive% \intel\<random directory name>\tasksche.exe
• %ProgramData% \<random directory name>\tasksche.exe

It may create a randomly named service that has the following associated ImagePath:

"cmd.exe /c "<malware working directory>\tasksche.exe""

Payload

Encrypts files

This threat searches for and encrypts files with the following filename extensions:

It appends .WNCRY to the filename of encrypted files. For example:

• file.docx is renamed to file.docx.WNCRY
• file.pdf is renamed to file.pdf.WNCRY

This ransomware also creates the file @Please_Read_Me@.txt in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below).

After completing the encryption process, the malware deletes the volume shadow copies. It then replaces the desktop background image with the following message:

It also runs an executable showing a ransomnote, which indicates a $300 ransom as well as a timer:

The text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.

The ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files.

Spreads to unpatched computers

To spread, this threat uses an exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.

The exploit code used by this threat to spread to other computers was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems. The exploit does not affect Windows 10 PCs.

The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host, which can be observed by SecOps personnel.

The Internet scanning routine randomly generates octets to form the IPv4 address. The malware then targets that IP to attempt to exploit CVE-2017-0145. The threat avoids infecting the IPv4 address if the randomly generated value for first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces. Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. The vicious infection cycle continues as the scanning routing discovers unpatched computers.

When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.

SHA1s used in this analysis: 

• 51e4307093f8ca8854359c0ac882ddca427a813c
• 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
• bd44d0ab543bf814d93b719c24e90d8dd7111234
• 87420a2791d18dad3f18be436045280a4cc16fc4
• e889544aff85ffaf8b0d0da705105dee7c97fe26

Analysis by: Andrea Lelli