WannaCry Malware Profile
WannaCry (also known as WCry or WanaCryptor) is self-propagating (worm-like) ransomware that spreads through internal networks and over the public internet by exploiting a vulnerability in Microsoft’s Server Message Block (SMB) protocol implementation, the one addressed by security bulletin MS17-010. The malware consists of two distinct components: one that provides the ransomware functionality and one used for propagation, which carries the SMB exploitation code.
The malware leverages an exploit, codenamed “EternalBlue”, that was released by the Shadow Brokers on April 14, 2017.
The malware appends encrypted data files with the .WCRY extension, drops and executes a decryptor tool, and demands $300 or $600 USD (via Bitcoin) to decrypt the data.
The malware uses encrypted Tor channels for command and control (C2) communications.
File Characteristics
| Filename | MD5 Hash | Size (bytes) | Compile Time | Description | Filetype |
|---|---|---|---|---|---|
| mssecsvc.exe | db349b97c37d22f5ea1d1841e3c89eb4 | 3723264 | 2010-11-20T09:03:08Z | Loader + Worm Component | EXE |
| tasksche.exe | 84c82835a5d21bbcf75a61706d8ab549 | 3514368 | 2010-11-20T09:05:05Z | Loader | EXE |
| Unavailable | f351e1fcca0c4ea05fc44d15a17f8b36 | 65536 | 2009-07-14T01:12:55Z | Encryptor | DLL |
| @WanaDecryptor@.exe | 7bf2b57f2a205768755c07f238fb32cc | 245760 | 2009-07-13T23:19:35Z | Decryptor | EXE |

Table 1: File characteristics
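A triage helper that checks a file against Table 1 on both axes the table records: the MD5 (a strong match) and the PE header compile timestamp (a weak lead, since it is trivially forged). This is an added example, not code from the profile; the `build_sample_pe` helper fabricates a minimal PE-shaped byte string so the check runs offline without any malware sample.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Table 1 of the profile: MD5 -> (description, compile time)
TABLE1 = {
    "db349b97c37d22f5ea1d1841e3c89eb4": ("Loader + Worm Component", "2010-11-20T09:03:08Z"),
    "84c82835a5d21bbcf75a61706d8ab549": ("Loader", "2010-11-20T09:05:05Z"),
    "f351e1fcca0c4ea05fc44d15a17f8b36": ("Encryptor", "2009-07-14T01:12:55Z"),
    "7bf2b57f2a205768755c07f238fb32cc": ("Decryptor", "2009-07-13T23:19:35Z"),
}
ISO = "%Y-%m-%dT%H:%M:%SZ"

def to_epoch(iso: str) -> int:
    return int(datetime.strptime(iso, ISO).replace(tzinfo=timezone.utc).timestamp())

def pe_compile_time(data: bytes):
    """COFF TimeDateStamp as an ISO-8601 UTC string, or None if the bytes are not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime(ISO)

def triage(data: bytes) -> dict:
    """Compare a file's MD5 and compile time against the Table 1 entries."""
    md5 = hashlib.md5(data).hexdigest()
    ctime = pe_compile_time(data)
    return {
        "md5": md5,
        "compile_time": ctime,
        "hash_match": TABLE1.get(md5, (None,))[0],  # strong: a known sample
        # weak: same build timestamp as a listed sample; a lead to investigate, not proof
        "timestamp_match": [d for d, t in TABLE1.values() if ctime and t == ctime],
    }

def build_sample_pe(stamp: int) -> bytes:
    """Constructed minimal PE-shaped bytes (not malware) carrying the given TimeDateStamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, triage(f.read()))
```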
Persistence Mechanism
The malware creates the following two registry run keys to ensure persistence:
- Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Random>
  Value: <Full_path>\tasksche.exe
- Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Random>
  Value: <Full_path>\tasksche.exe
The malware …
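A host check for the persistence entries described above: it enumerates the two Run keys and flags any value, whatever its random name, whose image path ends in tasksche.exe. This is an added example, not the profile's own tooling; the registry enumeration only runs on Windows, and the constructed entries in the `__main__` block stand in for live data elsewhere.

```python
import ntpath
import os
import sys

# The two Run keys named in the profile (hive, subkey); the value name is random
RUN_KEYS = [
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"),
]
TARGET_NAME = "tasksche.exe"

def referenced_image(value_data: str) -> str:
    """Image path from Run value data, handling '"C:\\x\\y.exe" /arg' and bare paths."""
    s = os.path.expandvars(value_data.strip())
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]

def flag_entries(entries):
    """entries: iterable of (hive, subkey, value_name, value_data). Returns the matches."""
    hits = []
    for hive, subkey, name, data in entries:
        image = referenced_image(data)
        if ntpath.basename(image).lower() == TARGET_NAME:
            hits.append({"key": f"{hive}\\{subkey}\\{name}", "image": image})
    return hits

def read_run_entries():
    """Enumerate both Run keys on a live Windows host; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    out = []
    for hive, subkey in RUN_KEYS:
        try:
            with winreg.OpenKey(roots[hive], subkey) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break  # no more values
                    out.append((hive, subkey, name, str(data)))
                    i += 1
        except OSError:
            continue  # key absent or not readable
    return out

if __name__ == "__main__":
    # Constructed sample entries (the random name and folder are made up for the demo)
    live = read_run_entries() or [
        ("HKCU", RUN_KEYS[0][1], "OneDrive", r'"C:\Users\u\AppData\Local\OneDrive.exe" /background'),
        ("HKLM", RUN_KEYS[1][1], "ksnxwvq", r"C:\ProgramData\ksnxwvq\tasksche.exe"),
    ]
    print(flag_entries(live))
```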
IoC