WannaCry (WannaCryptor) is becoming probably the most widespread cryptolocker in the history of ransomware. It brings nothing new in terms of file encryption (RSA + AES using the MS CryptoAPI), but it uses the MS17-010 vulnerability (a.k.a. ETERNALBLUE, as named by the NSA) to propagate through local networks over the Server Message Block (SMB) protocol as a network worm, resulting in thousands of infections of Windows machines that have not been patched so far.
While many analysis reports have appeared on the Internet, we will focus on the host and network indicators of compromise that can be used to discover and block the attack.
Host Indicators of Compromise
Processes:
- mssecsvc.exe
- tasksche.exe
- taskdl.exe
- taskse.exe
Services:
- Microsoft Security Center (2.0) Service, mssecsvc2.0, mssecsvc.exe -m security
- ejigiekpdyl588, ejigiekpdyl588, cmd.exe /c "C:\Intel\ejigiekpdyl588\tasksche.exe"
Files and registry:
- c:\Intel\<RANDOM>\ (installation folder, e.g. c:\Intel\ejigiekpdyl588\)
- @Please_Read_Me@.txt
- @WanaDecryptor@.exe
- .WNCRY (encrypted file extension)
- HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tasksche.exe
Shell commands:
- cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "<RANDOM>" /t REG_SZ /d "\"tasksche.exe\"" /f
- taskkill.exe /f /im mysqld.exe
- taskkill.exe /f /im sqlwriter.exe
- taskkill.exe /f /im sqlserver.exe
- taskkill.exe /f /im MSExchange*
- taskkill.exe /f /im Microsoft.Exchange.*
- attrib +h .
- icacls . /grant Everyone:F /T /C /Q
- cmd.exe /c start /b @WanaDecryptor@.exe vs
- cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
Bitcoin wallets:
- 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
- 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
- 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Network Indicators of Compromise
- SMB connection via port 445 in local networks
- http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (killswitch)
- https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
- Tor communication (ports 9001, 9101, 9003, 443)
- gx7ekbenv2riucmf.onion
- 57g7spgrzlojinas.onion
- xxlvbrloxvriy2c5.onion
- 76jdd2ir2embyv47.onion
- cwwnhwhlz52maqm7.onion
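As an added example (not part of the original post), the following Python scanner applies the host and network indicators listed above to pipe-separated endpoint events; the event format and the sample log lines are constructed here for illustration, not taken from real telemetry.

```python
import re

# Host indicators from the write-up: process names, file artifacts and the dropper's shell commands.
PROCESS_IOCS = {"mssecsvc.exe", "tasksche.exe", "taskdl.exe", "taskse.exe", "@wanadecryptor@.exe"}
FILE_IOCS = ("@please_read_me@.txt", ".wncry")
CMDLINE_PATTERNS = {
    "Run-key persistence":  re.compile(r"reg add .*\\run.*tasksche\.exe", re.I),
    "shadow copy deletion": re.compile(r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete", re.I),
    "backup catalog wipe":  re.compile(r"wbadmin\s+delete\s+catalog", re.I),
    "recovery disabled":    re.compile(r"bcdedit.*recoveryenabled\s+no", re.I),
    "Everyone:F ACL grant": re.compile(r"icacls\s+\.\s+/grant\s+Everyone:F", re.I),
    "DB/Exchange taskkill": re.compile(r"taskkill.*/im\s+(mysqld|sqlwriter|sqlserver|MSExchange|Microsoft\.Exchange)", re.I),
}
# Network indicators from the write-up: the killswitch domain and the Tor hidden services.
NETWORK_IOCS = {
    "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "gx7ekbenv2riucmf.onion", "57g7spgrzlojinas.onion", "xxlvbrloxvriy2c5.onion",
    "76jdd2ir2embyv47.onion", "cwwnhwhlz52maqm7.onion",
}

def scan(lines):
    """Return (host, reason) for every event line that matches an indicator.
    Assumed (constructed) format: ts|host|proc|image|cmdline, ts|host|file|path, ts|host|dns|name."""
    hits = []
    for line in lines:
        fields = line.rstrip("\n").split("|")
        if len(fields) < 4:
            continue
        _ts, host, kind, *rest = fields
        if kind == "proc":
            image, cmdline = rest[0], (rest[1] if len(rest) > 1 else "")
            if image.rsplit("\\", 1)[-1].lower() in PROCESS_IOCS:
                hits.append((host, f"known process name: {image}"))
            for label, pattern in CMDLINE_PATTERNS.items():
                if pattern.search(cmdline):
                    hits.append((host, f"command line: {label}"))
        elif kind == "file" and rest[0].lower().endswith(FILE_IOCS):
            hits.append((host, f"ransomware artifact: {rest[0]}"))
        elif kind == "dns" and rest[0].lower() in NETWORK_IOCS:
            hits.append((host, f"DNS query: {rest[0]}"))
    return hits

# Constructed sample events (not real telemetry): PC-01 shows the infection sequence, PC-02 is clean.
SAMPLE_LOG = """\
2017-05-12T10:01:02|PC-01|proc|C:\\Windows\\mssecsvc.exe|mssecsvc.exe -m security
2017-05-12T10:01:05|PC-01|dns|www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:01:09|PC-01|proc|C:\\Windows\\System32\\cmd.exe|cmd.exe /c reg add "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /v abc /t REG_SZ /d tasksche.exe /f
2017-05-12T10:01:30|PC-01|proc|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} recoveryenabled no
2017-05-12T10:02:00|PC-01|file|C:\\Users\\bob\\Documents\\report.docx.WNCRY
2017-05-12T10:02:10|PC-02|proc|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
"""
```

Running `scan(SAMPLE_LOG.splitlines())` yields six hits, all for PC-01: the service binary, the killswitch lookup, the Run-key persistence command, both recovery-sabotage commands and the encrypted document.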
YARA rule for detecting the WannaCry dropper:
// rule name is a placeholder; the rule header was not preserved on the page
rule WannaCry_Dropper
{
    meta:
        author = "NioGuard Security Lab"
        info = "Detecting the WannaCry dropper"
        hash = "db349b97c37d22f5ea1d1841e3c89eb4"
        reference = "http://nioguard.com/"
    strings:
        $a1 = "tasksche.exe"
        $a2 = "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
    condition:
        all of them
}
To check whether a host is vulnerable to MS17-010, run the following Python script, specifying the host's IP address:
https://github.com/RiskSense-Ops/MS17-010/blob/master/scanners/smb_ms17_010.py
See also:
http://www.acronis.com/en-us/blog/posts/wannacry-attack-what-it-and-how-protect-your-computer