WannaCry 2.0: Indicators of Compromise

WannaCry (WannaCryptor) is becoming probably the most popular cryptolocker in the history of ransomware. It has nothing new in terms of files encryption (RSA + AES using MS CryptoAPI) but uses MS17-010 (a.k.a. ETERNALBLUE named by NSA) vulnerability to propagate itself through local networks using the Server Message Block (SMB) protocol as a network worm resulting in thousands of infections of Windows machines that have not been updated so far.



While many analysis reports appear on the Internet, we will focus on host and network indicators of compromise that can be used to discover and block the attack.

Host Indicators of Compromise

Processes:

• mssecsvc.exe
• tasksche.exe
• taskdl.exe
• taskse.exe

Services:

• Microsoft Security Center (2.0) Service, mssecsvc2.0, mssecsvc.exe -m security
• ejigiekpdyl588, ejigiekpdyl588, cmd.exe /c "C:\Intel\ejigiekpdyl588\tasksche.exe"

Files and folders:

• c:\Intel\<RANDOM>\ (installation folder, e.g. c:\Intel\ejigiekpdyl588\)
• @Please_Read_Me@.txt
• @WanaDecryptor@.exe
• .WNCRY (encrypted file extension)

Registry Keys:

• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run tasksche.exe

Shell commands:

• cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v "<RANDOM>" /t REG_SZ /d “\"tasksche.exe\"" /f
• taskkill.exe /f /im mysqld.exe
• taskkill.exe /f /im sqlwriter.exe
• taskkill.exe /f /im sqlserver.exe
• taskkill.exe /f /im MSExchange*
• taskkill.exe /f /im Microsoft.Exchange.*
• attrib +h .
• icacls . /grant Everyone:F /T /C /Q
• cmd.exe /c start /b @WanaDecryptor@.exe vs
• cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete &  bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Bitcoin wallets:

• 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
• 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
• 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Network Indicators of Compromise

• SMB connection via port 445 in local networks
• http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (killswitch)
• https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
• Tor communication (ports 9001, 9101, 9003, 443)
• gx7ekbenv2riucmf.onion
• 57g7spgrzlojinas.onion
• xxlvbrloxvriy2c5.onion
• 76jdd2ir2embyv47.onion
• cwwnhwhlz52maqm7.onion

Yara rule

rule WannaCry20
{
meta:
author = "NioGuard Security Lab"
info = "Detecting the WannaCry dropper"
hash = "db349b97c37d22f5ea1d1841e3c89eb4"
reference = "http://nioguard.com/"

strings:
$a1 = "tasksche.exe"
$a2 = "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

condition:
all of them
}

To verify if your host is vulnerable, run the following Python script specifying the host's IP:
https://github.com/RiskSense-Ops/MS17-010/blob/master/scanners/smb_ms17_010.py

See also:
http://www.acronis.com/en-us/blog/posts/wannacry-attack-what-it-and-how-protect-your-computer