A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #30327  by Xylitol
 Fri May 12, 2017 6:03 pm
What is 'WanaCrypt0r 2.0' ransomware and why is it attacking the NHS? ~ https://www.theguardian.com/technology/ ... crypt0r-20
Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage ~ https://www.bleepingcomputer.com/news/s ... a-rampage/
pwned ~ https://pbs.twimg.com/media/C_pfnkeXcAAm2ZB.jpg
CERT-FR ~ http://www.cert.ssi.gouv.fr/site/CERTFR ... index.html
Fox news ~ http://www.foxnews.com/tech/2017/05/12/ ... ppled.html

on bleepingcomputer:
"French security researcher Kafeine, who was the first to spot that Wana Decrypt0r triggered security alerts for ETERNALBLUE, an alleged NSA exploit"
Mistake here according to Twitter: someone at CCN-CERT reported it first.
https://twitter.com/kafeine/status/863049739583016960
https://twitter.com/siri_urz/status/863044639384842240

wanacryptor: https://www.virustotal.com/en/file/ed01 ... 494611403/
WeCry: https://www.virustotal.com/en/file/3e6d ... 494612021/
https://www.hybrid-analysis.com/sample/ ... 2-00002912
Attachments: infected (65.94 KiB); infected (3.32 MiB)
 #30330  by Xylitol
 Fri May 12, 2017 7:54 pm
On WanaCrypt0r 2.0, it does a FindResourceA on resource 'XIA', procedure at 00401DAB; it's a password-protected zip archive with pw 'WNcry@2ol7'. Stuff is dropped on the disk with the procedure at 00401E41
0040732B |. FF15 34804000 CALL DWORD PTR DS:[<&KERNEL32.CreateFi>; \CreateFileA
CreateProcess at 004020E1 with attrib +h . and icacls . /grant Everyone:F /T /C /Q, and memcpy at 004023A7 where you can see a PE header as buffer (a dll containing the cryptor part I suppose, haven't looked) https://www.virustotal.com/en/file/d062 ... 494620280/

target extensions (just an assumption since I haven't looked, just hex viewed)
Code:
.der
.pfx
.key
.crt
.csr
.p12
.pem
.odt
.ott
.sxw
.stw
.uot
.3ds
.max
.3dm
.ods
.ots
.sxc
.stc
.dif
.slk
.wb2
.odp
.otp
.sxd
.std
.uop
.odg
.otg
.sxm
.mml
.lay
.lay6
.asc
.sqlite3
.sqlitedb
.sql
.accdb
.mdb
.db
.dbf
.odb
.frm
.myd
.myi
.ibd
.mdf
.ldf
.sln
.suo
.cs
.c
.cpp
.pas
.h
.asm
.js
.cmd
.bat
.ps1
.vbs
.vb
.pl
.dip
.dch
.sch
.brd
.jsp
.php
.asp
.rb
.java
.jar
.class
.sh
.mp3
.wav
.swf
.fla
.wmv
.mpg
.vob
.mpeg
.asf
.avi
.mov
.mp4
.3gp
.mkv
.3g2
.flv
.wma
.mid
.m3u
.m4u
.djvu
.svg
.ai
.psd
.nef
.tiff
.tif
.cgm
.raw
.gif
.png
.bmp
.vcd
.iso
.backup
.zip
.rar
.7z
.gz
.tgz
.tar
.bak
.tbk
.bz2
.PAQ
.ARC
.aes
.gpg
.vmx
.vmdk
.vdi
.sldm
.sldx
.sti
.sxi
.602
.hwp
.edb
.potm
.potx
.ppam
.ppsx
.ppsm
.pps
.pot
.pptm
.xltm
.xltx
.xlc
.xlm
.xlt
.xlw
.xlsb
.xlsm
.dotx
.dotm
.dot
.docm
.docb
.jpg
.jpeg
.snt
.onetoc2
.dwg
.pdf
.wk1
.wks
.123
.rtf
.csv
.txt
.vsdx
.vsd
.eml
.msg
.ost
.pst
.pptx
.ppt
.xlsx
.xls
.docx
.doc
Attachments: infected (33.44 KiB); infected (3.28 MiB)
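The two command lines Xylitol reports above (attrib +h . followed by icacls . /grant Everyone:F /T /C /Q) are the kind of thing a defender can look for in process-creation telemetry. The script below is an added example, not code from this thread or from the malware: it runs two regex rules over constructed process-creation records (timestamp|host|parent|command line, a made-up format) and then correlates the hits, since the pair firing from the same parent within a short window is a much stronger signal than either alone. The host names, the dropper path and the timestamps are constructed.

```python
"""Flag process-creation events matching the attrib/icacls command lines
reported for WanaCrypt0r 2.0, then correlate them per (host, parent).

Added example; the log lines are constructed and the record format
"<ts>|<host>|<parent image>|<command line>" is an assumption for the demo.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Tolerant of "icacls.exe", extra spacing and case; anchored on the
# arguments that matter (Everyone:F with recursion, "+h" on the cwd).
RULES = {
    "icacls_grant_everyone_full": re.compile(
        r"\bicacls(\.exe)?\b.*\s/grant\s+Everyone:F\b.*\s/T\b", re.IGNORECASE),
    "attrib_hide_cwd": re.compile(
        r"\battrib(\.exe)?\s+\+h\s+\.\s*$", re.IGNORECASE),
}


@dataclass
class Event:
    ts: str
    host: str
    parent: str
    cmdline: str


def parse_line(line: str) -> Event:
    # Constructed format: "<ts>|<host>|<parent>|<cmdline>"; the command line
    # may itself contain '|' so only the first three separators are split.
    ts, host, parent, cmdline = line.rstrip("\n").split("|", 3)
    return Event(ts, host, parent, cmdline)


def match_rules(event: Event) -> list:
    return [name for name, rx in RULES.items() if rx.search(event.cmdline)]


def scan(lines):
    """Return [(Event, [rule names])] for every record that matched a rule."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        names = match_rules(ev)
        if names:
            hits.append((ev, names))
    return hits


def _ts(ev: Event) -> datetime:
    return datetime.strptime(ev.ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate(hits, window_seconds=60):
    """Return (host, parent) pairs where *both* rules fired within the window.
    The attrib+icacls sequence from one parent is the strong indicator."""
    groups = {}
    for ev, names in hits:
        groups.setdefault((ev.host, ev.parent), []).append((ev, names))
    flagged = []
    for key, group in groups.items():
        fired = {n for _, names in group for n in names}
        if fired != set(RULES):
            continue
        times = [_ts(ev) for ev, _ in group]
        if (max(times) - min(times)).total_seconds() <= window_seconds:
            flagged.append(key)
    return flagged


# Constructed sample telemetry (not real data). The dropper path is a placeholder.
SAMPLE_LOG = [
    "2017-05-12T17:03:01Z|WS-0412|C:\\Users\\Public\\dropper.exe|attrib +h .",
    "2017-05-12T17:03:02Z|WS-0412|C:\\Users\\Public\\dropper.exe|icacls . /grant Everyone:F /T /C /Q",
    "2017-05-12T17:05:10Z|WS-0412|C:\\Windows\\explorer.exe|icacls C:\\share /grant Alice:R",
    "2017-05-12T17:06:44Z|WS-0077|C:\\Windows\\System32\\cmd.exe|attrib -h secret.txt",
    "2017-05-12T17:08:00Z|WS-0099|C:\\Windows\\System32\\cmd.exe|cmd.exe /c icacls . /grant Everyone:F /T /C /Q",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ev, names in hits:
        print(f"{ev.ts} {ev.host} {ev.parent}: {names}")
    print("correlated:", correlate(hits))
```

The single icacls hit on WS-0099 is still worth a look (granting Everyone full control recursively is rarely legitimate), but only WS-0412 shows the full sequence from one parent and is what the correlation step reports.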
 #30336  by sysopfb
 Sat May 13, 2017 10:31 pm
The t.wnry file that is written has a 256-byte header on top that is decrypted using the RSA private key from the loader.

That decrypts to a 16-byte AES key that can then be used to decrypt a DLL out of that same file, in CBC mode with a 16-byte IV of NULL bytes.

f351e1fcca0c4ea05fc44d15a17f8b36 for the decrypted dll of the sample I looked at
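The layout sysopfb describes (256 bytes of RSA-encrypted key material, then an AES-CBC body under an all-zero IV) is simple enough to unwrap with a few lines. Below is an added example, not the thread's or the malware's code, that does exactly that with the `cryptography` package. Two details the post does not state are assumptions made for the demo: PKCS#1 v1.5 padding on the RSA layer, and zero-padding of the body to the AES block size. build_container() exists only to produce a constructed test blob with a fake MZ/PE stub; no sample from the thread is used, and a real loader's private key would be supplied to unwrap() instead of the throwaway key generated here.

```python
"""Unwrap a t.wnry-style container: 256-byte RSA-encrypted header holding a
16-byte AES key, followed by a DLL encrypted with AES-128-CBC and a zero IV.

Added example. Assumes the `cryptography` package, PKCS#1 v1.5 padding for
the RSA layer and zero-padded plaintext for the AES body (demo assumptions).
"""
import os
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

HEADER_LEN = 256          # 256-byte header, i.e. one RSA-2048 ciphertext
AES_KEY_LEN = 16          # "a 16 byte AES key"
ZERO_IV = b"\x00" * 16    # "16 byte IV of NULL bytes"


def unwrap(container: bytes, priv_key) -> bytes:
    """Return the decrypted body (the DLL, still zero-padded to 16 bytes)."""
    if len(container) < HEADER_LEN:
        raise ValueError("container shorter than the 256-byte header")
    enc_key, body = container[:HEADER_LEN], container[HEADER_LEN:]
    # Wrong key -> cryptography raises ValueError("Decryption failed").
    aes_key = priv_key.decrypt(enc_key, padding.PKCS1v15())
    if len(aes_key) != AES_KEY_LEN:
        raise ValueError(f"expected a 16-byte AES key, got {len(aes_key)}")
    if len(body) % 16:
        raise ValueError("body is not a multiple of the AES block size")
    dec = Cipher(algorithms.AES(aes_key), modes.CBC(ZERO_IV)).decryptor()
    return dec.update(body) + dec.finalize()


def build_container(payload: bytes, pub_key, aes_key: bytes = None) -> bytes:
    """Constructed inverse of unwrap(), used only to make a test blob."""
    aes_key = aes_key or os.urandom(AES_KEY_LEN)
    padded = payload + b"\x00" * (-len(payload) % 16)
    enc = Cipher(algorithms.AES(aes_key), modes.CBC(ZERO_IV)).encryptor()
    body = enc.update(padded) + enc.finalize()
    return pub_key.encrypt(aes_key, padding.PKCS1v15()) + body


def demo() -> dict:
    """Round-trip a fake DLL through the container and check a wrong key fails."""
    priv = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    other = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    # Constructed stand-in for a DLL: MZ header, padding, "PE\0\0" marker.
    fake_dll = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"constructed, not a real DLL"
    blob = build_container(fake_dll, priv.public_key())
    out = unwrap(blob, priv)
    try:
        unwrap(blob, other)
        wrong_key_rejected = False
    except ValueError:
        wrong_key_rejected = True
    return {
        "container_len": len(blob),
        "starts_with_mz": out[:2] == b"MZ",
        "payload_recovered": out.rstrip(b"\x00") == fake_dll,
        "wrong_key_rejected": wrong_key_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

On a real t.wnry you would load the loader's private key, call unwrap() on the file's bytes, and hash the result; the MD5 sysopfb gives above (f351e1fcca0c4ea05fc44d15a17f8b36) is the value to compare against for that sample, allowing for any trailing padding the real format carries.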
 #30343  by FTL2000
 Sun May 14, 2017 5:12 pm
Has anyone taken a look at (PKY, EKY, RES and others)? I found an "RSA 1.1" string inside the PKY file, so I think it has something to do with RSA keys...
Respective files are attached below (no live samples, only the files mentioned above)
Attachments: Dropped files, PW: malware (2.95 MiB)