[Xylitol]

What is 'WanaCrypt0r 2.0' ransomware and why is it attacking the NHS? ~ https://www.theguardian.com/technology/ ... crypt0r-20
Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage ~ https://www.bleepingcomputer.com/news/s ... a-rampage/
pwned ~ https://pbs.twimg.com/media/C_pfnkeXcAAm2ZB.jpg
CERT-FR ~ http://www.cert.ssi.gouv.fr/site/CERTFR ... index.html
Fox news ~ http://www.foxnews.com/tech/2017/05/12/ ... ppled.html

on bleepingcomputer:
"French security researcher Kafeine, who was the first to spot that Wana Decrypt0r triggered security alerts for ETERNALBLUE, an alleged NSA exploit"
mistake here according to twitter, someone at ccn-cert reported it in first.
https://twitter.com/kafeine/status/863049739583016960
https://twitter.com/siri_urz/status/863044639384842240

wanacryptor: https://www.virustotal.com/en/file/ed01 ... 494611403/
WeCry: https://www.virustotal.com/en/file/3e6d ... 494612021/
https://www.hybrid-analysis.com/sample/ ... 2-00002912

[asianman6924]

The outbreak of this malware is crazy!
45,000 attacks in over 74 countries

https://twitter.com/craiu/status/863076786887852032

[Xylitol]

on WanaCrypt0r 2.0, it does a FindResourceA on ressource 'XIA', procedure at 00401DAB, it's a zip archive password protected with pw 'WNcry@2ol7' stuff is drop on the disk with procedure at 00401E41
0040732B |. FF15 34804000 CALL DWORD PTR DS:[<&KERNEL32.CreateFi>; \CreateFileA
createProcess at 004020E1 with attrib +h . and icacls . /grant Everyone:F /T /C /Q and memcpy at 004023A7 where you can see a PE header as buffer (a dll containing the cryptor part i suppose, haven't looked) https://www.virustotal.com/en/file/d062 ... 494620280/

target extensions (just assumption since i haven't looked, just hex viewed)

Code: Select all

.der
.pfx
.key
.crt
.csr
.p12
.pem
.odt
.ott
.sxw
.stw
.uot
.3ds
.max
.3dm
.ods
.ots
.sxc
.stc
.dif
.slk
.wb2
.odp
.otp
.sxd
.std
.uop
.odg
.otg
.sxm
.mml
.lay
.lay6
.asc
.sqlite3
.sqlitedb
.sql
.accdb
.mdb
.db
.dbf
.odb
.frm
.myd
.myi
.ibd
.mdf
.ldf
.sln
.suo
.cs
.c
.cpp
.pas
.h
.asm
.js
.cmd
.bat
.ps1
.vbs
.vb
.pl
.dip
.dch
.sch
.brd
.jsp
.php
.asp
.rb
.java
.jar
.class
.sh
.mp3
.wav
.swf
.fla
.wmv
.mpg
.vob
.mpeg
.asf
.avi
.mov
.mp4
.3gp
.mkv
.3g2
.flv
.wma
.mid
.m3u
.m4u
.djvu
.svg
.ai
.psd
.nef
.tiff
.tif
.cgm
.raw
.gif
.png
.bmp
.vcd
.iso
.backup
.zip
.rar
.7z
.gz
.tgz
.tar
.bak
.tbk
.bz2
.PAQ
.ARC
.aes
.gpg
.vmx
.vmdk
.vdi
.sldm
.sldx
.sti
.sxi
.602
.hwp
.edb
.potm
.potx
.ppam
.ppsx
.ppsm
.pps
.pot
.pptm
.xltm
.xltx
.xlc
.xlm
.xlt
.xlw
.xlsb
.xlsm
.dotx
.dotm
.dot
.docm
.docb
.jpg
.jpeg
.snt
.onetoc2
.dwg
.pdf
.wk1
.wks
.123
.rtf
.csv
.txt
.vsdx
.vsd
.eml
.msg
.ost
.pst
.pptx
.ppt
.xlsx
.xls
.docx
.doc

[maddog4012]

here are a few more samples

[v3rd1ct]

maddog, your included password is not working?

[Insid3Code]

maddog, your included password is not working?

lowercase

[sysopfb]

t.wnry file that is written has a header on top of 256 bytes that is decrypted using the RSA private key from the loader

That decrypts to a 16 byte AES key that can be used to then decrypt out a DLL from that same file in CBC mode with a 16 byte IV of NULL bytes.

f351e1fcca0c4ea05fc44d15a17f8b36 for the decrypted dll of the sample I looked at

[FTL2000]

Have anyone took a look at (PKY, EKY, RES and others)? I found "RSA 1.1" string inside the PKY file, so I think it's something to do with RSA key...
Respective files are attached below (no live samples, only files mentioned above)

[DJFelix]

The supposed RSA keys have been posted in this Pastebin: https://pastebin.com/SNBdGbJh

Has anyone been able to verify or test this?

[benkow_]

Patched kill switch version

Code: Select all

http://www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com

https://www.virustotal.com/fr/file/32f2 ... /analysis/