Home / malware Ransom:Win32/WannaCrypt.A!rsm
First posted on 15 March 2019.
Source: MicrosoftAliases :
There are no other names known for Ransom:Win32/WannaCrypt.A!rsm.
Explanation :
Arrival
This threat arrives as a dropper Trojan that has two components:
A component that attempts to exploit the CVE-2017-0145 vulnerability in other computers Ransomware component
It tries to connect to the following domains:
www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com www[.]ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com www[x].iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test
If this threat successfully connects to the domains, it stops running. Because of this, IT administrators should NOT block these domains. This threat is not proxy-aware, so a local DNS record may be required. This does not need to point to the Internet, but can resolve to any accessible server which will accept connections on TCP 80.
This Trojan dropper then creates a service named mssecsvc2.0, whose function is to exploit the SMB vulnerability in other computers accessible from the infected system:
Service Name: mssecsvc2.0
Service Description: (Microsoft Security Center (2.0) Service)
Service Parameters: “-m security”
This threat uses publicly available exploit code for the patched SMB vulnerability, CVE-2017-0145, which can be triggered by sending a specially crafted packet to a targeted SMBv1 server. The exploit code used is designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this exploit attack. The said vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.
Installation
When run, the ransomware component creates the following registry entries:
In subkey: HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun
Sets value: ""
With data: "asksche.exe"
In subkey: HKLMSOFTWAREWanaCrypt0r
Sets value: "wd"
With data: ""
It also modifies the following registry entry to change your computer's wallpaper:
In subkey: HKCUControl PanelDesktop
Sets value: "Wallpaper"
With data: "@WanaDecryptor@.bmp"
It creates the following files in the malware's working directory:
00000000.eky 00000000.pky 00000000.res 274901494632976.bat @Please_Read_Me@.txt @WanaDecryptor@.bmp @WanaDecryptor@.exe b.wnry c.wnry f.wnry m.vbs msgm_bulgarian.wnry msgm_chinese (simplified).wnry msgm_chinese (traditional).wnry msgm_croatian.wnry msgm_czech.wnry msgm_danish.wnry msgm_dutch.wnry msgm_english.wnry msgm_filipino.wnry msgm_finnish.wnry msgm_french.wnry msgm_german.wnry msgm_greek.wnry msgm_indonesian.wnry msgm_italian.wnry msgm_japanese.wnry msgm_korean.wnry msgm_latvian.wnry msgm_norwegian.wnry msgm_polish.wnry msgm_portuguese.wnry msgm_romanian.wnry msgm_russian.wnry msgm_slovak.wnry msgm_spanish.wnry msgm_swedish.wnry msgm_turkish.wnry msgm_vietnamese.wnry r.wnry s.wnry t.wnry TaskDataTorlibeay32.dll TaskDataTorlibevent-2-0-5.dll TaskDataTorlibevent_core-2-0-5.dll TaskDataTorlibevent_extra-2-0-5.dll TaskDataTorlibgcc_s_sjlj-1.dll TaskDataTorlibssp-0.dll TaskDataTorssleay32.dll TaskDataTor askhsvc.exe TaskDataTor or.exe TaskDataTorzlib1.dll taskdl.exe taskse.exe u.wnry
It may also create the following files:
%SystemRoot% asksche.exe %SystemDrive% intelasksche.exe %ProgramData% asksche.exe
It may create a randomly named service that has the following associated ImagePath:
"cmd.exe /c "asksche.exe""
Payload
Encrypts files
This threat searches for and encrypts files with the following filename extensions:
.123
.jpeg
.rb
.602
.jpg
.rtf
.doc
.js
.sch
.3dm
.jsp
.sh
.3ds
.key
.sldm
.3g2
.lay
.sldm
.3gp
.lay6
.sldx
.7z
.ldf
.slk
.accdb
.m3u
.sln
.aes
.m4u
.snt
.ai
.max
.sql
.ARC
.mdb
.sqlite3
.asc
.mdf
.sqlitedb
.asf
.mid
.stc
.asm
.mkv
.std
.asp
.mml
.sti
.avi
.mov
.stw
.backup
.mp3
.suo
.bak
.mp4
.svg
.bat
.mpeg
.swf
.bmp
.mpg
.sxc
.brd
.msg
.sxd
.bz2
.myd
.sxi
.c
.myi
.sxm
.cgm
.nef
.sxw
.class
.odb
.tar
.cmd
.odg
.tbk
.cpp
.odp
.tgz
.crt
.ods
.tif
.cs
.odt
.tiff
.csr
.onetoc2
.txt
.csv
.ost
.uop
.db
.otg
.uot
.dbf
.otp
.vb
.dch
.ots
.vbs
.der"
.ott
.vcd
.dif
.p12
.vdi
.dip
.PAQ
.vmdk
.djvu
.pas
.vmx
.docb
.vob
.docm
.pem
.vsd
.docx
.pfx
.vsdx
.dot
.php
.wav
.dotm
.pl
.wb2
.dotx
.png
.wk1
.dwg
.pot
.wks
.edb
.potm
.wma
.eml
.potx
.wmv
.fla
.ppam
.xlc
.flv
.pps
.xlm
.frm
.ppsm
.xls
.gif
.ppsx
.xlsb
.gpg
.ppt
.xlsm
.gz
.pptm
.xlsx
.h
.pptx
.xlt
.hwp
.ps1
.xltm
.ibd
.psd
.xltx
.iso
.pst
.xlw
.jar
.rar
.zip
.java
.raw
It appends .WNCRY to the filename of encrypted files. For example:
file.docx is renamed to file.docx.WNCRY file.pdf is renamed to file.pdf.WNCRY
This ransomware also creates the file @Please_Read_Me@.txt in every folder where files are encrypted. The file contains the same ransom message shown in the replaced wallpaper image (see screenshot below).
After completing the encryption process, the malware deletes the volume shadow copies. It then replaces the desktop background image with the following message:
It also runs an executable showing a ransomnote, which indicates a $300 ransom as well as a timer:
The text is localized into the following languages: Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, and Vietnamese.
The ransomware also demonstrates the decryption capability by allowing the user to decrypt a few random files, free of charge. It then quickly reminds the user to pay the ransom to decrypt all the remaining files.
Spreads to unpatched computers
To spread, this threat uses an exploit code for a patched SMB vulnerability, CVE-2017-0145. This vulnerability was fixed in security bulletin MS17-010, which was released on March 14, 2017.
The exploit code used by this threat to spread to other computers was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems. The exploit does not affect Windows 10 PCs.
The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host, which can be observed by SecOps personnel.
The Internet scanning routine randomly generates octets to form the IPv4 address. The malware then targets that IP to attempt to exploit CVE-2017-0145. The threat avoids infecting the IPv4 address if the randomly generated value for first octet is 127 or if the value is equal to or greater than 224, in order to skip local loopback interfaces. Once a vulnerable machine is found and infected, it becomes the next hop to infect other machines. The vicious infection cycle continues as the scanning routing discovers unpatched computers.
When it successfully infects a vulnerable computer, the malware runs kernel-level shellcode that seems to have been copied from the public backdoor known as DOUBLEPULSAR, but with certain adjustments to drop and execute the ransomware dropper payload, both for x86 and x64 systems.
SHA1s used in this analysis:
51e4307093f8ca8854359c0ac882ddca427a813c 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467 bd44d0ab543bf814d93b719c24e90d8dd7111234 87420a2791d18dad3f18be436045280a4cc16fc4 e889544aff85ffaf8b0d0da705105dee7c97fe26
Analysis by: Andrea LelliLast update 15 March 2019