Check out the WannaCry/WannaCryptor/WanaDecryptor (WCry 2.0) ransomware indicators

// May 12th, 2017 // Hacking and Security

Somebody dumped a file in VirusTotal claiming it’s the new WCry 2.0 variant that’s wreaking havoc today. Details below, but take it with a grain of salt until we know more.

 FileVersionInfo properties
Copyright © Microsoft Corporation. All rights reserved.
Product Microsoft® Windows® Operating System
Original name diskpart.exe
Internal name diskpart.exe
File version 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Description DiskPart
 PE header basic information
Target machine Intel 386 or later processors and compatible processors
Compilation timestamp 2010-11-20 09:05:05
Entry Point 0x000077BA
Number of sections 4
 Overlays
MD5 5822a94206522fe5382d2f00acc5cadf
File type data
Offset 65536
Size 1572864
Entropy 8.00
 Number of PE resources by type
XIA 1
RT_VERSION 1
RT_MANIFEST 1
 Number of PE resources by language
ENGLISH US 3
 ExifTool file metadata
SubsystemVersion 4.0
LinkerVersion 6.0
ImageVersion 0.0
FileSubtype 0
FileVersionNumber 6.1.7601.17514
UninitializedDataSize 0
LanguageCode English (U.S.)
FileFlagsMask 0x003f
CharacterSet Unicode
InitializedDataSize 3481600
EntryPoint 0x77ba
OriginalFileName diskpart.exe
MIMEType application/octet-stream
LegalCopyright Microsoft Corporation. All rights reserved.
FileVersion 6.1.7601.17514 (win7sp1_rtm.101119-1850)
TimeStamp 2010:11:20 10:05:05+01:00
FileType Win32 EXE
PEType PE32
InternalName diskpart.exe
ProductVersion 6.1.7601.17514
FileDescription DiskPart
OSVersion 4.0
FileOS Windows NT 32-bit
Subsystem Windows GUI
MachineType Intel 386 or later, and compatibles
CompanyName Microsoft Corporation
CodeSize 28672
ProductName Microsoft Windows Operating System
ProductVersionNumber 6.1.7601.17514
FileTypeExtension exe
ObjectFileType Dynamic link library
 File identification
MD5 84c82835a5d21bbcf75a61706d8ab549
SHA1 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
ssdeep 98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB
authentihash  4b2c4c7f06f5ffaeea6efc537f0aa66b0a30c7ccd7979c86c7f4f996002b99fd
imphash  68f013d7437aa653a8a98a05807afeb1
File size 3.4 MB ( 3514368 bytes )
File type Win32 EXE
Magic literal PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (42.2%)
Win64 Executable (generic) (37.3%)
Win32 Dynamic Link Library (generic) (8.8%)
Win32 Executable (generic) (6.0%)
Generic Win/DOS Executable (2.7%)
Tags
peexe overlay
 VirusTotal metadata
First submission 2017-05-12 07:31:10 UTC ( 14 hours, 27 minutes ago )
Last submission 2017-05-12 21:29:49 UTC ( 29 minutes ago )
File names tasksche.exe
diskpart.exe
tasksche.exe
localfile~
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
tasksche.exe
tasksche.exe
data
ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA.dat
tasksche.exe
qeriuwjhrf
tasksche.exe
tasksche.exe
wcry.exe
wcry2.exe
84c82835a5d21bbcf75a61706d8ab549.exe
tasksche.exe
1.exe
WannaDecryptor.exe
tasksche.exe
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.bin
tasksche.exe
4IMI8V.exe
ranson.exe
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.txt
 Behaviour characterization
Zemana
dll-injection
 Additional details
The file installs an application-defined hook procedure into a hook chain. You would install a hook procedure to monitor the system for certain types of events. These events are associated either with a specific thread or with all threads in the same desktop as the calling thread. This is done making use of the SetWindowsHook Windows API function.
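The overlay figures in the dump above (offset 65536, 1572864 bytes at entropy 8.00) and the Microsoft version strings are worth checking by hand rather than taking a portal's summary on trust. The Python below is an added example, not code from this post or from VirusTotal: it parses the PE32 headers, finds any overlay beyond the last section's raw data and scores its entropy, which is the usual footprint of an embedded encrypted or compressed payload that a stub unpacks at run time. The sample image it builds is synthetic; it borrows only the header values shown above (timestamp, linker 6.0, entry point 0x77BA, code size 28672) so the printed output lines up with the listing. Note that version-resource strings such as CompanyName and OriginalFileName are free text chosen by whoever built the file, which is why something submitted as tasksche.exe can claim to be diskpart.exe.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(data: bytes) -> dict:
    """Read the PE32 header fields shown in the listing above and locate any
    overlay, i.e. bytes appended after the last section's raw data."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, linker_major, linker_minor, code_size = struct.unpack_from("<HBBI", data, opt)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections, end_of_raw = [], 0
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        sections.append((name, raw_ptr, raw_size))
        end_of_raw = max(end_of_raw, raw_ptr + raw_size)
    overlay = data[end_of_raw:]
    return {
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "machine": hex(machine),
        "linker_version": f"{linker_major}.{linker_minor}",
        "code_size": code_size,
        # TimeDateStamp is attacker-controlled; treat it as a hint, not a fact.
        "compile_time_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": hex(entry),
        "sections": sections,
        "overlay_offset": end_of_raw if overlay else None,
        "overlay_size": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
    }


def overlay_verdict(info: dict) -> str:
    """A large overlay close to 8.0 bits/byte is almost always an encrypted or
    compressed payload; plain data or a certificate table scores far lower."""
    if info["overlay_size"] == 0:
        return "no overlay"
    if info["overlay_size"] >= 64 * 1024 and info["overlay_entropy"] >= 7.9:
        return "suspicious: large high-entropy overlay"
    return "overlay present, low entropy"


def build_sample_pe(overlay: bytes) -> bytes:
    """Construct a minimal, non-runnable PE32 image with one 512-byte section and
    append `overlay`. Header values (timestamp, linker 6.0, entry point 0x77BA,
    code size 28672) are copied from the listing above so the output is easy to
    compare; the bytes themselves are synthetic, not the WannaCry sample."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 1290243905, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, 28672, 0, 0, 0x77BA).ljust(224, b"\0")
    sec = b".text".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + opt + sec).ljust(0x200, b"\0")
    return headers + b"\xC3" * 0x200 + overlay


if __name__ == "__main__":
    # A uniform byte distribution scores exactly 8.00 bits/byte, like the listed overlay.
    info = parse_pe(build_sample_pe(bytes(range(256)) * 256))
    for k, v in info.items():
        print(f"{k:18} {v}")
    print(overlay_verdict(info))
```

To run it on a real file, replace the synthetic image with `open(path, "rb").read()`. Entropy alone does not distinguish an encrypted payload from a legitimately compressed installer, so pair the verdict with a signature check and with the name the file was actually found under.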

IOCs

Hashes:

SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Files associated with Wana Decrypt0r / WanaCrypt0r:

[Installed_Folder]\00000000.eky
[Installed_Folder]\00000000.pky
[Installed_Folder]\00000000.res
[Installed_Folder]\@WanaDecryptor@.exe
[Installed_Folder]\@WanaDecryptor@.exe.lnk
[Installed_Folder]\b.wnry
[Installed_Folder]\c.wnry
[Installed_Folder]\f.wnry
[Installed_Folder]\msg\
[Installed_Folder]\msg\m_bulgarian.wnry
[Installed_Folder]\msg\m_chinese (simplified).wnry
[Installed_Folder]\msg\m_chinese (traditional).wnry
[Installed_Folder]\msg\m_croatian.wnry
[Installed_Folder]\msg\m_czech.wnry
[Installed_Folder]\msg\m_danish.wnry
[Installed_Folder]\msg\m_dutch.wnry
[Installed_Folder]\msg\m_english.wnry
[Installed_Folder]\msg\m_filipino.wnry
[Installed_Folder]\msg\m_finnish.wnry
[Installed_Folder]\msg\m_french.wnry
[Installed_Folder]\msg\m_german.wnry
[Installed_Folder]\msg\m_greek.wnry
[Installed_Folder]\msg\m_indonesian.wnry
[Installed_Folder]\msg\m_italian.wnry
[Installed_Folder]\msg\m_japanese.wnry
[Installed_Folder]\msg\m_korean.wnry
[Installed_Folder]\msg\m_latvian.wnry
[Installed_Folder]\msg\m_norwegian.wnry
[Installed_Folder]\msg\m_polish.wnry
[Installed_Folder]\msg\m_portuguese.wnry
[Installed_Folder]\msg\m_romanian.wnry
[Installed_Folder]\msg\m_russian.wnry
[Installed_Folder]\msg\m_slovak.wnry
[Installed_Folder]\msg\m_spanish.wnry
[Installed_Folder]\msg\m_swedish.wnry
[Installed_Folder]\msg\m_turkish.wnry
[Installed_Folder]\msg\m_vietnamese.wnry
[Installed_Folder]\r.wnry
[Installed_Folder]\s.wnry
[Installed_Folder]\t.wnry
[Installed_Folder]\TaskData\
[Installed_Folder]\TaskData\Data\
[Installed_Folder]\TaskData\Data\Tor\
[Installed_Folder]\TaskData\Tor\
[Installed_Folder]\TaskData\Tor\libeay32.dll
[Installed_Folder]\TaskData\Tor\libevent-2-0-5.dll
[Installed_Folder]\TaskData\Tor\libevent_core-2-0-5.dll
[Installed_Folder]\TaskData\Tor\libevent_extra-2-0-5.dll
[Installed_Folder]\TaskData\Tor\libgcc_s_sjlj-1.dll
[Installed_Folder]\TaskData\Tor\libssp-0.dll
[Installed_Folder]\TaskData\Tor\ssleay32.dll
[Installed_Folder]\TaskData\Tor\taskhsvc.exe
[Installed_Folder]\TaskData\Tor\tor.exe
[Installed_Folder]\TaskData\Tor\zlib1.dll
[Installed_Folder]\taskdl.exe
[Installed_Folder]\taskse.exe
[Installed_Folder]\u.wnry
[Installed_Folder]\wcry.exe

Registry entries associated with Wana Decrypt0r / WanaCrypt0r:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random]	"[Installed_Folder]\tasksche.exe"
HKCU\Software\WanaCrypt0r\
HKCU\Software\WanaCrypt0r\wd	[Installed_Folder]
HKCU\Control Panel\Desktop\Wallpaper	"[Installed_Folder]\Desktop\@WanaDecryptor@.bmp"

Network Communication from Wana Decrypt0r / WanaCrypt0r:

gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion
https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip

Wana Decrypt0r / WanaCrypt0r Lock Screen Text:

What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.

Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.
You can decrypt some of your files for free. Try now by clicking .
But if you want to decrypt all your files, you need to pay.
You only have 3 days to submit the payment. After that the price will be doubled.
Also, if you don't pay in 7 days, you won't be able to recover your files forever.
We will have free events for users who are so poor that they couldn't pay in 6 months.

How Do I Pay?
Payment is accepted in Bitcoin only. For more information, click .
Please check the current price of Bitcoin and buy some bitcoins. For more information, click .
And send the correct amount to the address specified in this window.
After your payment, click . Best time to check: 9:00am - 11:00am GMT from Monday to Friday.
Once the payment is checked, you can start decrypting your files immediately.

Contact
If you need our assistance, send a message by clicking .

We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will not be able to recover your files even if you pay!

Wana Decrypt0r / WanaCrypt0r Ransom Note Text:

Q:  What's wrong with my files?

A:  Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
    If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
    Let's start decrypting!

Q:  What do I do?

A:  First, you need to pay service fees for the decryption.
    Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

    Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software.
    Run and follow the instructions! (You may need to disable your antivirus for a while.)
    
Q:  How can I trust?

A:  Don't worry about decryption.
    We will decrypt your files surely because nobody will trust us if we cheat users.
    

*   If you need our assistance, send a message by clicking  on the decryptor window.

Encrypted File Extensions:

.WCRY
.WNCRY
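As an added example, not part of the original post, the Python below turns the hashes, dropped file names, registry keys, network indicators and encrypted-file extensions listed above into checks a responder can run over a suspect directory, a regedit export and proxy log lines. The sample directory, registry export and log lines are constructed here for illustration; the Run value name and install folder (`xqpkrmvbt`) stand in for the `[random]` and `[Installed_Folder]` placeholders and are invented.

```python
import hashlib
import os
import tempfile

# Indicators transcribed from the lists above, lower-cased for case-insensitive matching.
KNOWN_SHA256 = {"ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa"}
DROPPED_NAMES = {
    "@wanadecryptor@.exe", "@wanadecryptor@.exe.lnk", "tasksche.exe", "taskdl.exe",
    "taskse.exe", "taskhsvc.exe", "wcry.exe", "00000000.eky", "00000000.pky", "00000000.res",
}
ENCRYPTED_EXTS = {".wcry", ".wncry"}
ONION_HOSTS = {
    "gx7ekbenv2riucmf.onion", "57g7spgrzlojinas.onion", "xxlvbrloxvriy2c5.onion",
    "76jdd2ir2embyv47.onion", "cwwnhwhlz52maqm7.onion",
}
TOR_BUNDLE_URL = "https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root):
    """Walk `root`; report dropped-component names, *.wnry files, encrypted victim
    files and the known sample hash. Returns (kind, path) tuples."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path, low = os.path.join(dirpath, name), name.lower()
            ext = os.path.splitext(low)[1]
            if low in DROPPED_NAMES or ext == ".wnry":
                hits.append(("dropped_file", path))
            if ext in ENCRYPTED_EXTS:
                hits.append(("encrypted_file", path))
            if sha256_of(path) in KNOWN_SHA256:  # hashes every file; cap by size in production
                hits.append(("known_hash", path))
    return hits


def scan_reg_export(text):
    """Check a regedit (.reg) export for the Run persistence value, the WanaCrypt0r
    state key and the wallpaper swap listed above."""
    hits, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            if key.startswith(r"hkey_current_user\software\wanacrypt0r"):
                hits.append(("wanacrypt0r_key", key))
        elif "=" in line:
            name, data = line.split("=", 1)
            vname, data = name.strip('"'), data.lower()
            if key.endswith(r"\currentversion\run") and "tasksche.exe" in data:
                hits.append(("run_persistence", key + "\\" + vname))
            elif vname.lower() == "wallpaper" and "@wanadecryptor@.bmp" in data:
                hits.append(("wallpaper", key + "\\" + vname))
    return hits


def scan_log_lines(lines):
    """Flag proxy/firewall log lines touching the Tor bundle URL or the onion hosts."""
    hits = []
    for line in lines:
        low = line.lower()
        if TOR_BUNDLE_URL in line or any(h in low for h in ONION_HOSTS):
            hits.append(("network_ioc", line))
    return hits


# Constructed sample inputs (not data from a real infection).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\""
"xqpkrmvbt"="\"C:\\ProgramData\\xqpkrmvbt\\tasksche.exe\""

[HKEY_CURRENT_USER\Software\WanaCrypt0r]
"wd"="C:\\ProgramData\\xqpkrmvbt"

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\ProgramData\\xqpkrmvbt\\Desktop\\@WanaDecryptor@.bmp"
'''

SAMPLE_LOG = [
    "2017-05-12T07:40:11Z 10.1.2.34 GET https://www.example.com/index.html 200",
    "2017-05-12T07:41:02Z 10.1.2.34 GET https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip 200",
    "2017-05-12T07:42:55Z 10.1.2.34 CONNECT gx7ekbenv2riucmf.onion:80 403",
]


def build_sample_tree():
    """Create a throwaway directory mimicking an infected [Installed_Folder]."""
    root = tempfile.mkdtemp(prefix="wcry_ioc_")
    os.makedirs(os.path.join(root, "msg"))
    for rel, body in {
        "tasksche.exe": b"MZ placeholder, not the real sample",
        "@WanaDecryptor@.exe": b"MZ placeholder",
        os.path.join("msg", "m_english.wnry"): b"Q: What's wrong with my files?",
        "Q3 report.xlsx.WNCRY": b"placeholder ciphertext",
        "readme.txt": b"untouched file",
    }.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()) + scan_reg_export(SAMPLE_REG) + scan_log_lines(SAMPLE_LOG):
        print(*hit)
```

Two caveats when using this for real: the hash only catches this exact sample and the file names are trivial for the operators to change, so the registry state key and the wallpaper swap are the sturdier host artefacts; and .onion names are resolved inside Tor, so they will normally not appear in resolver logs, which makes the Tor bundle download and outbound Tor connections the more observable network signal.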