Indicators Associated With WannaCry Ransomware

Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017. Additionally, Microsoft released patches for Windows XP, Windows 8, and Windows Server 2… on May 13, 2017. According to open sources, one possible infection vector may be through phishing.

Technical Details

Indicators of Compromise (IOC)

See TA17-132A_WannaCry.xlsx and TA17-132A_WannaCry.stix for IOCs developed immediately after WannaCry ransomware appeared. These links contain identical content in two different formats. See TA17-132A_stix.xml for IOCs developed after further analysis of the WannaCry malware.

Analysis

Three files were submitted to US-CERT for analysis. All files are confirmed as components of a ransomware campaign identified as WannaCry, a.k.a. WannaCrypt or .wnCry. The first file is a dropper, which contains and runs the ransomware, propagating via the MS17-010 EternalBlue SMBv1 exploit. The remaining two files are ransomware components containing encrypted plug-ins responsible for encrypting the victim user's files. For a list of IOCs found during analysis, see the STIX file.

Displayed below are YARA signatures that can be used to detect the ransomware.

Yara Signatures

Rule WannaCry_Ransomware_Generic (author: US-CERT Code Analysis Team; reference: not set; description: "Detects WannaCry Ransomware on Disk and in Virtual Page"). Besides several hex byte patterns and a file hash, the rule matches on the following strings:
WannaDecryptor
WANNACRY
Microsoft Enhanced RSA and AES Cryptographic
PKS
StartTask
Copyrigh
Global\WINDOWS_TASKOSHT_MUTEX
Global\WINDOWS_TASKCST_MUTEX
WNcry@2ol7
Global\MsWinZonesCacheCounterMutexA

The following YARA ruleset is under the GNU GPLv3. Rule MS17_010_WannaCry_worm (author: Felipe Molina, felmoltor; reference: https://www…; description: worm exploiting MS17-010, WannaCry ransomware). It matches on the SMB negotiation strings PC NETWORK PROGRAM 1…, LANMAN1.0 and Windows for Workgroups 3…, on the TreeID and UserID placeholder fields used by the exploit, and on two substrings of the WannaCry payload; the condition is "all of them".

Dropper

This artifact (5bef…) is a PE32 executable that has been identified as a WannaCry ransomware dropper. Upon execution, the dropper attempts to connect to the following hard-coded URI: http://www.iuqerfsodp…

Displayed below is a sample request observed:

Begin request
GET / HTTP/1…
Host: www.iuqerfsodp…
Cache-Control: no-cache
End request

If a connection is established, the dropper will terminate execution. If the connection fails, the dropper will infect the system with ransomware.

When executed, the malware is designed to run as a service with the parameters "-m security". During runtime, the malware determines the number of arguments passed during execution. If the arguments passed are less than two, the dropper proceeds to install itself as the following service:

Begin service
Service Name: mssecsvc…
Display Name: Microsoft Security Center 2…
Service Start Type: SERVICE_AUTO_START
Binary Path Name: <current directory>\5bef…
End service

Once the malware starts as a service named mssecsvc…, it scans IP ranges on the local network and attempts to connect using UDP ports 1… and TCP ports 139 and 4…. If a connection to port 4… succeeds, the malware attempts to exploit the SMBv1 vulnerability documented by Microsoft Security Bulletin MS17-010. The malware then extracts and installs a PE32 binary (R). This binary has been identified as the ransomware component of WannaCrypt. The dropper installs this binary into C:\WINDOWS\tasksche… and executes it with the following command:

Begin command
C:\WINDOWS\tasksche…
End command

Note: When this sample was initially discovered, the domain iuqerfsodp… was not registered. However, within a few days, researchers learned that by registering the domain and allowing the malware to connect, its ability to spread was greatly reduced. At this time, all traffic to iuqerfsodp… is being directed to a sinkhole. For this reason, we recommend that administrators and network security personnel not block traffic to this domain.
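As an added example, not code from the US-CERT alert, the following Python triages constructed connection-log lines for the two dropper behaviours described above: hosts whose kill-switch connection failed (the branch in which the dropper infects) and hosts that then sweep the local network on SMB ports. The log format, the placeholder domain suffix, port 445 and the sweep threshold are assumptions.

```python
"""Added example (not from the US-CERT alert): triage constructed connection-log
lines for the two dropper behaviours described above: the kill-switch HTTP
check and the SMB sweep of the local network."""
from collections import defaultdict

KILLSWITCH_PREFIX = "www.iuqerfsodp"  # domain is truncated on the page; match its visible prefix
SMB_PORTS = {139, 445}                 # port 445 is an assumption; the page shows "139, 4..."
SCAN_THRESHOLD = 10                    # distinct SMB destinations per source treated as a sweep

# Constructed sample log, one line per connection: "<epoch> <src> <dst> <dst_port> <result>"
SAMPLE_LOG = [
    "1494590001 10.0.0.5 www.iuqerfsodp.placeholder.invalid 80 FAILED",  # kill switch unreachable
    "1494590002 10.0.0.9 www.iuqerfsodp.placeholder.invalid 80 OK",      # sinkhole reached: dropper exits
    "1494590003 10.0.0.7 10.0.0.30 445 SYN",                             # single SMB connection, benign
] + [f"14945900{10 + i} 10.0.0.5 10.0.0.{20 + i} 445 SYN" for i in range(12)]  # .5 sweeps the subnet

def parse_line(line):
    ts, src, dst, port, result = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port), "result": result}

def killswitch_hits(events):
    """Source -> result for hosts that contacted the kill-switch domain.
    FAILED is the dangerous outcome: the dropper then proceeds to infect."""
    return {e["src"]: e["result"] for e in events if e["dst"].startswith(KILLSWITCH_PREFIX)}

def smb_scanners(events, threshold=SCAN_THRESHOLD):
    """Source -> number of distinct SMB destinations, for sources at or above threshold."""
    targets = defaultdict(set)
    for e in events:
        if e["port"] in SMB_PORTS:
            targets[e["src"]].add(e["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}

def triage(log_lines):
    """Per-host verdict that mirrors the dropper's own decision logic."""
    events = [parse_line(line) for line in log_lines]
    hits, scans = killswitch_hits(events), smb_scanners(events)
    verdicts = {}
    for src in set(hits) | set(scans):
        if hits.get(src) == "OK":
            verdicts[src] = "dropper-ran-exited"       # kill switch reached, no infection
        elif src in hits and src in scans:
            verdicts[src] = "infected-propagating"     # kill switch failed, now sweeping SMB
        elif src in hits:
            verdicts[src] = "infected-not-yet-scanning"
        else:
            verdicts[src] = "smb-sweep-only"           # sweep without a kill-switch lookup seen
    return verdicts
```

Run against real proxy and flow logs, a host in the "infected-propagating" state is the one to isolate first, while an "OK" kill-switch hit still means the dropper executed on that host.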