Player 3 Has Entered the Game: Say Hello to 'WannaCry'

2017-05-12 Cisco Talos

http://blog.talosintelligence.com/2017/05/wannacry.html


Talos describes WannaCry as a worm-like ransomware campaign that scanned TCP port 445 on local and internet-facing systems, exploited the MS17-010 SMB vulnerability with EternalBlue, and used DOUBLEPULSAR to install the ransomware payload. The malware created the mssecsvc2.0 service, dropped tasksche.exe to perform the encryption, used Tor components for network communications, and displayed the ransom note through @WanaDecryptor@.exe while encryption ran in the background. Talos also documented a kill-switch domain, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com: if the sample could complete an HTTP connection to it, the sample stopped its malicious activity. The report emphasizes defensive controls, including Windows patching, blocking externally exposed SMB ports 139 and 445, restricting Tor traffic, and detecting the published hashes, Tor nodes, and port 445 scanning behavior, along with the related Snort coverage.

Indicators of Compromise

