WannaCry Ransomware Analysis #2: SMB Vulnerability Analysis

2017-06-08 Somansa WannaCry Ransomware Analysis #2 SMB Vulnerability Analysis

https://www.somansa.com/wp-content/uploads/2017/06/20170608_report_2.pdf

Attachments

20170608_report_2.pdf (2 MB)


WannaCry spread in a worm-like fashion across Windows hosts by probing SMB services for the MS17-010 remote code execution vulnerability and using values in the SMB responses to decide whether a target was vulnerable or already compromised. The infection flow used SMB negotiation, session setup, tree connect, transaction, transaction2, NT transact, transaction2 secondary, and echo messages before delivering shellcode and an encrypted malicious DLL. On the victim system, the DLL was decrypted as launcher.dll, injected into lsass.exe, and executed through its PlayGame export to create and launch mssecsvc.exe, after which file encryption and further propagation began. The report also notes Tor-based external communication, with a renamed Tor component listening on local port 9050 as a proxy for actions such as payment checks, and recommends isolating affected systems, blocking SMB ports 137, 138, 139, and 445, and applying the MS17-010 patch.

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   24d004a104d4d54034dbcffc2a4b19a…    2017-05-12   2021-12-02
HASH   ed01ebfbc9eb5bbea545af4d01bf5f1…    2017-05-12   2021-12-02
