WannaCry - New Variants Detected!

2017-05-14 Comae

https://www.comae.com/posts/wannacry-new-variants-detected/

Comae analyzed WannaCry variants that appeared after the initial outbreak, including one live sample seen in the wild and one no-kill-switch sample that Kaspersky recovered from VirusTotal. The live variant used the kill-switch domain ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com, which the author registered and sinkholed to stop another infection wave. The source lists hashes for the original and new samples and notes that the no-kill-switch build still spread through ETERNALBLUE and DOUBLEPULSAR but did not encrypt files because its ransomware archive was corrupted. A later update flags reported Lazarus attribution links, but the technical evidence in this excerpt centers on variant behavior, kill switches, and sample comparison.

Indicators of Compromise

