WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

2017-05-24 rain1

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168


WannaCry/WannaDecrypt0r is a ransomware worm that targets unpatched Windows systems vulnerable to MS17-010. It propagates over SMB with the EternalBlue exploit, reaching new hosts either through an exposed TCP port 445 or through hosts already carrying the DOUBLEPULSAR backdoor. The factsheet notes that the malware can run inside active RDP sessions, installs the DOUBLEPULSAR backdoor itself, deletes volume shadow copies so local restore points cannot be used for recovery, and encrypts broad classes of documents, archives, media, databases, source code, and key and certificate files. A hard-coded kill-switch domain made the original worm exit whenever that domain was reachable; a later, damaged variant removed the check but kept the same encryption keys and Bitcoin addresses. The source also documents the encryption scheme (a per-infection RSA-2048 key pair, with file contents encrypted under AES-128-CBC) and Microsoft's MS17-010 patch guidance for the affected Windows versions.
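The two network-side checks that follow from the description above, as an added example (not code from the gist or from rain1): matching proxy/DNS log targets against the DOMAIN indicators in the table on this page, including hidden services reached through a Tor2web-style gateway, and finding firewall records where an internet address was allowed to reach TCP/445 on an internal host, which is exactly the exposure EternalBlue propagation needs. The log line formats, the sample lines, the gateway naming pattern and the use of RFC1918 ranges as "internal" are assumptions made for the example.

```python
# Added example: triage of WannaCry network indicators. Not from the gist.
# Assumed proxy/DNS export format:  <timestamp> <client_ip> <DNS|HTTP|CONNECT> <target>
# Assumed firewall format:          <timestamp> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>
import ipaddress
import re
from collections import Counter

# DOMAIN indicators copied from the table on this page.
IOC_DOMAINS = {
    "blockchain.info",
    "xxlvbrloxvriy2c5.onion",
    "cwwnhwhlz52maqm7.onion",
    "gx7ekbenv2riucmf.onion",
    "76jdd2ir2embyv47.onion",
    "57g7spgrzlojinas.onion",
}
# blockchain.info is a public block explorer, so a hit there is weak evidence on
# its own; the hidden services are specific to this campaign.
CONFIDENCE = {"blockchain.info": "low"}

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(DNS|HTTP|CONNECT)\s+(\S+)$")
FW_RE = re.compile(r"^(\S+)\s+(ALLOW|DENY)\s+TCP\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$")
# "Internal" here means RFC1918 (assumption); ipaddress.is_private is wider than that.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def normalize_host(target):
    """Reduce a URL, host:port or trailing-dot FQDN to a bare lower-case hostname."""
    host = target.lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)  # drop scheme
    host = host.split("/", 1)[0]                       # drop path
    host = host.split(":", 1)[0]                       # drop :port (hostnames/IPv4 only)
    return host.rstrip(".")


def matching_ioc(host):
    """Return the indicator a hostname matches, or None.

    Covers exact and subdomain matches, plus a hidden service reached through a
    Tor2web-style gateway, which appears as '<onion>.onion.<gateway>' (assumed naming).
    """
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
        if ioc.endswith(".onion") and host.startswith(ioc + "."):
            return ioc
    return None


def scan_proxy_log(lines):
    """One dict per log line whose target hits an indicator; malformed lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, kind, target = m.groups()
        host = normalize_host(target)
        ioc = matching_ioc(host)
        if ioc:
            hits.append({"ts": ts, "client": client, "kind": kind, "host": host,
                         "ioc": ioc, "confidence": CONFIDENCE.get(ioc, "high")})
    return hits


def hits_per_client(hits):
    """Count hits per source host so the likely-infected machines surface first."""
    return Counter(h["client"] for h in hits)


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def exposed_smb(fw_lines):
    """(src, dst) pairs where a non-RFC1918 source was ALLOWED to TCP/445 on an internal host."""
    exposed = []
    for line in fw_lines:
        m = FW_RE.match(line.strip())
        if not m:
            continue
        _, action, src, _, dst, dport = m.groups()
        if action == "ALLOW" and dport == "445" and not is_internal(src) and is_internal(dst):
            exposed.append((src, dst))
    return exposed


# Constructed sample data for the example, not real logs.
SAMPLE_PROXY = """\
2017-05-12T14:02:11Z 10.0.5.23 DNS gx7ekbenv2riucmf.onion
2017-05-12T14:02:12Z 10.0.5.23 CONNECT xxlvbrloxvriy2c5.onion.to:443
2017-05-12T14:03:40Z 10.0.7.8 HTTP http://blockchain.info/address/
2017-05-12T14:04:01Z 10.0.9.1 DNS www.example.com
2017-05-12T14:04:05Z 10.0.5.23 DNS 57g7spgrzlojinas.onion.
this line is malformed and must be skipped
""".splitlines()

SAMPLE_FW = """\
2017-05-12T13:59:58Z ALLOW TCP 203.0.113.45:51122 -> 10.0.5.23:445
2017-05-12T14:00:03Z DENY TCP 198.51.100.7:44010 -> 10.0.5.24:445
2017-05-12T14:00:10Z ALLOW TCP 10.0.5.23:49152 -> 10.0.5.30:445
2017-05-12T14:00:30Z ALLOW TCP 203.0.113.45:51130 -> 10.0.5.23:3389
""".splitlines()

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_PROXY):
        print(f"{h['ts']} {h['client']} -> {h['host']} ({h['ioc']}, {h['confidence']})")
    print("hits per client:", dict(hits_per_client(scan_proxy_log(SAMPLE_PROXY))))
    print("internet -> TCP/445 allowed:", exposed_smb(SAMPLE_FW))
```

In the sample, the host 10.0.5.23 both received an inbound SMB connection from the internet and then resolved or contacted three of the hidden services, which is the order of events the worm description implies; the internal 10.0.5.23 to 10.0.5.30 SMB connection is deliberately not flagged by exposed_smb, since lateral 445 traffic is normal on a Windows network and needs the host-side evidence (the IoC hits) to be meaningful.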

Indicators of Compromise

Type    Value                             First Seen   Last Seen
DOMAIN  blockchain.info                   2017-05-24   2023-04-10
DOMAIN  xxlvbrloxvriy2c5.onion            2017-05-12   2021-12-02
DOMAIN  cwwnhwhlz52maqm7.onion            2017-05-12   2021-12-02
DOMAIN  gx7ekbenv2riucmf.onion            2017-05-12   2021-12-02
DOMAIN  76jdd2ir2embyv47.onion            2017-05-12   2021-12-02
DOMAIN  57g7spgrzlojinas.onion            2017-05-12   2021-12-02
EMAIL   [email protected]                 2017-05-24   2017-05-24
URL     https://www.nrk.no/telemark/eli…  2017-05-24   2017-05-24
URL     https://haxx.in/key1.bin          2017-05-24   2017-05-24
URL     http://www.lefigaro.fr/flash-ec…  2017-05-24   2017-05-24
URL     https://haxx.in/key2.bin          2017-05-24   2017-05-24
URL     https://pastebin.com/aaW2Rfb6     2017-05-24   2017-05-24
URL     https://pastebin.com/xZKU7Ph1     2017-05-24   2017-05-24
URL     https://pastebin.com/0LrH05y2     2017-05-24   2017-05-24
