WannaCry IoCs – TLP White

H-ISAC consolidated and more importantly CONFIRMED indicators and notes on WannaCry

 

This information is marked TLP White; Subject to standard copyright laws. TLP: White information may be distributed without restriction.

 

*Any reproduction or reposting of this content requires proper credit/attribution to H-ISAC.

 

 

FILE HASHES (various sources)

 

SHA-256
0345782378ee7a8b48c296a120625fd439ed8699ae857c4f84befeb56e727366
09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
11d0f63c06263f50b972287b4bbd1abe0089bc993f73d75768b6b41e3d6f6d49
149601e15002f78866ab73033eb8577f11bd489a4cea87b10c52a70fdf78d9ff
16493ecc4c4bc5746acbe96bd8af001f733114070d694db76ea7b5a0de7ad0ab
190d9c3e071a38cb26211bfffeb6c4bb88bd74c6bf99db9bb1f084c6a7e1df4e
201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982
4A468603FDCB7A2EB5770705898CF9EF37AADE532A7964642ECD705A74794B79
57c12d8573d2f3883a8a0ba14e3eec02ac1c61dee6b675b6c0d16e221c3777f4
593bbcc8f34047da9960b8456094c0eaf69caaf16f1626b813484207df8bd8af
5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec
6bf1839a7e72a92a2bb18fbedf1873e4892b00ea4b122e48ae80fac5048db1a7
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
7c465ea7bcccf4f94147add808f24629644be11c0ba4823f16e8c19e0090f0ff
9b60c622546dc45cca64df935b71c26dcf4886d6fa811944dbc4e23db9335640
9cc32c94ce7dc6e48f86704625b6cdc0fda0d2cd7ad769e4d0bb1776903e5a13
9e60269c5038de8956a1c6865ebea8627a440a6e839f61e940a8d5f2c6ea4982
9fb39f162c1e1eb55fbf38e670d5e329d84542d3dfcdc341a99f5d07c4b50977
B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
a3900daf137c81ca37a4bf10e9857526d3978be085be265393f98cb075795740
b3c39aeb14425f137b5bd0fd7654f1d6a45c0e8518ef7e209ad63d8dc6d0bac7
b47e281bfbeeb0758f8c625bed5c5a0d27ee8e0065ceeadd76b0010d226206f0
b66db13d17ae8bcaf586180e3dcd1e2e0a084b6bc987ac829bbff18c3be7f8b4
c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9
ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8
d8a9879a99ac7b12e63e6bcae7f965fbf1b63d892a8649ab1d6b08ce711f7127
dff26a9a44baa3ce109b8df41ae0a301d9e4a28ad7bd7721bbb7ccd137bfd696
e14f1a655d54254d06d51cd23a2fa57b6ffdf371cf6b828ee483b1b1d6d21079
e8450dd6f908b23c9cbd6011fe3d940b24c0420a208d6924e2d920f92c894a96
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
eeb9cd6a1c4b3949b2ff3134a77d6736b35977f951b9c7c911483b5caeb1c1fb
f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85
fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a

 

SHA1

 

51e4307093f8ca8854359c0ac882ddca427a813c
87420a2791d18dad3f18be436045280a4cc16fc4
e889544aff85ffaf8b0d0da705105dee7c97fe26
45356a9dd616ed7161a3b9192e2f318d0ab5ad10
bd44d0ab543bf814d93b719c24e90d8dd7111234

 

MD5

 

05a00c320754934782ec5dec1d5c0476
246c2781b88f58bc6b0da24ec71dd028
2b4e8612d9f8cdcf520a8b2e42779ffa
31dab68b11824153b4c975399df0354f
3c6375f586a49fc12a4de9328174f0c1
46d140a0eb13582852b5f778bb20cf0e
4fef5e34143e646dbf9907c4374276f5
4fef5e34143e646dbf9907c4374276f5
509c41ec97bb81b0567b059aa2f50fe8
509c41ec97bb81b0567b059aa2f50fe8
54a116ff80df6e6031059fc3036464df
5bef35496fcbdbe841c82f4d1ab8b7c2
5bef35496fcbdbe841c82f4d1ab8b7c2
638f9235d038a0a001d5ea7f5c5dc4ae
775a0631fb8229b2aa3d7621427085ad
775a0631fb8229b2aa3d7621427085ad
7bf2b57f2a205768755c07f238fb32cc
7bf2b57f2a205768755c07f238fb32cc
7f7ccaa16fb15eb1c7399d422f8363e8
7f7ccaa16fb15eb1c7399d422f8363e8
80a2af99fd990567869e9cf4039edf73
8495400f199ac77853c53b5a3f278f3e
8495400f199ac77853c53b5a3f278f3e
84c82835a5d21bbcf75a61706d8ab549
84c82835a5d21bbcf75a61706d8ab549
86721e64ffbd69aa6944b9672bcabb6d
86721e64ffbd69aa6944b9672bcabb6d
8db349b97c37d22f5ea1d1841e3c89eb
8dd63adb68ef053e044a5a2f46e0d2cd
8dd63adb68ef053e044a5a2f46e0d2cd
b0ad5902366f860f85b892867e5b1e87
b0ad5902366f860f85b892867e5b1e87
b7f7ad4970506e8547e0f493c80ba441
bec0b7aff4b107edd5b9276721137651
c39ed6f52aaa31ae0301c591802da24b
c61256583c6569ac13a136bfd440ca09
d6114ba5f10ad67a4131ab72531f02da
d6114ba5f10ad67a4131ab72531f02da
db349b97c37d22f5ea1d1841e3c89eb4
db349b97c37d22f5ea1d1841e3c89eb4
e372d07207b4da75b3434584cd9f3450
e372d07207b4da75b3434584cd9f3450
f107a717f76f4f910ae9cb4dc5290594
f107a717f76f4f910ae9cb4dc5290594
f529f4556a5126bba499c26d67892240
f529f4556a5126bba499c26d67892240
f9992dfb56a9c6c20eb727e6a26b0172
f9cee5e75b7f1298aece9145ea80a1d2

 

URLS

 

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com – Kill-Switch (NEEDS TO BE WHITELISTED)

 

ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com – Possible new sample d5dcd28612f4d6ffca0cfeaefd606bcf

 

ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com – Possible new sample 4287e15af6191f5cab1c92ff7be8dcc3

 

 

TOR PAYMENT SITES

 

57g7spgrzlojinas[.]onion
76jdd2ir2embyv47[.]onion
Xxlvbrloxvriy2c5[.]onion
cwwnhwhlz52maqm7[.]onion
gx7ekbenv2riucmf[.]onion
sqjolphimrr7jqw6[.]onion
xxlvbrloxvriy2c5[.]onion

 

EXECUTABLES

 

C:WINDOWStasksche.exe
C:Windowsmssecsvc.exe

 

REGISTRY KEYS

 

HKEY_CURRENT_USERSoftwareWanaCrypt0r
HKEY_LOCAL_MACHINESoftwareWanaCrypt0r

 

BITCOIN WALLETS

 

https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

 

As of 5/15/17 – 207 payments / 31.21475313 BTC / $54,528

 

AFFECTED FILE TYPES INCLUDE:

 

1. Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
2. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
3. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
4. Developers’ sourcecode and project files (.php, .java, .cpp, .pas, .asm).
5. Emails and email databases (.eml, .msg, .ost, .pst, .edb).
6. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
7. Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
8. Less common and nation-specific office formats (.sxw, .odt, .hwp).
9. Virtual machine files (.vmx, .vmdk, .vdi).

 

RANSOMWARE FILE EXTENSIONS

 

.wnry, .wcry, .wncry, and .wncryt

 

GOOD ANALYSIS WEBSITES

 

– www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis
– blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/
– intel.malwaretech.com/botnet/wcrypt/?t=24h&bid=all

 

MICROSOFT Guidance

 

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

 

SAMPLES TESTING RESULTS

 

– Attempts to infect a XP Pro SP2/SP3 device via SMB were unsuccessful. All attempts resulted in a BSOD on the target and auto reboot. Infection executed locally is successful
– Confirmed that disabling SMBv1 on Win7 Pro SP1 protects it from infection via SMB.
– Attempts to locally infect the same Win7 lab device were unsuccessful. DNS query for kill-switch domain was observed after execution (NXDOMAIN response was forged) but ransomware nor worm components executed.

 

MITIGATION STEPS

 

– Install MS17-010 patch (http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598)
– PowerShell cmdlet used to disable SMBv1: Set-ItemProperty -Path “HKLM:SYSTEMCurrentControlSetServicesLanmanServerParameters” SMB1 -Type DWORD -Value 0 -Force
– Confirmed that disabling SMBv1 via PowerShell does not require a reboot
– Switch ACL to turn off SMB services

 

SNORT SIGS (http://docs.emergingthreats.net/bin/view/Main/2024218)

 

alert smb $HOME_NET any -> any any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response”; flow:from_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|”; depth:16; fast_pattern; content:”|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|”; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)

 

alert smb $HOME_NET any -> any any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response”; flow:from_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|”; depth:16; fast_pattern; content:”|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|”; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; metadata: former_category EXPLOIT; classtype:trojan-activity; sid:2024218; rev:1;)

 

alert smb $HOME_NET any -> any any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response”; flow:from_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|”; depth:16; fast_pattern; content:”|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|”; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)

 

Courtesy of the H-ISAC Threat Intelligence Committee