WannaCry IOCs and Technical Details

Technical Details

It is currently unclear whether this payload is delivered via malicious attachment or through the WAN using the FuzzBunch EternalBlue SMB exploit.

The malware behaves much like typical ransomware during execution on the victim’s machine.

Below are the operations that are run via cmd.exe:

/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

/c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "zvcytmeqpytz910" /t REG_SZ /d "\"C:\tasksche.exe\"" /f

The first command deletes shadow copies and the backup catalog, disables Windows recovery, and sets the boot status policy to "ignoreallfailures" so startup errors are suppressed; the second adds a Run key so C:\tasksche.exe launches at every logon. Victims are reporting that machines are getting a BSoD or being prompted to reboot. Once rebooted, they are greeted with the ransom note.
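Added example (not from the original advisory): a small detection routine that classifies process-creation command lines against the two cmd.exe operations above. The log lines are constructed; the rule names, scoring and the assumption that command lines come from a source such as Sysmon Event ID 1 or Security event 4688 are mine.

```python
import re

# Constructed sample command lines. The first two mirror the WannaCry cmd.exe
# operations described above; the others are benign administrative activity.
SAMPLE_COMMAND_LINES = [
    'cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & '
    'bcdedit /set {default} bootstatuspolicy ignoreallfailures & '
    'bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet',
    'cmd.exe /c reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run '
    '/v "zvcytmeqpytz910" /t REG_SZ /d "\\"C:\\tasksche.exe\\"" /f',
    'vssadmin list shadows',
    'reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run '
    '/v OneDrive /t REG_SZ /d "C:\\Program Files\\OneDrive.exe" /f',
    'bcdedit /enum',
]

# Rule names are hypothetical. Patterns are case-insensitive and whitespace-tolerant.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("boot_recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                r"(bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)", re.I)),
    ("backup_catalog_deleted",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("run_key_persistence",
     re.compile(r"reg(\.exe)?\s+add\s+(HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft"
                r"\\Windows\\CurrentVersion\\Run\b", re.I)),
]
# Rules that inhibit recovery; several of them chained in one command line is the
# pattern seen here and is scored higher than any single hit.
IMPACT_RULES = {"shadow_copy_deletion", "boot_recovery_disabled", "backup_catalog_deleted"}


def classify(cmdline: str) -> dict:
    """Return the matched rule names and a severity for one command line."""
    hits = [name for name, pattern in RULES if pattern.search(cmdline)]
    impact = [h for h in hits if h in IMPACT_RULES]
    if len(impact) >= 2:
        severity = "critical"   # chained inhibit-recovery commands, as in the sequence above
    elif impact:
        severity = "high"
    elif hits:
        severity = "low"        # Run-key autostart is common for legitimate software; review the path
    else:
        severity = None
    return {"severity": severity, "rules": hits}


def scan(lines):
    """Return a finding for every command line that matched at least one rule."""
    return [{"cmdline": line, **classify(line)} for line in lines if classify(line)["severity"]]
```

Feeding real 4688/Sysmon command lines through `scan()` surfaces the recovery-inhibition chain regardless of the parent binary, which is the part of this sequence least likely to vary between samples.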

Palo Alto Networks Customers with Threat Subscription

Palo Alto Networks released this emergency content update to modify coverage for a Microsoft SMB Remote Code Execution Vulnerability for exploits seen in the wild related to the WanaCryptor ransomware attacks. Customers are advised to upgrade all firewalls and appliances to the latest version of Content Apps and Threats and review policies to ensure desired actions are configured on all security policies.

Modified Vulnerability Signatures (1)

Severity:               critical
ID:                     32422
Attack Name:            Microsoft Windows SMB Remote Code Execution Vulnerability
CVE ID:                 CVE-2017-0144, CVE-2017-0146
Vendor ID:              MS17-010
Default Action:         reset-both
Minimum PAN-OS Version: 5.0.0

SNORT Emerging Threat Rule


Sandbox Analysis


Indicators of Compromise


IP Addresses and Domains



Hashes

https://gist.github.com/Blevene/42bed05ecb51c1ca0edf846c0153974a
