cephurs

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the viru

#petya #petrWrap #notPetya

Win32/Diskcoder.Petya.C

Ransomware attack.

About

This gist was built by the community of the researchers and was scribed by Kir and Igor from the QIWI/Vulners. We are grateful for the help of all those who sent us the data, links and information. Together we can make this world a better place!

Gist updates

Links describing the leaked EQ Group tools for Windows

Repositories and ports

Lost in Translation - A repository of the leaked tools
MS17-010 - Port of some of the exploits to Windows 10

	#/etc/pam.d/system-auth
	#%PAM-1.0

	# Jump two rules if login succeeds.
	auth [success=2 default=ignore] pam_unix.so nullok_secure
	auth optional pam_exec.so /home/pamcam.sh
	auth requisite pam_deny.so

	# User gets here if authentication is successful. No denying, no cam module.
	auth required pam_unix.so try_first_pass nullok


	" _ _ "
	" _ /\|\| . . \|\|\ _ "
	" ( } \\|\|D ' ' ' C\|\|/ { % "
	" \| /\__,=_[_] ' . . ' [_]_=,__/\ \|"
	" \|_\_ \|----\| \|----\| _/_\|"
	" \| \|/ \| \| \| \| \\| \|"
	" \| /_ \| \| \| \| _\ \|"

	It is all fun and games until someone gets hacked!

	function Get-InjectedThread
	{
	<#

	.SYNOPSIS

	Looks for threads that were created as a result of code injection.

	.DESCRIPTION

	Windows Registry Editor Version 5.00

	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskdl.exe]
	"Debugger"="taskkill /F /IM "

	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskse.exe]
	"Debugger"="taskkill /F /IM "

	[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wannacry.exe]
	"Debugger"="taskkill /F /IM "

	# requires PSReflect.ps1 to be in the same directory as this script
	. .\PSReflect.ps1

	$Module = New-InMemoryModule -ModuleName RegHide
	# Define our structs.

	# https://msdn.microsoft.com/en-us/library/windows/hardware/ff564879(v=vs.85).aspx
	# typedef struct _UNICODE_STRING {
	# USHORT Length;
	# USHORT MaximumLength;

	# A port of Joakim Schicht's RegKeyFixer in PowerShell.
	# https://github.com/jschicht/RegKeyFixer
	#
	# This script will recursively search keys starting from the Keyname
	# for any value entry names with null characters
	# Example usage:
	# $SID = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
	# $KeyName = "\Registry\User\$SID\SOFTWARE\Microsoft\Windows\CurrentVersion"
	# $Results = Get-HiddenNames -KeyName $KeyName
	# $Results \| Remove-HiddenNames

	#!/bin/bash

	# small tool to retreive vk.com (vkontakte) users hidden metadata (state, access, dates, counts, etc) anonymously (without login)

	# sudo apt install curl

	parse(){
	local IFS=\>
	read -d \< CELL VALUE
	}