wcry.md

wcry.md

Ransomware attack hits UK NHS, Spain Telefonica, 74 countries affected.

• Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
• Vector: Windows 7 is vulnerable. It uses EternalBlue MS17-010 to propagate.

Malware samples

• hxxps://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
• hxxps://transfer.sh/PnDIl/CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE
• hxxps://transfer.sh/ZhnxR/CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.EXE (main dll)

Binary blob in PE crypted with pass 'WNcry@2ol7'

Informative Tweets

• https://twitter.com/kafeine/status/863049739583016960

Cryptography details

• encrypted via AES-128
• AES key generated with a CSPRNG, CryptGenRandom
• AES key is encrypted by RSA

Bitcoin ransom addresses

3 addresses hard coded into the malware.

• https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
• https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
• https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

C&C centers

• gx7ekbenv2riucmf.onion
• 57g7spgrzlojinas.onion
• xxlvbrloxvriy2c5.onion
• 76jdd2ir2embyv47.onion
• cwwnhwhlz52ma.onion

Languages

m_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czech, m_danish, m_dutch, m_english, m_filipino, m_finnish, m_french, m_german, m_greek, m_indonesian, m_italian, m_japanese, m_korean, m_latvian, m_norwegian, m_polish, m_portuguese, m_romanian, m_russian, m_slovak, m_spanish, m_swedish, m_turkish, m_vietnamese