WannaCry IOCs and Technical Details

Technical Details

It is currently unclear whether this payload is delivered via malicious attachment or through the WAN using the FuzzBunch EternalBlue SMB exploit.

The malware behaves much like typical ransomware during execution on the victim’s machine.

Below are the operations that are ran via cmd.exe:

/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

/c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v “zvcytmeqpytz910” /t REG_SZ /d “\”C:\tasksche.exe\”” /f 

Deletes shadow copies, disables recovery, and sets the “ignoreallfailures” at startup. Victims are reporting that the machines are getting the BSoD or being prompted to reboot. Once rebooted, they are greeted with the ransom.

Palo Alto Networks Customers with Threat Subscription

Palo Alto Networks released this emergency content update to modify coverage for a Microsoft SMB Remote Code Execution Vulnerability for exploits seen in the wild related to the WanaCryptor ransomware attacks.  Customers are advised to upgrade all firewalls and appliances to the latest version of Content Apps and Threats and review policies to ensure desired actions are configured on all security policies.

Modified Vulnerability Signatures (1)

SNORT Emerging Threat Rule

• http://docs.emergingthreats.net/bin/view/Main/2024218

Sandbox Analysis

• https://www.hybrid-analysis.com/sample/57c12d8573d2f3883a8a0ba14e3eec02ac1c61dee6b675b6c0d16e221c3777f4?environmentId=100
• https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa/?environmentId=100
• https://www.hybrid-analysis.com/sample/b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25?environmentId=100

Indicators of Compromise

• https://community.blueliv.com/#!/s/5915f47582df411402e55726

IP Addresses and Domains

IPv4       197(.)231.221.211

IPv4       128(.)31.0.39

IPv4       149(.)202.160.69

IPv4       46(.)101.166.19

IPv4       91(.)121.65.179

URL       hxxp://www(.)btcfrog(.)com/qr/bitcoinpng(.)php?address

URL hxxp://www(.)rentasyventas(.)com/incluir/rk/imagenes(.)html

URL hxxp://www(.)rentasyventas(.)com/incluir/rk/imagenes(.)html?retencion=081525418

URL       hxxp://gx7ekbenv2riucmf(.)onion

URL       hxxp://57g7spgrzlojinas(.)onion

URL       hxxp://xxlvbrloxvriy2c5(.)onion

URL       hxxp://76jdd2ir2embyv47(.)onion

URL       hxxp://cwwnhwhlz52maqm7(.)onion

URL       hxxp://197.231.221(.)211           Port:9001

URL       hxxp://128.31.0(.)39                    Port:9191

URL       hxxp://149.202.160(.)69             Port:9001

URL       hxxp://46.101.166(.)19               Port:9090

URL       hxxp://91.121.65(.)179               Port:9001

Hashes