WannaCry

NETSCOUT Blog
by ASERT Team on

Information regarding the WannaCry ransomware is spreading as quickly as the malware itself and is expected to do so throughout the weekend. This blog provides some information from our malware processing system that may, or may not be, available elsewhere.

The WannaCry ransomware propagates by exploiting a remote code execution vulnerability in Microsoft Windows that surfaced via the Shadowbrokers dump on April 14th. Microsoft released a patch on March 14th. Systems should be patched or SMBv1/CIFS disabled immediately to reduce the likelihood of infection:

Microsoft Security Bulletin MS17-010 (Critical): https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010
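As an added example (not part of the ASERT post), the following PowerShell script audits the two host-level mitigations recommended above, whether SMBv1 is still enabled and whether an MS17-010 update is installed, and disables SMBv1 when run with `-Remediate`. It assumes an elevated session on Windows 8/Server 2012 or later; the `$Ms17010Kbs` list is a placeholder that must be filled with the KB numbers for the host's OS build from the bulletin linked above.

```powershell
# Audit, and optionally remediate, SMBv1 exposure on a Windows host.
# Run elevated. Example code, not from the original post.
param([switch]$Remediate)

# Placeholder: KB identifiers for this OS build, taken from the MS17-010 bulletin.
$Ms17010Kbs = @('KB<fill-from-MS17-010-for-this-build>')

$report = [ordered]@{}

# 1. Server-side SMBv1 switch (Get-SmbServerConfiguration, Windows 8 / 2012+).
$cfg = Get-SmbServerConfiguration
$report['SMB1ServerEnabled'] = $cfg.EnableSMB1Protocol

# 2. Legacy registry value honoured by older builds: 0 = disabled, 1 or absent = enabled.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1Reg = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
$report['SMB1RegistryValue'] = if ($null -eq $smb1Reg) { 'absent (defaults to enabled)' } else { $smb1Reg }

# 3. Optional-feature state on client SKUs (not present on every build).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { $report['SMB1FeatureState'] = $feature.State }

# 4. Is any MS17-010 update from the placeholder list installed?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
$report['MS17-010Installed'] = [bool]$installed

[pscustomobject]$report | Format-List

if ($Remediate) {
    # Turn SMBv1 off at every layer the audit inspected; a reboot completes the change.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Set-ItemProperty -Path $regPath -Name SMB1 -Type DWord -Value 0
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
    Write-Output 'SMBv1 disabled; restart the host to finish. Patching still requires the MS17-010 update.'
}
```

Disabling SMBv1 blocks the propagation path but does not replace the patch; hosts that still need SMBv1 for legacy devices should be isolated by the segmentation the post describes.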

Additionally, appropriate network segmentation is always a best practice and should also be used to limit the exposure of Microsoft SMB not only externally, but on internal networks as well. The following information is derived from dynamic analysis of 14 WannaCry samples and is provided as additional context for incident responders:

Behavioral Signatures from Malware Sandbox:

  • Adds autostart object
  • Dumps and runs batch script
  • Modifies registry autorun entries
  • Creates executable in application data folder
  • Modifies file attributes via attrib.exe
  • Modifies Windows Registry from the command line
  • Renames file on boot

Mutexes:

  • Global\MsWinZonesCacheCounterMutexA

Created Files of Interest:

  • !Please Read Me!.txt
  • @WanaDecryptor@.exe
  • tor.exe
  • taskdl.exe
  • *.bat