Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'
http://blog.talosintelligence.com/2017/05/wannacry.html
FRIDAY, MAY 12, 2017

EXECUTIVE SUMMARY
Additionally, Talos has observed WannaCry samples making use of DOUBLEPULSAR, a persistent backdoor that is generally used to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware. This backdoor is typically installed following successful exploitation of SMB vulnerabilities addressed as part of Microsoft Security Bulletin MS17-010. This backdoor is associated with an offensive exploitation framework that was released as part of the Shadow Brokers cache that was recently released to the public. Since its release it has been widely analyzed and studied by the security industry as well as on various underground hacking forums. WannaCry does not appear to be leveraging only the ETERNALBLUE modules associated with this attack framework; it is simply scanning accessible servers for the presence of the DOUBLEPULSAR backdoor. In cases where it identifies a host that has been implanted with this backdoor, it simply leverages the existing backdoor functionality and uses it to infect the system with WannaCry. In cases where the system has not been previously compromised and implanted with DOUBLEPULSAR, the malware will use ETERNALBLUE for the initial exploitation of the SMB vulnerability. This is the cause of the worm-like activity that has been widely observed across the internet.
Please note this threat is still under active investigation; the situation may change as we learn more or as our adversary responds to our actions. Talos will continue to actively monitor and analyze this situation for new developments and respond accordingly. As a result, new coverage may be developed or existing coverage adapted and/or modified at a later date. For current information, please refer to your Firepower Management Center or Snort.org.
INFRASTRUCTURE ANALYSIS

Cisco Umbrella researchers first observed requests for one of WannaCry's killswitch domains (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) starting at 07:24 UTC, then rising to a peak of just over 1,400 nearly 10 hours later.
The domain composition looks almost human typed, with most characters falling into the top and home rows of a keyboard.
Communication to this domain might be categorized as a kill switch domain due to its role in the overall execution of the malware:

The above subroutine attempts an HTTP GET to this domain, and if it fails, continues to carry out the infection. However, if it succeeds, the subroutine exits. The domain is registered to a well known sinkhole, effectively causing this sample to terminate its malicious activity.
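Because the kill switch check runs before anything else, a DNS lookup of the domain from a client is evidence that the sample executed there, whether or not the HTTP GET then succeeded. The following triage script is an added example, not Talos or Umbrella code; it assumes a BIND-style query log (the lines below are constructed) and takes the domain from the post in its defanged form.

```python
"""Triage DNS query logs for the WannaCry kill switch domain (added example, not
Talos code). Any client that looked the name up ran the sample; the hourly
tally mirrors the kind of curve Umbrella observed. Query-log lines below are
constructed in a BIND-style shape for this example.
"""
from collections import Counter
from datetime import datetime

# Defanged form as published in the post; refanged at match time.
KILLSWITCH_DEFANGED = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com"

def refang(indicator):
    """IoC feeds defang dots as '[.]'; restore them so the name matches real logs."""
    return indicator.replace("[.]", ".").lower()

# Constructed sample log (not real traffic): timestamp, client, qname, type.
SAMPLE_QUERYLOG = """\
12-May-2017 07:24:13.101 client 10.0.5.21#53411: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.2)
12-May-2017 07:24:14.002 client 10.0.5.21#53412: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.2)
12-May-2017 07:31:40.550 client 10.0.7.9#41000: query: blog.talosintelligence.com IN A + (10.0.0.2)
12-May-2017 08:02:05.117 client 10.0.9.77#60123: query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM IN A + (10.0.0.2)
12-May-2017 08:10:19.904 client 10.0.5.21#53460: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.2)
12-May-2017 09:45:00.000 client 10.0.3.3#50001: query: notiuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.2)
"""

def parse_query(line):
    """Pull (timestamp, client_ip, qname) out of a BIND-style query log line."""
    parts = line.split()
    ts = datetime.strptime(parts[0] + " " + parts[1], "%d-%b-%Y %H:%M:%S.%f")
    client = parts[3].split("#")[0]          # "10.0.5.21#53411:" -> "10.0.5.21"
    qname = parts[5].rstrip(".").lower()     # normalise case and trailing dot
    return ts, client, qname

def matches(qname, domain):
    """Exact label match or a subdomain; 'notiuqer...com' must not match."""
    return qname == domain or qname.endswith("." + domain)

def triage(log_text, defanged=KILLSWITCH_DEFANGED):
    """Return (first_seen per client, query count per hour) for the kill switch."""
    domain = refang(defanged)
    first_seen = {}
    per_hour = Counter()
    for line in log_text.splitlines():
        ts, client, qname = parse_query(line)
        if not matches(qname, domain):
            continue
        first_seen.setdefault(client, ts)    # earliest lookup = earliest execution
        per_hour[ts.strftime("%Y-%m-%d %H:00")] += 1
    return first_seen, per_hour

if __name__ == "__main__":
    clients, hourly = triage(SAMPLE_QUERYLOG)
    for ip, ts in sorted(clients.items(), key=lambda kv: kv[1]):
        print(f"{ip} first queried the kill switch at {ts:%H:%M:%S} UTC")
    for hour, n in sorted(hourly.items()):
        print(f"{hour}: {n} queries")
```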
The raw registration information re-enforces this as it was registered on 12 May 2017:
MALWARE ANALYSIS

An initial file mssecsvc.exe drops and executes the file tasksche.exe. The kill switch domain is then checked. Next, the service mssecsvc2.0 is created. This service executes the file mssecsvc.exe with a different entry point than the initial execution. This second execution checks the IP address of the infected machine and attempts to connect to port 445 TCP of each IP address in the same subnet. When the malware successfully connects to a machine, a connection is initiated and data is transferred. We believe this network traffic is an exploit payload. It has been widely reported this is exploiting recently disclosed vulnerabilities addressed by Microsoft in bulletin MS17-010. We currently don't have a complete understanding of the SMB traffic, and exactly what conditions need to be present for it to spread using this method.
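The subnet sweep described above is visible in flow or firewall logs: one source opening TCP 445 to many distinct addresses inside its own /24 within seconds. The detector below is an added example, not Talos code; it assumes a simple constructed connection-log format (timestamp, source, destination, protocol/port) and the threshold and window values are illustrative.

```python
"""Flag WannaCry-style SMB scanning in connection logs (added example, not
Talos code). The post describes the second mssecsvc.exe execution reading the
host's IP address and then trying TCP 445 on every address in the same subnet;
one source touching many distinct 445 destinations inside its own /24 in a
short window is the pattern hunted here. The log format is constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: "<ISO timestamp> <src_ip> <dst_ip> <proto>/<dst_port>"
SAMPLE_LOG = """\
2017-05-12T10:15:01 10.20.30.15 10.20.30.1 tcp/445
2017-05-12T10:15:01 10.20.30.15 10.20.30.2 tcp/445
2017-05-12T10:15:02 10.20.30.15 10.20.30.3 tcp/445
2017-05-12T10:15:02 10.20.30.15 10.20.30.4 tcp/445
2017-05-12T10:15:03 10.20.30.15 10.20.30.5 tcp/445
2017-05-12T10:15:03 10.20.30.15 10.20.30.6 tcp/445
2017-05-12T10:15:04 10.20.30.15 10.20.30.7 tcp/445
2017-05-12T10:15:04 10.20.30.15 10.20.30.8 tcp/445
2017-05-12T10:15:05 10.20.30.15 10.20.30.9 tcp/445
2017-05-12T10:15:05 10.20.30.15 10.20.30.10 tcp/445
2017-05-12T10:15:06 10.20.30.15 10.20.30.11 tcp/445
2017-05-12T10:15:07 10.20.30.15 10.20.30.12 tcp/445
2017-05-12T10:16:00 10.20.30.40 10.20.30.50 tcp/445
2017-05-12T10:16:05 10.20.30.40 10.20.30.51 tcp/445
2017-05-12T10:16:10 10.20.30.40 10.20.99.8 tcp/445
2017-05-12T10:16:30 10.20.30.41 10.20.30.2 tcp/80
"""

def parse_line(line):
    """Split one constructed record into typed fields."""
    ts, src, dst, svc = line.split()
    proto, port = svc.split("/")
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), proto, int(port))

def find_smb_scanners(log_text, threshold=10, window=timedelta(seconds=60)):
    """Return {src: distinct_targets} for sources that reached >= threshold
    distinct hosts in their own /24 on tcp/445 within any window-long span."""
    events = defaultdict(list)              # src -> [(ts, dst)]
    for line in log_text.splitlines():
        ts, src, dst, proto, port = parse_line(line)
        if proto != "tcp" or port != 445:
            continue
        own_subnet = ipaddress.ip_network(f"{src}/24", strict=False)
        if dst in own_subnet:               # the malware sweeps its own subnet
            events[src].append((ts, dst))
    hits = {}
    for src, pairs in events.items():
        pairs.sort()
        for i, (t0, _) in enumerate(pairs):     # sliding window from each event
            targets = {d for t, d in pairs[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                hits[str(src)] = len(targets)
                break
    return hits

if __name__ == "__main__":
    for src, n in find_smb_scanners(SAMPLE_LOG).items():
        print(f"possible SMB worm scan from {src}: {n} /24 neighbours on tcp/445")
```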
The file tasksche.exe checks for disk drives, including network shares and removable storage devices mapped to a letter, such as 'C:/', 'D:/' etc. The malware then checks for files with a file extension as listed in the appendix and encrypts these using 2048-bit RSA encryption. While the files are being encrypted, the malware creates a new file directory 'Tor/' into which it drops tor.exe and nine dll files used by tor.exe. Additionally, it drops two further files: taskdl.exe & taskse.exe. The former deletes temporary files while the latter launches @wanadecryptor@.exe to display the ransom note on the desktop to the end user. The @wanadecryptor@.exe is not in and of itself the ransomware, only the ransom note. The encryption is performed in the background by tasksche.exe.

WannaCry uses various methods to attempt to aid its execution by leveraging both attrib.exe to modify the +h flag (hide) and also icacls.exe to allow full access rights for all users, "icacls . /grant Everyone:F /T /C /Q"
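Both helper invocations show up in process-creation telemetry and are rare from a legitimate parent. The hunt below is an added example, not Talos code; the events are constructed in a Sysmon-like (image, command line, parent image, working directory) shape, and the "C:\constructed\dropdir" path is a placeholder rather than a path from the post.

```python
"""Hunt for WannaCry's directory-preparation commands in process-creation
telemetry (added example, not Talos code). The post names two helpers the
malware runs in its working directory: attrib.exe to set the +h (hidden) flag
and "icacls . /grant Everyone:F /T /C /Q" to give every user full control.
"""
import re

# icacls granting Everyone full control; also accepts the (OI)(CI)F inheritance form
ICACLS_EVERYONE_FULL = re.compile(
    r"/grant(?::r)?\s+Everyone:(?:\([A-Z]+\))*F\b", re.IGNORECASE)

# Constructed events: (Image, CommandLine, ParentImage, CurrentDirectory).
# "C:\constructed\dropdir" is a placeholder, not a path from the post.
EVENTS = [
    (r"C:\Windows\System32\attrib.exe", "attrib +h .",
     r"C:\constructed\dropdir\tasksche.exe", r"C:\constructed\dropdir"),
    (r"C:\Windows\System32\icacls.exe", "icacls . /grant Everyone:F /T /C /Q",
     r"C:\constructed\dropdir\tasksche.exe", r"C:\constructed\dropdir"),
    (r"C:\Windows\System32\icacls.exe", r"icacls C:\Share /grant CORP\Users:R /T",
     r"C:\Windows\System32\cmd.exe", r"C:\Users\admin"),
    (r"C:\Windows\System32\attrib.exe", "attrib -r notes.txt",
     r"C:\Windows\System32\cmd.exe", r"C:\Users\admin"),
]

def classify(cmd):
    """Tag a command line as 'attrib_hide', 'icacls_everyone_full' or None."""
    parts = cmd.split()
    if not parts:
        return None
    exe = parts[0].strip('"').lower().rsplit("\\", 1)[-1]
    exe = exe[:-4] if exe.endswith(".exe") else exe   # "icacls" and "icacls.exe" alike
    flags = {p.lower() for p in parts[1:]}
    if exe == "icacls" and "/t" in flags and ICACLS_EVERYONE_FULL.search(cmd):
        return "icacls_everyone_full"
    if exe == "attrib" and "+h" in flags:
        return "attrib_hide"
    return None

def hunt(events):
    """Alert on any recursive Everyone:F grant, and escalate when the same parent
    also hid its working directory with attrib +h (the staging pattern in the post)."""
    seen = {}                      # (parent, cwd) -> tags observed so far
    alerts = []
    for _image, cmd, parent, cwd in events:
        tag = classify(cmd)
        if tag is None:
            continue
        if tag == "icacls_everyone_full":
            alerts.append({"severity": "high", "reason": tag, "parent": parent, "cwd": cwd})
        tags = seen.setdefault((parent, cwd), set())
        tags.add(tag)
        if tags == {"attrib_hide", "icacls_everyone_full"}:
            alerts.append({"severity": "critical",
                           "reason": "attrib +h and icacls Everyone:F from one parent",
                           "parent": parent, "cwd": cwd})
    return alerts

if __name__ == "__main__":
    for a in hunt(EVENTS):
        print(f"[{a['severity']}] {a['reason']}: parent={a['parent']} cwd={a['cwd']}")
```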
The malware has been designed as a modular service. It appears to us that the executable files associated with the ransomware have been written by a different individual than whomever developed the service module. Potentially, this means that the structure of this malware can be used to deliver and run different malicious payloads.

After encryption is complete, the malware displays the following ransomware note. One interesting aspect of this ransomware variant is that the ransom screen is actually an executable and not an image, HTA file, or text file.

Organisations should be aware that there is no obligation for criminals to supply decryption keys following the payment of a ransom. Talos strongly urges anyone who has been compromised to avoid paying the ransom if possible as paying the ransom directly funds development of these malicious campaigns.
MITIGATION AND PREVENTION

Organizations looking to mitigate the risk of becoming compromised should follow these recommendations:

Ensure all Windows-based systems are fully patched. At a very minimum, ensure Microsoft bulletin MS17-010 has been applied.

In accordance with known best practices, any organization who has SMB publicly accessible via the internet (ports 139, 445) should immediately block inbound traffic.

Additionally, organizations should strongly consider blocking connections to TOR nodes and TOR traffic on the network. Known TOR exit nodes are listed within the Security Intelligence feed of ASA Firepower devices. Enabling this to be blacklisted will prevent outbound communications to TOR networks.

In addition to the mitigations listed above, Talos strongly encourages organizations to take the following industry-standard recommended best practices to prevent attacks and campaigns like this and similar ones.

Ensure your organization is running an actively supported operating system that receives security updates.

Have effective patch management that deploys security updates to endpoints and other critical parts of your infrastructure in a timely manner.

Run anti-malware software on your system and ensure you regularly receive malware signature updates.

Implement a disaster recovery plan that includes backing up and restoring data from devices that are kept offline. Adversaries frequently target backup mechanisms to limit the possibilities a user may be able to restore their files without paying the ransom.
COVERAGE

Snort Rule: 42329-42332, 42340, 41978

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

Additional ways our customers can detect and block this threat are listed below.

Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Umbrella prevents DNS resolution of the domains associated with malicious activity.

IoCs

File names
CnC IPs
POSTED BY ALEXANDER CHIU AT 6:09 PM
LABELS: COVERAGE, MALWARE RESEARCH, MS17-010, RANSOMWARE

43 COMMENTS:
SIMPLE#CSS MAY 12, 2017 AT 6:38 PM
Are you guys aware of Meraki's coverage of this threat?
Replies
CRAIG WILLIAMS MAY 13, 2017 AT 8:48 AM
Meraki's security devices run snort, AMP, and Umbrella; the coverage is outlined above.

MAIQUEL MAY 12, 2017 AT 6:44 PM
Nice post.
Tks.
Wunderbar !
ABOOD NOUR MAY 12, 2017 AT 7:52 PM
Best analysis so far! Thanks!

MARIONFSU MAY 12, 2017 AT 9:32 PM
Always articulate!

Great work!
TIM WOOLFORD MAY 13, 2017 AT 1:39 AM
Can you elaborate why a CCC ToR authority network address is in the CnC list above? (second entry, 193.23.244.244)
Replies
WARREN MERCER MAY 13, 2017 AT 2:59 PM
Hi Tim,
The CCC Tor authority is indeed a CCC node, however, it is part of the indicators associated with our samples. The Tor nodes are all Tor nodes used throughout our analysis. It's also fair to say these could be specific to us as, I am sure you know, the Tor nodes are not something a user can configure.
In short - we publish all related IOCs. More information is good information.
JT TWOTEDS MAY 13, 2017 AT 2:00 AM
Thanks for a great article.
What are the attack vectors? The guardian said one vector was email. Is ESA providing any protection?
Replies
A likely point of confusion was the Jaff ransomware, another new type of ransomware (so 2 new types in 2 days) that did spread via email, used the same executable name. It’s possible this led some folks to the wrong conclusion. Many sites are including pictures of emails that are clearly Jaff. It’s also possible we’ve not seen everything yet but only time will tell. As we state in the blog it’s an ongoing investigation.
MOONSPIRIT MAY 13, 2017 AT 2:51 AM
Would the malware use the proxy server configured on the host to check the "kill switch" website? Or would it need direct access for name resolution + a HTTP GET request?
Replies
No. If a proxy is required this will effectively break the current kill switch.

BOBW MAY 13, 2017 AT 4:40 AM
PACKET84 MAY 13, 2017 AT 4:46 AM
Great effort, good work getting to the weeds of this.

RON SOM MAY 13, 2017 AT 4:56 AM
Great post, excellent work!!

Great analysis but you may want to withdraw the kill switch domain name. If not, lots of people reading your page may be tempted to query it, polluting all the maps that are keeping track of the infection ... just my 0.5

Bravo!
HERMES ROMERO MAY 13, 2017 AT 7:13 AM
good job guys!

DIMITRIOS STERGIOU MAY 13, 2017 AT 8:43 AM
This was extremely informative, thanks for the write-up

MUSSIPEDIA MAY 13, 2017 AT 9:15 AM
Hi,
Any reason why WSA is blocking kill switch domain?
Edin
Replies
CRAIG WILLIAMS MAY 13, 2017 AT 1:50 PM
The WSA operates as a proxy so it isn't going to work anyway; the call out will not use proxies.
KRYPTON MAY 13, 2017 AT 2:09 PM
Workaround for proxy networks (which have cisco routers) - adjust - DHCP scope to point to GW for DNS:
ip dns server
ip name-server
ip dns primary ns.iuquerfsodp9ifjaposdfjhgosurijfaewrwergwea.com soa admin.iuquerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 21600 900 7776000 86400 86400
ip host www.iuquerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Every single one of the IP addresses listed as cnc servers are actually just tor relays with the exception of one typo and two IP addresses for torproject.org for downloading tor.
SENSEINYC MAY 13, 2017 AT 4:12 PM
Excellent work. Thank you.