Cisco's Talos Intelligence Group Blog - Player 3 Has Entered The Game - Say Hello To 'WannaCry'

2017513 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'
SoftwareCommunities
Vulnerability
Reputation
Support Center
Information
Software BACK
F R I D AY, M AY 1 2 , 2 0 1 7
Vulnerability Information Vulnerability

Email
Snort Community
& Web Reports
TraŘc Reputation
Player 3 Has Entered the Game: Say Hello to 'WannaCry'
Microsoft
AMP
ClamAV
Threat
Community
Advisories
Naming Conventions
Reputation Center
This post was authored by Martin Lee, Warren Mercer, Paul Rascagneres, and Craig Williams.
Razorback
IP
Project
Blacklist
AspisDownload
Library Daemonlogger
AWBO
SpamCop
Exercises
Mo⸰�ow
Support Communities
PE-Sig
About
Immunet
Careers Teslacrypt Decryption Tool
MBR Filter
Blog
FIRST
LockyDump
E X E C U T I V E S U M M A RY FreeSentry
A major ransomware attack has affected manyTools

Flokibot organizations across the world reportedly
including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The
malware responsible for this attack is aSynful Knock Scanner
ransomware variant known as 'WannaCry'.
Cisco Smart Install Scanner

The malware then has the capability to scan heavily over TCP port 445 (Server Message
Block/SMB), spreading similar to a worm, compromising hosts, encrypting Řles stored on them
ROPMEMU
then demanding a ransom payment in the form of Bitcoin. It is important to note that this is not a
threat that simply scans internal ranges to identify where to spread, it is also capable of
spreading based on vulnerabilities it Řnds in other externally facing hosts across the internet.
Additionally, Talos has observed WannaCry samples making use of DOUBLEPULSAR which is a
persistent backdoor that is generally used to access and execute code on previously
compromised systems. This allows for the installation and activation of additional software,
such as malware. This backdoor is typically installed following successful exploitation of SMB
vulnerabilities addressed as part of Microsoft Security Bulletin MS17-010. This backdoor is
associated with an offensive exploitation framework that was released as part of the Shadow
Brokers cache that was recently released to the public. Since its release it has been widely
analyzed and studied by the security industry as well as on various underground hacking forums.
WannaCry does not appear to be only be leveraging the ETERNALBLUE modules associated with
this attack framework, it is simply scanning accessible servers for the presence of the
http://blog.talosintelligence.com/2017/05/wannacry.html 1/19
this attack framework, it is simply scanning accessible servers for the presence of the
DOUBLEPULSAR backdoor. In cases where it identiŘes a host that has been implanted with this
Software
Vulnerability
Reputation
Support
backdoor, it simply leverages the existing backdoorCommunities
Center
Information
functionality available and uses it to infect
the system with WannaCry. In cases where the system has not been previously compromised
and implanted with DOUBLEPULSAR, the malware will use ETERNALBLUE for the initial
Software BACK
exploitation of the SMB vulnerability. This is the cause of the worm-like activity that has been
widely observed across the internet.
Email
Snort Community
& Web Reports
TraŘc Reputation
Organizations should ensure that devices

AMP running
Microsoft
ClamAVThreat Windows
Community
Advisories are fully patched and deployed in
Naming Conventions
accordance
Reputation with best practices. Additionally, organizations should have SMB ports (139, 445)
Center
blocked from all externally accessible hosts.
Razorback
IP
Project
Blacklist
AspisDownload
AWBO
SpamCop Exercises the situation may change as we learn
Please note this threat is still under active investigation,
more or as our adversary responds to our actions. Talos will continue to actively monitor and
Mo⸰�ow
Support
analyzeCommunities
this situation for new developments and respond accordingly. As a result, new coverage
may be developed or existing coveragePE-Sig
adapted and/or modiŘed at a later date. For current
information, please refer to your Firepower Management Center or Snort.org.
About
Immunet

C A M PA I G N D E TA I L S
We observed an uptick in scanning of our internet facing honeypots starting shortly before 5am
MBR Filter
EST (9am UTC).
Blog
FIRST
LockyDump
FreeSentry
Flokibot Tools
Synful Knock Scanner
ROPMEMU
I N F R A S T R U C T U R E A N A LY S I S
Cisco Umbrella researchers Řrst observed requests for one of WannaCry's killswitch domains
(iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) starting at 07:24 UTC, then rising to a peak
of just over 1,400 nearly 10 hours later.
SoftwareCommunities
Vulnerability
Reputation
Support Center
Information
Software BACK

Email
Snort Community
& Web Reports
TraŘc Reputation
Microsoft
AMP
ClamAV
Threat
Community
Advisories
Naming Conventions
Reputation Center
The domain composition looks almostProject
Razorback
IP Blacklist
human AspisDownload
typed, with most characters falling into the top
and home rows of a keyboard.
AWBO
SpamCop
Exercises
Communication to this domain might be categorized as a kill switch domain due to its role in the
Mo⸰�ow
Support Communities
overall execution of the malware:
PE-Sig
About
Immunet
MBR Filter
Blog
FIRST
LockyDump
FreeSentry
The above subroutine attempts an HTTP GET to this domain, and if it fails, continues to carry out
Flokibot Tools
the infection. However if it succeeds, the subroutine exits. The domain is registered to a well
known sinkhole, effectively causing this sample
Synful to terminate
Knock Scanner its malicious activity.
ROPMEMU
The raw registration information re-enforces this as it was registered on 12 May 2017:
SoftwareCommunities
Vulnerability
Reputation
Support Center
Information
Software BACK
M A LWA R E A N A LY S I S
Email
Snort Community
& Web Reports
TraŘc Reputation
An initial Řle mssecsvc.exe drops and executes the Řle tasksche.exe. The kill switch domain is
then checked. Next, the service mssecsvc2.0
AMP
ClamAV isCommunity
Microsoft created.
Threat
Advisories
Naming This service executes the Řle
Conventions
Reputation Center
mssecsvc.exe with a different entry point than the initial execution. This second execution
Razorback
IP
Project
Blacklist
checks the IP address of the infected machine Aspis
andDownload
attempts to connect to port 445 TCP of each
IP address in the same subnet. When the malware successfully connects to a machine, a
AWBO
SpamCopExercises
connection is initiated and data is transferred. We believe this network traŘc is an exploit
payload. It has been widely reported this is exploiting recently disclosed vulnerabilities addressed
Mo⸰�ow
Support Communities
by Microsoft in bulletin MS17-010. We currently don't have a complete understanding of the SMB
traŘc, and exactly what conditions need to be present for it to spread using this method.
PE-Sig
About
Immunet
The Řle tasksche.exe checks for disk drives, including network shares and removable storage
devices mapped to a letter, such as 'C:/', 'D:/' etc. The malware then checks for Řles with a Řle
extension as listed in the appendix and encrypts these using 2048-bit RSA encryption. While the
Řles are being encrypted, the malware MBRcreates a new Řle directory 'Tor/' into which it drops
Filter
Blog
tor.exe and nine dll Řles used by tor.exe. Additionally, it drops two further Řles: taskdl.exe &
FIRST
taskse.exe. The former deletes temporary Řles while the latter launches @wanadecryptor@.exe
to display the ransom note on the desktop to the end user. The @wanadecryptor@.exe is not in
LockyDump
and of itself the ransomware, only the ransom note. The encryption is performed in the
background by tasksche.exe.
FreeSentry
The tor.exe Řle is executed by @wanadecryptor@.exe.

Flokibot Tools This newly executed process initiates
network connections to Tor nodes. This allows WannaCry to attempt to preserve anonymity by
proxying their traŘc through the Tor network.

Typical of other ransomware variants, the malware also deletes any shadow copies on the
victim's machine in order to make recovery more diŘcult. It achieve this by using WMIC.exe,
ROPMEMU
vssadmin.exe and cmd.exe.
WannaCry uses various methods to attempt to aid its execution by leveraging both attrib.exe to
modify the +h ⸰�ag (hide) and also icacls.exe to allow full access rights for all users, "icacls .
modify the +h ⸰�ag (hide) and also icacls.exe to allow full access rights for all users, "icacls .
/grant Everyone:F /T /C /Q"
SoftwareCommunities
Vulnerability
Reputation
Support Center
Information
The malware has been designed as a modular service. It appears to us that the executable Řles
associated with the ransomware have been written by a different individual than whomever
Software
developed the service module. Potentially, thisBACK
means that the structure of this malware can be
used to deliver and run different malicious payloads.
Email
Snort Community
& Web Reports
TraŘc Reputation
After encryption is complete, the malware displays the following ransomware note. One
Microsoft
AMP
ClamAVThreat
Community
Advisories
Naming Conventions
interesting aspect of this ransomware variant is that the ransom screen is actually an executable
Reputation Center
and not an image, HTA Řle, or text Řle.
Razorback
IP
Project
Blacklist
AspisDownload
AWBO
SpamCop
Exercises
Mo⸰�ow
Support Communities
PE-Sig
About
Immunet
MBR Filter
Blog
FIRST
LockyDump
FreeSentry
Flokibot Tools
ROPMEMU
Organisations should be aware that there is no obligation for criminals to supply decryption keys
following the payment of a ransom. Talos strongly urges anyone who has been compromised to
avoid paying the ransom if possible as paying the ransom directly funds development of these
malicious campaigns.
M I T I G AT I O N A N D P R E V E N T I O N
Organizations looking to mitigate the risk of becoming compromised should follow the following
recommendations:
Ensure all Windows-based systems are fully patched. At a very minimum, ensure
Microsoft bulletin MS17-010 has been applied.
In accordance with known best practices, any organization who has SMB publically
accessible via the internet (ports 139, 445) should immediately block inbound traŘc.
Additionally, organizations should strongly consider blocking connections to TOR nodes and TOR
traŘc on network. Known TOR exit nodes are listed within the Security Intelligence feed of ASA
SoftwareCommunities
Vulnerability
Reputation
Support Center
Information
Firepower devices. Enabling this to be blacklisted will prevent outbound communications to TOR
networks.
Software BACK
In addition to the mitigations listed above, Talos strongly encourages organizations take the
following industry-standard
Vulnerability Information recommendedVulnerability
Email
Snort Community
& Web
best Reports
TraŘc Reputation
practices to prevent attacks and campaigns like
this and similar ones.
Microsoft
AMP
ClamAVThreat
Community
Advisories
Naming Conventions
Reputation Center
Ensure your organization is running
IP an actively
Razorback
Project
Blacklist
Aspis supported operating system that
Download
receives security updates.
AWBO
SpamCop
Have effective patch management that Exercises
deploys security updates to endpoints and
other critical parts of your infrastructure in a timely manner.
Mo⸰�ow
Support Communities
Run anti-malware software on your system and ensure you regularly receive malware
signature updates.
PE-Sig
About Implement a disaster recovery plan that includes backing up and restoring data from
devices that are kept o跸�ine. Adversaries
Immunetfrequently target backup mechanisms to
limit the possibilities a user may be able to restore their Řles without paying the
Careersransom. Teslacrypt Decryption Tool
CO V E R A G E MBR Filter
Snort Rule: 42329-42332, 42340, 41978
Blog
FIRST
Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest
LockyDump
rule pack available for purchase on Snort.org.
FreeSentry
Additional ways our customers can detect and block this threat are listed below.
Flokibot Tools
Advanced Malware Protection
Synful Knock Scanner (AMP) is ideally suited to prevent
the execution of the malware used
by these threat actors.
ROPMEMU
CWS or WSA web scanning
prevents access to malicious
websites and detects malware
used in these attacks.
The Network Security protection

of IPS and NGFW have up-to-date
signatures to detect malicious
network activity by threat actors.
AMP Threat Grid helps identify

malicious binaries and build
protection into all Cisco Security
products.
Umbrella prevents DNS resolution of the domains associated with malicious activity.
SoftwareCommunities
Vulnerability
Reputation
Support Center
Information
IoCs
Software BACK
File names
Email
Snort Community
& Web Reports
TraŘc Reputation
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
b.wnry
Microsoft
AMP
ClamAVThreat
Community
Advisories
Naming Conventions
055c7760512c98c8d51e4427227fe2a7ea3b34ee63178fe78631fa8aa6d15622
Reputation Center
c.wnry
Razorback
IP
Project
Blacklist
Aspis
Download
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c r.wnry
AWBO
SpamCop Exercises
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b s.wnry
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
Mo⸰�ow
taskdl.exe
Support Communities
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
PE-Sig
taskse.exe
About
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6
Immunet
t.wnry
Careersb9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
Teslacrypt Decryption Tool
u.wnry
MBR Filter
Blog
CnC IPs FIRST
188[.]166[.]23[.]127:443
LockyDump
193[.]23[.]244[.]244:443
2[.]3[.]69[.]209:9001 FreeSentry
146[.]0[.]32[.]144:9001
50[.]7[.]161[.]218:9001 Flokibot Tools
217.79.179[.]77
128.31.0[.]39
213.61.66[.]116 Cisco Smart Install Scanner
212.47.232[.]237
ROPMEMU
81.30.158[.]223
79.172.193[.]32
89.45.235[.]21
38.229.72[.]16
188.138.33[.]220
Observed hash values

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9
09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
0a73291ab5607aef7db23863cf8e72f55bcb3c273bb47f00edf011515aeb5894
428f22a9afd2797ede7c0583d34a052c32693cbb55f567a60298587b6e675c6f
5c1f4f69c45cff9725d9969f9ffcf79d07bd0f624e06cfa5bcbacd2211046ed6
62d828ee000e44f670ba322644c2351fe31af5b88a98f2b2ce27e423dcf1d1b1
62d828ee000e44f670ba322644c2351fe31af5b88a98f2b2ce27e423dcf1d1b1
72af12d8139a80f317e851a60027fdf208871ed334c12637f49d819ab4b033dd
SoftwareCommunities
Vulnerability
Reputation
Support Center
Information
85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186
a1d9cd6f189beff28a0a49b10f8fe4510128471f004b3e4283ddc7f78594906b
Software
a93ee7ea13238bd038bcbec635f39619db566145498fe6e0ea60e6e76d614bd3
BACK
b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c
Vulnerability
Email
Snort Community
& Web Reports
TraŘc Reputation
eb47cd6a937221411bb8daf35900a9897fb234160087089a064066a65f42bcd4
Vulnerability Information
24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
Microsoft
AMP
ClamAVThreat
Community
Advisories
Naming Conventions
2c2d8bc91564050cf073745f1b117f4ffdd6470e87166abdfcd10ecdff040a2e
Reputation Center
7a828afd2abf153d840938090d498072b7e507c7021e4cdd8c6baf727cafc545
Razorback
IP
Project
Blacklist
AspisDownload
a897345b68191fd36f8cefb52e6a77acb2367432abb648b9ae0a9d708406de5b
AWBO
SpamCopExercises
fb0b6044347e972e21b6c376e37e1115dab494a2c6b9fb28b92b1e45b45d0ebc
9588f2ef06b7e1c8509f32d8eddfa18041a9cc15b1c90d6da484a39f8dcdf967
Mo⸰�ow
Support Communities
b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c
4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982
PE-Sig
About 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
Immunet
Appendix MBR Filter

Blog
List of Řle names encrypted by the ransomware:
FIRST
LockyDump
.der, .pfx, .key, .crt, .csr, FreeSentry

.p12, .pem, .odt, .sxw, .stw, .3ds, .max,
.3dm, .ods, .sxc, .stc, .dif, .slk, .wb2, .odp, .sxd, .std, .sxm, .sqlite3,
.sqlitedb, .sql, .accdb, .mdb, .dbf,Tools
Flokibot .odb, .mdf, .ldf, .cpp, .pas, .asm,
.cmd, .bat, .vbs, .sch, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav,
.swf, .fla, .wmv, .mpg, .vob, Synful
.mpeg, .asf,
Knock .avi, .mov, .mp4, .mkv, .flv,
Scanner
.wma, .mid, .m3u, .m4u, .svg, .psd, .tiff, .tif, .raw, .gif, .png, .bmp,
.jpg, .jpeg, .iso, .backup, .zip,
Cisco .rar, .tgz,Scanner
Smart Install .tar, .bak, .ARC, .vmdk,
.vdi, .sldm, .sldx, .sti, .sxi, .dwg, .pdf, .wk1, .wks, .rtf, .csv, .txt,
.msg, .pst, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx,
ROPMEMU
.xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotm, .dot, .docm,
.docx, .doc,
P O S T E D B Y A L E X A N D E R C H I U AT 6 : 0 9 P M
L A B E L S : C O V E R A G E , M A LWA R E R E S E A R C H , M S 1 7- 0 1 0 , R A N S O M WA R E
SHARE THIS POST
43 COMMENTS:
LESLIE ADAMS MAY 12,

http://blog.talosintelligence.com/2017/05/wannacry.html 2017 AT 6:32 PM 8/19
LESLIE ADAMS MAY 12, 2017 AT 6:32 PM
Cracking bit of work guys :) Support Communities

Software
Vulnerability
Reputation Center
Information
Reply
Software BACK
SIMPLE#CSS Vulnerability
Email
Snort
MAY 12, 2017 AT 6:38 Community
& Web Reports
PM TraŘc Reputation
Microsoft
AMP
ClamAV
Threat
Community
Advisories
Naming Conventions
Are you guys aware of Meraki's coverage of this threat?
Reputation Center
Project
Razorback
IP Blacklist
AspisDownload
Reply
Library SpamCop
Daemonlogger
AWBO Exercises
Replies
Mo⸰�ow
Support Communities
CRAIG WILLIAMS MAY 13, 2017 AT 8:48 AM
PE-Sig
About Meraki's security devices run snort, AMP, and Umbrella, the coverage is outlined
above. Immunet

Reply
MBR Filter
Blog
FIRST
LockyDump
MAIQUEL MAY 12, 2017 AT 6:44 PM
FreeSentry
Nice post.
Tks. Flokibot Tools
Reply Synful Knock Scanner
UNKNOWN MAY 12, 2017 AT 7:34 PM

ROPMEMU
Wunderbar !
Reply
UNKNOWN MAY 12, 2017 AT 7:34 PM
Wunderbar !
Reply
PABLO SEBASTIÁN VELAZCO MAY 12, 2017 AT 7:50 PM
Excellent post, thank you.

Excellent post, thank you.
Reply Support Communities

Software
Vulnerability
Reputation Center
Information
Software BACK
ABOOD NOUR MAY 12, 2017 AT 7:52 PM
BestInformation
Vulnerability analysis so far! Thanks! Snort Community
Vulnerability
Email & Web Reports
TraŘc Reputation
Reply ClamAV
Microsoft
AMP Threat
Community
Advisories
Naming Conventions
Reputation Center
Project
Razorback
IP Blacklist
AspisDownload
Library CERBDOG MAY 12, 2017 AT 8:35SpamCop

PM
Daemonlogger
AWBO Exercises
That was an interesting read. Thanks

Mo⸰�owfor digging into it and posting for us.
Support Communities
Reply PE-Sig
About
Immunet
K P MAY 12, 2017 AT 9:07 PM
Well done!
MBR Filter
Blog
Reply
FIRST
LockyDump
MARIONFSU MAY 12, 2017 AT 9:32 PM
FreeSentry
Always articulate!
Flokibot Tools
Reply
ADAM ZUBER MAY 12, 2017 AT Cisco

10:50 Smart
PM Install Scanner
ROPMEMU
Great work!
Reply
ALEJO MAY 12, 2017 AT 11:18 PM
Excelent reverse engineering work
Reply
AGUNLETI ALIU MAY 13, 2017 AT 12:50 AM
Excellent analysis. Thumbs up guys.
Reply
Support Communities
Software
Vulnerability
Reputation Center
Information
TIM WOOLFORD MAY 13, 2017 AT 1:39 AM
Software BACK
Can you elaborate why a CCC ToR authority network address is in the CnC list above?
(second
Vulnerability entry, 193.23.244.244)Snort
Information Vulnerability
Email Community
& Web Reports
TraŘc Reputation
Reply ClamAV
Microsoft
AMP Threat
Community
Advisories
Naming Conventions
Reputation Center
Replies Project
Razorback
IP Blacklist
AspisDownload
Library
WARREN MERCER MAYSpamCop
Daemonlogger
AWBO Exercises
13, 2017 AT 2:59 PM
Mo⸰�ow
Support Communities
Hi Tim,
PE-Sig
The CCC Tor authority is indeed a CCC node, however, it is part of the indicators
About
associated with our samples.
ImmunetThe Tor nodes are all Tor nodes used throughout
our analysis. It's also fair to say these could be speciŘc to us as, I am sure you
Careers know, the Tor nodes areTeslacrypt Decryption
not something a userTool
can conŘgure.
MBR Filter
Blog In short - we publish all related IOCs. More information is good information.
FIRST
Reply
LockyDump
FreeSentry
Flokibot Tools
JT TWOTEDS MAY 13, 2017 AT 2:00 AM
Thanks for a great article.
What are the attack vectors? The guardian said one vector was email. Is ESA providing
ROPMEMU
any protection?
Reply
Replies
A likely point of confusion was the Jaff ransomeware, another new type of
ransomware (so 2 new types in 2 days) that did spread via email, used the
same executable name. It’s possible this lead some folks to the wrong
conclusion. Many sites are including pictures of emails that are clearly Jaff. It’s
also possible we’ve not seen everything yet but only time will tell. As we state in
the blog it’s an ongoing investigation.
Reply
Support Communities
Software
Vulnerability
Reputation Center
Information
Software BACK
JAMES ARNOLD WAITHE MAY 13, 2017 AT 2:10 AM

Vulnerability Information Snort Community
Vulnerability
Email & Web Reports
TraŘc Reputation
Amazing analysis, Thanks
ClamAV
Microsoft
AMP Threat
Community
Advisories
Naming Conventions
Reputation Center
Reply
Project
Razorback
IP Blacklist
AspisDownload
AWBO
SpamCop
Exercises
MOONSPIRIT MAY 13, 2017 AT 2:51 AM
Mo⸰�ow
Support Communities
Would the malware use the proxy server conŘgured on the host to check the "kill switch"
website? or would it need directPE-Sig
access for name resolution + a HTTP GET request?
About
Reply Immunet

Replies
MBR Filter
Blog CRAIG WILLIAMS MAY 13, 2017 AT 10:12 AM
FIRST
No. If a proxy is required this will effectively break the current kill switch.
LockyDump
Reply
FreeSentry
Flokibot Tools

BF MAY 13, 2017 AT 3:01 AM
Keep posting, good job.
ROPMEMU
Reply
JORIBEIR MAY 13, 2017 AT 3:34 AM
Great post! Kudos to you!
Reply
LUCIANO PATRÃO MAY 13, 2017 AT 4:22 AM
Great post, great work.
Reply
Reply
Support Communities
Software
Vulnerability
Reputation Center
Information
BOBW MAY 13, 2017 AT 4:40 AM
SoftwareThe registering of the domain to kill the

BACK
spread of the virus was the work of someone at a
Malware company - see
Vulnerability
Email
Snort Community
& Web Reports
TraŘc Reputation
https://www.theguardian.com/technology/2017/may/13/accidental-hero-Řnds-kill-
switch-to-stop-spread-of-ransomware-cyber-attack
Microsoft
AMP
ClamAVThreat
Community
Advisories
Naming Conventions
Reputation Center
Reply
Razorback
IP
Project
Blacklist
AspisDownload
AWBO
SpamCop
Exercises
PACKET84 MAY 13, 2017 AT 4:46 AM
Mo⸰�ow
Support Communities
Great effort, good work getting to the weeds of this.
PE-Sig
About Reply
Immunet
Careers
RON SOM MAY 13, 2017 AT 4:56Teslacrypt
AM Decryption Tool
MBR Filter
Blog Great post, excellent work!!
FIRST
Reply
LockyDump
UNKNOWN MAY 13, 2017 AT 6:21 AM

FreeSentry
Flokibot
Great analysis but you may want Tools the kill switch domain name. If not, lots of
to withdraw
people reading your page may be tempted to query it, polluting all the maps that are
keeping track of the infection ...Synful Knock
just my 0.5 Scanner

Reply
ROPMEMU
Replies
Thanks but we want it in there so people understand what to allow.
Reply
JOSEPH DONOVAN MAY 13, 2017 AT 7:05 AM
Bravo!
Reply
Support Communities
Software
Vulnerability
Reputation Center
Information
HERMES ROMERO MAY 13, 2017 AT 7:13 AM
Software BACK
good job guys!
Vulnerability
Email & Web Reports
TraŘc Reputation
Reply
ClamAV
Microsoft
AMP Threat
Community
Advisories
Naming Conventions
Reputation Center
DIMITRIOS STERGIOU MAY 13, Project
Razorback
IP Blacklist
2017 ATAspisDownload
8:43 AM
AWBO
SpamCopExercises
This was extremely informative, thanks for the write-up
Mo⸰�ow
Support Reply
Communities
PE-Sig
About
MUSSIPEDIA MAY 13, 2017 AT 9:15 AM
Immunet
Careers Great Analysis Teslacrypt Decryption Tool
Reply MBR Filter

Blog
FIRST
ING. ORLANDO HERNANDEZ CRUZ MAY 13, 2017 AT 11:41 AM
LockyDump
Good job guys, great post. Congrats.

FreeSentry
Reply Flokibot Tools

BTELLEZ MAY 13, 2017 AT 11:47 AM
Umbrella is currently blocking the kill switch. Should it be allowed?
ROPMEMU
Reply
Replies
No it's designed so the killswitch still functions.
Reply
EDIN SULJEVIC MAY 13, 2017 AT 12:32 PM

EDIN SULJEVIC MAY 13, 2017 AT 12:32 PM
Hi,
Support Communities
Software
Vulnerability
Reputation Center
Information
Any reason why WSA is blocking kill switch domain?
Software BACK
Edin
Vulnerability
Email & Web Reports
TraŘc Reputation
Reply
ClamAV
Microsoft
AMP Threat
Community
Advisories
Naming Conventions
Reputation Center
Replies
Project
Razorback
IP Blacklist
AspisDownload
CRAIG WILLIAMS MAY 13, 2017 AT 1:50 PM
AWBO
SpamCopExercises
The WSA operates as a proxy so it isn't going to work anyway, the call out will
not use proxies. Mo⸰�ow
Support Communities
PE-Sig
About Reply
Immunet
MBR Filter
Blog KRYPTON MAY 13, 2017 AT 2:09 PM
FIRST
Workaround for proxy networks (which have cisco routers) - adjust - DHCP scope to point
to GW for DNS: LockyDump
FreeSentry
ip dns server
ip name-server Flokibot Tools
ip dns primary ns.iuquerfsodp9ifjaposdfjhgosurijfaewrwergwea.com soa
admin.iuquerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Synful Knock Scanner 21600 900 7776000 86400
86400
ip host www.iuquerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
ROPMEMU
Reply
0X34H MAY 13, 2017 AT 2:31 PM
Awesome analysis, thank you
Reply
ALICE MAY 13, 2017 AT 2:41 PM
Every single one of the IP addresses listed as cnc servers are actually just tor relays with
the exception of one typo and two IP addresses for torproject.org for downloading tor.
Reply
Reply
Replies Support Communities

Software
Vulnerability
Reputation Center
Information
WARREN MERCER MAY 13, 2017 AT 3:10 PM
Software BACK
Hi Alice,
Did you not bring Bob toSnort
Vulnerability Information backCommunity
&up your
Vulnerability
Email Web story?
Reports
TraŘc :)
Reputation
Seriously though - the malware used Tor nodes to proxy their traŘc. It's entirely
Microsoft
AMP
ClamAV
fair to say these may never Threat
beCommunity
Advisories
Naming
used Conventionswith this malware again,
in conjunction
Reputation Center
sure. In light of the network indicators we discover we like to publish everything.
Razorback
IP
Project
Blacklist
Aspis
Download
The sanity of the blog is for us to decide ;)
Library SpamCop
Daemonlogger
AWBO Exercises
Reply
Mo⸰�ow
Support Communities
PE-Sig
About
Immunet
SENSEINYC MAY 13, 2017 AT 4:12 PM
Excellent work. Thank you.
MBR Filter
Blog
Reply
FIRST
LockyDump
Enter your comment... FreeSentry
Flokibot Tools
Comment as: Synful Knock Scanner

Fabio Alexandre (Google) Sign out

Publish Preview Notify me
ROPMEMU
POST A COMMENT
HOME OLDER POST
S U B S C R I B E T O : P O S T C O M M E N T S ( AT O M)
SUBSCRIBE TO OUR FEED

Support Communities
Software
Vulnerability
Reputation Center
Information
Posts
Software BACK
Comments

Vulnerability
Email & Web Reports
TraŘc Reputation
Subscribe via Email
ClamAV
Microsoft
AMP Threat
Community
Advisories
Naming Conventions
Reputation Center
Project
Razorback
IP Blacklist
AspisDownload
BLOG ARCHIVE
Library SpamCop
Daemonlogger
AWBO Exercises
▼ 2 0 1 7 (67)
▼ M A Y (10) Mo⸰�ow
Support Communities
Player 3 Has Entered the Game: Say Hello to 'Wanna...
Threat Round-up for May 05 - May 12 PE-Sig
AboutJaff Ransomware: Player 2 Has Entered The Game
Immunet
Vulnerability Spotlight: Hangul Word Processor Rem...
Microsoft Patch Tuesday - May 2017
Vulnerability Spotlight: WolfSSL library X.509 Cer...
Vulnerability Spotlight: Power Software PowerISO I...
MBR Filter
Blog Vulnerability Spotlight: AntennaHouse DMC Library ...
FIRST
Gmail Worm Requiring You To Give It A Push And App...
KONNI: A Malware Under The Radar For Years
LockyDump
► A P R I L (17)
► M A R C H (17) FreeSentry

► F E B R U A R Y (12)
► J A N U A R Y (11) Flokibot Tools
► 2 0 1 6 (98) Synful Knock Scanner

► 2 0 1 5 (62)
► 2 0 1 4 (67) Cisco Smart Install Scanner
► 2 0 1 3 (30)
ROPMEMU
► 2 0 1 2 (53)
► 2 0 1 1 (23)
► 2 0 1 0 (93)
► 2 0 0 9 (146)
► 2 0 0 8 (37)
RECOMMENDED BLOGS
SNORT BLOG
WannaCry Snort coverage
CISCO BLOG
Player 3 Has Entered the Game: Say Hello to ‘WannaCry’
CLAMAV® BLOG
End-of-life announcement for clamav in stable and oldstable
Support Communities
Software
Vulnerability
Reputation Center
Information
Software BACK

Vulnerability
Email & Web Reports
TraŘc Reputation
ClamAV
Microsoft
AMP Threat
Community
Advisories
Naming Conventions
Reputation Center
Project
Razorback
IP Blacklist
Aspis
Software
Download
Library Reputation Center

Daemonlogger
AWBO
SpamCopExercises
Mo⸰�ow
Library
Support Communities
Support Communities
PE-Sig
Microsoft Advisory Snort Rules
About
ImmunetDownload
IP Blacklist
AWBO Exercises
About Talos
MBRCareers
Filter
Blog
Blog
FIRST
LockyDump
CONNECT WITH US
FreeSentry
Flokibot Tools

© 2017 Cisco Systems, Inc. and/or its affiliates. All rights reserved. View our Privacy Policy here.
ROPMEMU
Support Communities
Software
Vulnerability
Reputation Center
Information
BACK
Snort Community
Vulnerability
Email & Web Reports
TraŘc Reputation
ClamAV
Microsoft
AMP Threat
Community
Advisories
Naming Conventions
Project
Razorback
IP Blacklist
AspisDownload
SpamCop
Daemonlogger
AWBO Exercises
Mo⸰�ow
PE-Sig
Immunet
Teslacrypt Decryption Tool
MBR Filter
FIRST
LockyDump
FreeSentry
Flokibot Tools
ROPMEMU

Cisco's Talos Intelligence Group Blog - Player 3 Has Entered The Game - Say Hello To 'WannaCry'

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Cisco's Talos Intelligence Group Blog - Player 3 Has Entered The Game - Say Hello To 'WannaCry'

Uploaded by

Copyright:

Available Formats

2017­5­13 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'

Vulnerability Information Vulnerability

Careers Teslacrypt Decryption Tool

A major ransomware attack has affected manyTools

Cisco Smart Install Scanner

Organizations should ensure that devices

Careers Teslacrypt Decryption Tool

Synful Knock Scanner

Cisco Smart Install Scanner

Vulnerability Information Vulnerability

Careers Teslacrypt Decryption Tool

Cisco Smart Install Scanner

The tor.exe Řle is executed by @wanadecryptor@.exe.

Cisco Smart Install Scanner

Careers Teslacrypt Decryption Tool

Synful Knock Scanner

Cisco Smart Install Scanner

The Network Security protection

AMP Threat Grid helps identify

Observed hash values

Careers Teslacrypt Decryption Tool

Appendix MBR Filter

.der, .pfx, .key, .crt, .csr, FreeSentry

SHARE THIS POST

LESLIE ADAMS MAY 12,

LESLIE ADAMS MAY 12, 2017 AT 6:32 PM

Cracking bit of work guys :) Support Communities

Careers Teslacrypt Decryption Tool

Reply Synful Knock Scanner

Cisco Smart Install Scanner

UNKNOWN MAY 12, 2017 AT 7:34 PM

UNKNOWN MAY 12, 2017 AT 7:34 PM

PABLO SEBASTIÁN VELAZCO MAY 12, 2017 AT 7:50 PM

Excellent post, thank you.

Reply Support Communities

Library CERBDOG MAY 12, 2017 AT 8:35SpamCop

That was an interesting read. Thanks

ADAM ZUBER MAY 12, 2017 AT Cisco

ALEJO MAY 12, 2017 AT 11:18 PM

Excelent reverse engineering work

AGUNLETI ALIU MAY 13, 2017 AT 12:50 AM

Excellent analysis. Thumbs up guys.

CRAIG WILLIAMS MAY 13, 2017 AT 9:55 AM

JAMES ARNOLD WAITHE MAY 13, 2017 AT 2:10 AM

Careers Teslacrypt Decryption Tool

Synful Knock Scanner

JORIBEIR MAY 13, 2017 AT 3:34 AM

Great post! Kudos to you!

LUCIANO PATRÃO MAY 13, 2017 AT 4:22 AM

Great post, great work.

SoftwareThe registering of the domain to kill the

UNKNOWN MAY 13, 2017 AT 6:21 AM

Cisco Smart Install Scanner

CRAIG WILLIAMS MAY 13, 2017 AT 11:49 AM

Thanks but we want it in there so people understand what to allow.

JOSEPH DONOVAN MAY 13, 2017 AT 7:05 AM

Careers Great Analysis Teslacrypt Decryption Tool

Reply MBR Filter

Good job guys, great post. Congrats.

Reply Flokibot Tools

Synful Knock Scanner

CRAIG WILLIAMS MAY 13, 2017 AT 11:48 AM

No it's designed so the killswitch still functions.

2017513 Cisco's Talos Intelligence Group Blog: Player 3 Has Entered the Game: Say Hello to 'WannaCry'