waysms17-010

ms17-010  Date: 2021-05-19
#WannaCry Report

Content

Executive Report
Characteristics
Attack Description
  1.1 Infection Vectors
  1.2 Interactions With The Affected System
  1.3 Distribution Process
    1.3.1 Replication Across The Internal Network
    1.3.2 Replication Across The Internet
    1.3.3 EternalBlue Exploit
  1.4 Computer Encryption Process
Recommendations
Appendix A – Related Files
Appendix B - Cc List Of Decrypter
Appendix C - List Of Bitcoin Payment Addresses
Appendix D - List Of Command Lines
Appendix E - List Of Files
Appendix F - Persistence
Appendix G – Mutexes Created During Encryption
Appendix H - Extension Encrypted By The Analyzed Sample

Panda Security
May, 15th 2017
Confidential Information

EXECUTIVE REPORT

This document contains the results of a preliminary analysis of the large-scale cyber-attack that has affected several countries around the world with various samples of the WannaCry ransomware family.

This ransomware is designed to encrypt all files it finds on the target computer's hard drive, demanding a ransom to decrypt them.

After the preliminary analysis, we can confirm that the attack launched on May 12 used more than 700 different malware strains in order to encrypt files with various extensions.

This malware variant contains code designed to exploit the vulnerability patched by Microsoft on March 14, described in security bulletin MS17-010 and known as ETERNALBLUE.

WannaCry scans both the internal and external network of target organizations, connecting to port 445 (SMB) and searching for unpatched computers in order to infect them (similarly to a computer worm). To do this, it uses a variant of the DOUBLEPULSAR backdoor.

Up to this point, every targeted computer has been attacked by using the exploit ETERNALBLUE, that is, the infection comes from another computer on the same network.

Up to this point, no email has been found suggesting that the attack may originate from a massive spam campaign.

CHARACTERISTICS

These are the main components of the attack:

- File with hash DB349B97C37D22F5EA1D1841E3C89EB4. It has the functionality of a network worm and leverages the ETERNALBLUE Windows vulnerability.
- File with hash 84c82835a5d21bbcf75a61706d8ab549. This file is designed to encrypt the user's files.

Below we list some of the static properties of the network worm component:

MD5:            DB349B97C37D22F5EA1D1841E3C89EB4
SHA1:           e889544aff85ffaf8b0d0da705105dee7c97fe26
Size:           3.723.264 bytes
Internal date:  20/11/2010 10:03
Compiler:       Microsoft Visual C++ 6.0

The malicious code analyzed does not use obfuscation algorithms, or implement virtual machine detection or debugger detection techniques.

Below we list the sections it contains:

Name     Size (bytes)   Size %   Entropy
.text    36.864         0,99     6,25
.rdata   4.096          0,11     5,1
.data    159.744        4,29     7,97
.rsrc    3.518.464      94,58    4

And its resources:

Name         Type         Size        MD5
R            PE 32 bits   3.514.368   84c82835a5d21bbcf75a61706d8ab549
RT_VERSION   Metadata     944         1ebdc36976dd611e1a9e221a88e6858e

Below we list the properties of the PE file found in the resources of the analyzed sample:

MD5:            84c82835a5d21bbcf75a61706d8ab549
Size:           3.514.368 bytes
Internal date:  20/11/2010 10:05
Compiler:       Microsoft Visual C++ 6.0
Details:        ZIP archive with password "WNcry@2ol7"

The second file is a password-protected self-extracting ZIP archive (password: "WNcry@2ol7"), containing the following files:

Name         Size (bytes)   Modified
msg          1.329.657      2017-05-11
b.wnry       1.440.054      2017-05-11
c.wnry       780            2017-05-11
r.wnry       864            2017-05-09
s.wnry       3.038.286      2017-05-11
t.wnry       65.816         2017-05-11
taskdl.exe   20.480         2017-05-11
taskse.exe   20.480         2017-05-11
u.wnry       245.760        2017-05-11

The 'msg' folder of the ZIP file contains the following files. These files contain the text strings (in various languages) of the user interface used to demand the payment:

m_bulgarian.wnry
m_chinese (simplified).wnry
m_chinese (traditional).wnry
m_croatian.wnry
m_czech.wnry
m_danish.wnry
m_dutch.wnry
m_english.wnry
m_filipino.wnry
m_finnish.wnry
m_french.wnry
m_german.wnry
m_greek.wnry
m_indonesian.wnry
m_italian.wnry
m_japanese.wnry
m_korean.wnry
m_latvian.wnry
m_norwegian.wnry
m_polish.wnry
m_portuguese.wnry
m_romanian.wnry
m_russian.wnry
m_slovak.wnry
m_spanish.wnry
m_swedish.wnry
m_turkish.wnry
m_vietnamese.wnry

ATTACK DESCRIPTION

1.1. Infection vectors

Up to this point, all cases analyzed show the following behavior: the malicious code gets run on the target computer remotely by means of the ETERNALBLUE exploit and a modification of the DOUBLEPULSAR backdoor. This way, WannaCry manages to inject code into the operating system's LSASS process.

ETERNALBLUE takes advantage of the SMB vulnerability addressed by Microsoft in security bulletin MS17-010 to spread across the internal network, connecting to port TCP 445 of unpatched systems.

1.2. Interactions with the affected system

The first component to run is the network worm, which attempts to connect to the following URL:

http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

If the domain is active, the worm doesn't take any additional actions and stops running. However, if it can't establish a connection, it continues to run, registers itself as a service on the target computer and launches the service.

The service description is as follows:

Service Name:   mssecsvc2.0
Description:    Microsoft Security Center (2.0) Service
Path:           %WINDIR%\mssecsvc.exe
Command Line:   %s -m security

In addition to installing itself as a service, WannaCry extracts the 'R' resource, which corresponds to the ransomware's PE executable file that encrypts the user's data (MD5: 84c82835a5d21bbcf75a61706d8ab549), and copies it to "C:\WINDOWS\tasksche.exe". Then, it runs it with the following parameters:

Command line: C:\WINDOWS\tasksche.exe /i

NOTE: Should file "C:\WINDOWS\tasksche.exe" exist, it moves it to C:\WINDOWS\qeriuwjhrf. This is probably done to support multiple infections and avoid problems creating 'tasksche.exe'.

Finally, it creates the following entry in the Windows registry to make sure it runs every time the computer is restarted, by means of the following command:

reg.exe:  reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "mzaiifkxcyb819" /t REG_SZ /d "\"C:\WINDOWS\tasksche.exe\"" /f

NOTE: The value name is generated randomly.

Once the ransomware component (tasksche.exe) is run, it copies itself to a folder with a random name in the COMMON_APPDATA directory of the affected computer. It then tries to achieve persistence by adding itself to the computer's autorun feature:

reg.exe add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "RANDOM_CHARS" /t REG_SZ /d '\'C:\ProgramData\FOLDER\tasksche.exe\'' /f

Next, the ransomware takes the following actions:

- Uses Windows' "icacls" command to have full access to all files on the target system:
    icacls . /grant Everyone:F /T /C /Q
- Deletes all backup copies (shadow copies) it finds on the system, in the following two ways:
    vssadmin.exe:  vssadmin delete shadows /all /quiet
    WMIC.exe:      wmic shadowcopy delete
- Prevents the computer from being booted in Safe Mode:
    bcdedit.exe:   bcdedit /set {default} bootstatuspolicy ignoreallfailures
    bcdedit.exe:   bcdedit /set {default} recoveryenabled no
- Deletes all backup catalogs:
    wbadmin.exe:   wbadmin delete catalog -quiet
- Creates an entry in the Windows registry pointing to the folder that contains the ransomware:
    [HKEY_CURRENT_USER\Software\WanaCrypt0r]
- Hides the recycle bin using the ATTRIB command:
    attrib +h +s c:\$RECYCLE
- Using cmd and the echo command, it creates a VBS script to generate a .lnk file pointing to the file decrypter:
    SET ow = WScript.CreateObject("WScript.Shell")
    SET om = ow.CreateShortcut("C:\@WanaDecryptor@.exe.lnk")
    om.TargetPath = "C:\@WanaDecryptor@.exe"
    om.Save

Finally, WannaCry attempts to kill many database processes in order to be able to access and encrypt database files:

'taskkill.exe /f /im mysqld.exe'
'taskkill.exe /f /im sqlwriter.exe'
'taskkill.exe /f /im sqlserver.exe'
'taskkill.exe /f /im MSExchange*'
'taskkill.exe /f /im Microsoft.Exchange.*'

1.3. Distribution process

This malware has worm capabilities, meaning that it tries to spread across the network. To do that, it takes advantage of the EternalBlue (MS17-010) vulnerability in order to spread to all unpatched computers.

It is worth noting that the worm not only looks for target computers on the local network of the target machine, but also scans public IP addresses on the Internet.

All of these actions are performed by the service that the malware installs after being run (refer to the 'Persistence' appendix for more information about the service name).

Once the service has been installed and run, WannaCry creates two threads to replicate itself to other systems. The function that launches these two threads is as follows:

First, the function tries to obtain the DLL stub library that WannaCry will use to generate the payload sent to the targeted computers. The malware is appended to this stub library.

This DLL contains a function called "PlayGame", which extracts and runs the resource included in the DLL itself (the malware). That is, calling the 'PlayGame' function is what triggers the machine infection.

This DLL doesn't 'touch' the hard disk, meaning that it is directly injected into the operating system's LSASS process after leveraging the EternalBlue exploit on the compromised computer.

1.3.1. Replication across the internal network

Below you can see the function used to replicate WannaCry across the local network of the affected computer:

This function's task is to obtain information about the local network adapter, and generate IP addresses within its network range to launch the thread that will launch the exploit and inject the payload into the operating system's LSASS process.

1.3.2. Replication across the Internet

The function used to replicate WannaCry across the Internet generates random IP address ranges:

Then, once it has generated the IP addresses, it launches the exploit with the following code:

As you can see, both when WannaCry attempts to spread across the internal network and when it tries to spread across the Internet, it calls the RUN_ETERNAL_BLUE function, whose job is to distribute the exploit.

1.3.3. EternalBlue Exploit

As mentioned previously, this malware uses this exploit in order to propagate. During the analysis, we observed how it uses exactly the same code as used by the NSA in its implants. The only difference is that it doesn't have to use DoublePulsar, as the aim is simply to inject itself into the LSASS process.

The EternalBlue payload code is unchanged:

When compared with previous analyses, you can see how the opcode is identical. It makes the same calls to the functions, in order to inject the DLL sent in the LSASS process and execute the "PlayGame" function with which the infection process is launched again from the compromised computer to attack other network computers.

As it uses a kernel-code exploit (ring 0), all operations performed by the malware have SYSTEM privileges.

1.4. Computer encryption process

Before encrypting the computer, the ransomware checks for the existence of three mutexes (below). If any of them are present on the system, the malware doesn't encrypt any data:

'Global\MsWinZonesCacheCounterMutexA'
'Global\MsWinZonesCacheCounterMutexW'
'MsWinZonesCacheCounterMutexA'

It is important to emphasize that if the mutex 'MsWinZonesCacheCounterMutexA' is present when the encryption component is run, the component will close automatically without taking any further action.

The ransomware generates a unique random key for each encrypted file. This 128-bit AES key is encrypted with a public RSA key and stored in a custom header that the malware adds to all encrypted files.

Files can only be decrypted with the private RSA key corresponding to the public key used to encrypt the AES key used in the file.

The random AES key is generated using the "CryptGenRandom" Windows function, which has no known vulnerability, so it is currently not possible to develop a tool to decrypt these files without knowing the RSA private key used for the attack.

The ransomware creates several threads and carries out the following actions in order to encrypt files:

- It reads the original file and copies it, adding the extension .wnryt
- It creates a random 128-bit AES key
- It encrypts the copied file with AES encryption
- It adds a header with the AES key encrypted with the public RSA key carried by the malware
- It overwrites the original file with the encrypted file
- It deletes the file with the .wnryt extension
- Finally, it renames the original file with the .wnry extension

For every directory that the ransomware encrypts, it generates the same two files in the directory:

@Please_Read_Me@.txt
@WanaDecryptor@.exe

RECOMMENDATIONS

- It is essential to patch vulnerable computers to prevent the SMB vulnerability from being exploited. It is advisable to ensure that the https://technet.microsoft.com/en-us/library/security/ms17-010.aspx patch is applied across all systems on your network, in order to close the door to these types of exploits.
- Block inbound connections to SMB ports (139, 445) from computers outside the network.
- Microsoft has extended the list of affected systems that have a security patch available:
    Windows XP
    Windows 2003
    Microsoft Windows Vista SP2
    Windows Server 2008 SP2 and R2 SP1
    Windows 7
    Windows 8.1
    Windows RT 8.1
    Windows Server 2012 and R2
    Windows 10
    Windows Server 2016
- Finally, carry out an internal audit of your network to establish where the attack began in order to secure this entry point and others.
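
The commands listed in section 1.2 form a compact behavioural signature for the internal audit recommended above. The following Python example is added here and is not part of the Panda Security report: it matches those command lines against process-creation events and flags hosts that show several distinct behaviours. The rule names, host names, threshold and sample events are assumptions constructed for the illustration.

```python
import re

# Command lines listed in section 1.2 of the report, as case-insensitive
# patterns. Rule names are labels made up for this example.
RULES = {
    "shadow_copy_delete": r"vssadmin(\.exe)?\s+delete\s+shadows"
                          r"|wmic(\.exe)?\s+shadowcopy\s+delete",
    "recovery_disabled": r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                         r"(bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)",
    "backup_catalog_delete": r"wbadmin(\.exe)?\s+delete\s+catalog",
    "acl_everyone_full": r"icacls(\.exe)?\s+.*/grant\s+everyone:f",
    "run_key_tasksche": r"reg(\.exe)?\s+add\s+(hkcu|hklm|hkey_\w+)\\software\\microsoft"
                        r"\\windows\\currentversion\\run\b.*tasksche\.exe",
    "worm_service_args": r"mssecsvc\.exe\s+-m\s+security",
    "db_process_kill": r"taskkill(\.exe)?\s+/f\s+/im\s+(mysqld\.exe|sqlwriter\.exe"
                       r"|sqlserver\.exe|msexchange\*|microsoft\.exchange\.\*)",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

def match_rules(cmdline):
    """Return the sorted names of every rule the command line matches."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(cmdline))

def triage(events, threshold=3):
    """Flag hosts showing at least `threshold` distinct behaviours."""
    # A single hit (an admin killing a database process) is weak evidence.
    per_host = {}
    for host, cmdline in events:
        per_host.setdefault(host, set()).update(match_rules(cmdline))
    return {h: sorted(r) for h, r in per_host.items() if len(r) >= threshold}

# Constructed sample events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS-042", "vssadmin delete shadows /all /quiet"),
    ("WS-042", "wmic shadowcopy delete"),
    ("WS-042", "bcdedit /set {default} recoveryenabled no"),
    ("WS-042", "wbadmin delete catalog -quiet"),
    ("WS-042", "icacls . /grant Everyone:F /T /C /Q"),
    ("SRV-DB1", "taskkill.exe /f /im sqlwriter.exe"),
    ("WS-007", "vssadmin list shadows"),
    ("WS-007", r"icacls C:\data /grant alice:R"),
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
```

Because the Run-key value name and the ProgramData folder name are random, the rules key on the fixed parts of each command rather than on those names.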

APPENDIX C - LIST OF BITCOIN PAYMENT ADDRESSES

https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
https://blockchain.info/es/address/1BANTZQqhs6HtMXSZyE2uzud5TJQMDEK3m
https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

APPENDIX D - LIST OF COMMAND LINES

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
C:\WINDOWS\tasksche.exe /i
cmd.exe /c "C:\ProgramData\dqzdvrnqkzci137\tasksche.exe"
C:\ProgramData\dqzdvrnqkzci137\tasksche.exe
@WanaDecryptor@.exe fi

APPENDIX E - LIST OF FILES

MD5                                Filename
db349b97c37d22f5ea1d1841e3c89eb4   mssecsvc.exe
84c82835a5d21bbcf75a61706d8ab549   tasksche.exe
7bf2b57f2a205768755c07f238fb32cc   @WanaDecryptor@.exe
4fef5e34143e646dbf9907c4374276f5   taskdl.exe
8495400f199ac77853c53b5a3f278f3e   taskse.exe
c17170262312f3be7027bc2ca825bf0c   b.wnry
ae08f79a0d800b82fcbe1b43cdbdbefc   c.wnry
3e0020fc529b1c2a061016dd2469ba96   r.wnry
ad4c9de7c8c40813f200ba1c2fa33083   s.wnry
5dcaac857e695a65f5c3ef1441a73a8f   t.wnry

APPENDIX F - PERSISTENCE

Service:
Name: mssecsvc2.0
Description: "Microsoft Security Center (2.0) Service"

Registry key created (autorun):
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\obsbeuqp321 C:\WINDOWS\system32\tasksche.exe\"" /f

APPENDIX G – Mutexes created during encryption

'Global\MsWinZonesCacheCounterMutexA'
'Global\MsWinZonesCacheCounterMutexW'

APPENDIX H - Extension encrypted by the analyzed sample

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

For your information, we will keep our Tech Support site constantly updated with all the details of the cyberattack #WannaCry: http://www.pandasecurity.com/usa/support/cardid=1688
