Ransomware Wanacry
- Malware
The Wanacry ransomware was active in 2017. It is malware that encrypts the user's personal files and demands a ransom for the victims to recover their data. It propagated on its own by exploiting a flaw in the SMB server, which makes it a worm.
Once loaded into memory, it removes every means of restoring the system to an earlier state and silences any error at startup:
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
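As an added example (not from the original analysis), here is detection logic that runs over constructed process-creation records and flags a parent process that removes several of these recovery mechanisms in sequence; host names and the parent paths in the sample events are sample values.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style, trimmed to the
# fields used here). Sample records, not telemetry from the analysis above.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Users\user\Desktop\tasksche.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws01", "parent": r"C:\Users\user\Desktop\tasksche.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "ws01", "parent": r"C:\Users\user\Desktop\tasksche.exe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"host": "ws01", "parent": r"C:\Users\user\Desktop\tasksche.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "ws01", "parent": r"C:\Users\user\Desktop\tasksche.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    # Benign admin activity on another host: listing shadows, not deleting them.
    {"host": "ws02", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},
]

# Each rule is tagged with the recovery mechanism the command removes.
RECOVERY_TAMPER_RULES = [
    ("shadow_copies", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copies", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("boot_recovery", re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
        r"(bootstatuspolicy\s+ignoreallfailures|recoveryenabled\s+no)\b", re.I)),
    ("backup_catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
]

def classify(cmdline):
    """Return the recovery mechanism a command line removes, or None."""
    for mechanism, pattern in RECOVERY_TAMPER_RULES:
        if pattern.search(cmdline):
            return mechanism
    return None

def find_inhibit_recovery(events, min_mechanisms=2):
    """Group hits by (host, parent process) and report parents that removed at
    least min_mechanisms distinct mechanisms; one parent removing all three is not admin work."""
    seen = defaultdict(set)
    for ev in events:
        mechanism = classify(ev["cmdline"])
        if mechanism:
            seen[(ev["host"], ev["parent"])].add(mechanism)
    return {key: sorted(m) for key, m in seen.items() if len(m) >= min_mechanisms}

if __name__ == "__main__":
    for (host, parent), mechanisms in find_inhibit_recovery(SAMPLE_EVENTS).items():
        print(f"{host}: {parent} removed {', '.join(mechanisms)}")
```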
It then encrypts the victim's data. Encrypted files carry the extension .wncry. Files created after the infection are also encrypted, at regular intervals.
It communicates over the Tor network and therefore installs the files needed to use it:
C:\Users\user\AppData\Roaming\tor
2000-01-01 00:00 - 2000-01-01 00:00 - 000719217 _____ () [File not signed] C:\Users\user\Desktop\TaskData\Tor\libevent-2-0-5.dll
2000-01-01 00:00 - 2000-01-01 00:00 - 000523262 _____ () [File not signed] C:\Users\user\Desktop\TaskData\Tor\libgcc_s_sjlj-1.dll
2000-01-01 00:00 - 2000-01-01 00:00 - 000092599 _____ () [File not signed] C:\Users\user\Desktop\TaskData\Tor\libssp-0.dll
2000-01-01 00:00 - 2000-01-01 00:00 - 000107520 _____ () [File not signed] C:\Users\user\Desktop\TaskData\Tor\zlib1.dll
2000-01-01 00:00 - 2000-01-01 00:00 - 003197106 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\Users\user\Desktop\TaskData\Tor\LIBEAY32.dll
2000-01-01 00:00 - 2000-01-01 00:00 - 000711459 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\Users\user\Desktop\TaskData\Tor\SSLEAY32.dll
- tor.exe => MD5: fe7eb54691ad6e6af77f8a9a0b6de26d
- libevent-2-0-5.dll => MD5: 90f50a285efa5dd9c7fddce786bdef25
- libeay32.dll => MD5: 6ed47014c3bb259874d673fb3eaedc85
- ssleay32.dll => MD5: a12c2040f6fddd34e7acb42f18dd6bdc
- libevent_extra-2-0-5.dll => MD5: 6d6602388ab232ca9e8633462e683739
- zlib1.dll => MD5: fb072e9f69afdb57179f59b512f828a4
- libssp-0.dll => MD5: 78581e243e2b41b17452da8d0b5b2a48
- libevent_core-2-0-5.dll => MD5: e5df3824f2fcad0c75fd601fcf37ee70
- libgcc_s_sjlj-1.dll => MD5: 73d4823075762ee2837950726baa2af9
In each directory where the encrypted files are located, I found this:
2020-02-21 23:35 - 2020-02-21 23:35 - 000000933 _____ C:\Users\user\Desktop\@Please_Read_Me@.txt
2020-02-21 23:35 - 2020-02-21 23:35 - 000000475 _____ C:\Users\user\Desktop\@WanaDecryptor@.exe.lnk
The link target:
(Microsoft Corporation) [File not signed] C:\Users\user\Desktop\@WanaDecryptor@.exe
Shortcut: C:\ProgramData\Microsoft\Windows NT\MSScan\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Ringtones\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Caches\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\User Account Pictures\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Malwarebytes\MBAMService\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Malwarebytes\MBAMService\config\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\Users\user\Desktop\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\Users\user\Desktop\rapport\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\Users\user\Desktop\malwares\theZoo-master\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\Users\user\AppData\Local\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\Users\Public\Videos\Sample Videos\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\Users\Public\Music\Sample Music\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
RUN Key:
HKLM\...\Run: [fbqrawoirxak113] => "C:\Users\user\Desktop\tasksche.exe"
Other binaries:
- taskdl.exe => MD5: 4fef5e34143e646dbf9907c4374276f5
- taskhsvc.exe => MD5: fe7eb54691ad6e6af77f8a9a0b6de26d
() [File not signed] C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
Changing the desktop wallpaper:
HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\user\Desktop\@WanaDecryptor@.bmp
2020-02-21 23:35 - 2017-05-11 20:13 - 001440054 _____ C:\Users\sshd_server\Desktop\@WanaDecryptor@.bmp
2020-02-21 23:35 - 2017-05-11 20:13 - 001440054 _____ C:\Users\Public\Desktop\@WanaDecryptor@.bmp
2020-02-21 23:35 - 2017-05-11 20:13 - 001440054 _____ C:\Users\user\Desktop\@WanaDecryptor@.bmp
2020-02-21 23:35 - 2017-05-11 20:13 - 001440054 _____ C:\Users\Default\Desktop\@WanaDecryptor@.bmp
2020-02-21 23:35 - 2017-05-11 20:13 - 001440054 _____ C:\Users\Default User\Desktop\@WanaDecryptor@.bmp
2020-02-21 23:35 - 2017-05-11 20:13 - 001440054 _____ C:\ProgramData\Desktop\@WanaDecryptor@.bmp
Other items:
2020-02-21 23:35 - 2020-02-21 23:36 - 000000136 _____ C:\Users\user\Desktop\00000000.res
2020-02-21 23:35 - 2020-02-21 23:35 - 000001284 _____ C:\Users\user\Desktop\00000000.eky
2020-02-21 23:35 - 2020-02-21 23:35 - 000000922 _____ C:\Users\user\Desktop\f.wnry
2020-02-21 23:35 - 2020-02-21 23:35 - 000000276 _____ C:\Users\user\Desktop\00000000.pky
2020-02-21 23:35 - 2020-02-21 23:35 - 000000000 ____D C:\Users\user\Desktop\msg
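As an added example (not part of the original analysis), a triage script that walks a directory tree and groups the artifacts listed on this page (ransom note, decryptor shortcut, wallpaper, key files, .wncry files) by category; the tree it scans is constructed in a temp directory and the category names are my own.

```python
from collections import defaultdict
from pathlib import Path
import tempfile

# Artifact names come from the listings on this page; the category labels are my
# own. Matching is case-insensitive, since the extension is often written .WNCRY.
ARTIFACT_NAMES = {
    "@please_read_me@.txt": "ransom_note",
    "@wanadecryptor@.exe.lnk": "decryptor_shortcut",
    "@wanadecryptor@.bmp": "wallpaper",
    "00000000.eky": "key_material",
    "00000000.pky": "key_material",
    "00000000.res": "key_material",
    "f.wnry": "support_file",
}

def classify_path(path):
    """Map a file name to an artifact category, or None if it is unremarkable."""
    name = path.name.lower()
    if name in ARTIFACT_NAMES:
        return ARTIFACT_NAMES[name]
    if name.endswith(".wncry"):
        return "encrypted_file"
    return None

def triage(root):
    """Walk root and return {category: sorted relative paths} for every hit."""
    root = Path(root)
    findings = defaultdict(list)
    for path in root.rglob("*"):
        category = classify_path(path) if path.is_file() else None
        if category:
            findings[category].append(path.relative_to(root).as_posix())
    return {k: sorted(v) for k, v in findings.items()}

def build_sample_tree():
    """Constructed tree mimicking the listings above (empty files in a temp dir)."""
    root = Path(tempfile.mkdtemp(prefix="wncry_triage_"))
    for rel in ["Desktop/@Please_Read_Me@.txt", "Desktop/@WanaDecryptor@.exe.lnk",
                "Desktop/report.docx.WNCRY", "Desktop/00000000.eky",
                "Desktop/00000000.pky", "Desktop/f.wnry",
                "Desktop/photos/holiday.jpg.WNCRY", "Desktop/photos/@Please_Read_Me@.txt",
                "Desktop/notes.txt"]:  # notes.txt is untouched and must not be flagged
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).touch()
    return root

if __name__ == "__main__":
    for category, paths in sorted(triage(build_sample_tree()).items()):
        print(f"{category}: {len(paths)} -> {paths}")
```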