WannaCry ransomware

  • Malware


The WannaCry ransomware was active in May 2017. It encrypts the user's personal files and demands a ransom in exchange for the key needed to recover them. It is also a worm: it propagated on its own by exploiting a flaw in the Windows SMBv1 server (MS17-010, the EternalBlue exploit), so one infected host was enough to reach every unpatched machine on the network over port 445.

Once running, it removes the usual means of rolling the system back (the Volume Shadow Copies and the Windows backup catalog) and disables startup recovery so that boot failures are ignored instead of triggering repair:
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no
wbadmin delete catalog -quiet
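The five commands above are the strongest early signal of this family: seen together from one parent in a short window, they are ransomware preparing to encrypt. The following is an added example, not code from the page's author, that runs simple rules over Sysmon Event ID 1 / Security 4688-style process-creation records and groups matches by host and parent pid so the whole chain surfaces as one alert. The records, including the parent process, pids and the benign admin actions, are constructed for the example.

```python
"""Detect the recovery-inhibition chain shown above in process-creation logs.

Added example, not part of the original page: simple rules over constructed
Sysmon Event ID 1 / Security 4688-style records, grouped by host and parent
pid so that the whole chain is reported as a single alert.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Each rule names the recovery mechanism the command removes; a command line
# is split on &, && and | first so chained "cmd /c a & b & c" lines score piecewise.
RULES = [
    ("shadow-copy-deletion", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow-copy-deletion", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("boot-recovery-disabled", re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("backup-catalog-deletion", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]
SPLIT_RE = re.compile(r"\s*(?:&&|&|\|\||\|)\s*")


@dataclass
class ProcEvent:
    ts: datetime
    host: str
    pid: int
    ppid: int
    parent_image: str
    image: str
    command_line: str


def match_rules(command_line):
    """Return the set of rule names matched by any piece of the command line."""
    matched = set()
    for piece in SPLIT_RE.split(command_line):
        for name, rx in RULES:
            if rx.search(piece):
                matched.add(name)
    return matched


def detect(events, window=timedelta(minutes=2)):
    """Group matching events by (host, parent pid) that fall within `window`.

    Two or more distinct mechanisms from one parent is the ransomware pattern
    (severity high); a lone deletion is still reported, at medium.
    """
    alerts, open_groups = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        rules = match_rules(ev.command_line)
        if not rules:
            continue
        key = (ev.host, ev.ppid)
        g = open_groups.get(key)
        if g is None or ev.ts - g["last"] > window:
            g = {"host": ev.host, "parent": ev.parent_image, "first": ev.ts,
                 "last": ev.ts, "rules": set(), "events": []}
            open_groups[key] = g
            alerts.append(g)
        g["rules"] |= rules
        g["events"].append(ev)
        g["last"] = ev.ts
    for g in alerts:
        g["severity"] = "high" if len(g["rules"]) >= 2 else "medium"
    return alerts


# Constructed sample (not real telemetry): the five commands from the page, first
# as one cmd.exe /c line, then as the child processes cmd.exe spawns, plus two
# administrator actions on another host. Parent image and pids are assumed.
T0 = datetime(2017, 5, 12, 10, 0, 0)
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    ProcEvent(T0, "ws01", 4120, 3980, r"C:\Users\user\Desktop\@WanaDecryptor@.exe", CMD,
              "cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
              "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
              "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"),
    ProcEvent(T0 + timedelta(seconds=1), "ws01", 4130, 4120, CMD, r"C:\Windows\System32\vssadmin.exe",
              "vssadmin delete shadows /all /quiet"),
    ProcEvent(T0 + timedelta(seconds=2), "ws01", 4136, 4120, CMD, r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic shadowcopy delete"),
    ProcEvent(T0 + timedelta(seconds=3), "ws01", 4142, 4120, CMD, r"C:\Windows\System32\bcdedit.exe",
              "bcdedit /set {default} bootstatuspolicy ignoreallfailures"),
    ProcEvent(T0 + timedelta(seconds=4), "ws01", 4150, 4120, CMD, r"C:\Windows\System32\bcdedit.exe",
              "bcdedit /set {default} recoveryenabled no"),
    ProcEvent(T0 + timedelta(seconds=5), "ws01", 4158, 4120, CMD, r"C:\Windows\System32\wbadmin.exe",
              "wbadmin delete catalog -quiet"),
    # Benign: an admin listing shadow copies. Matches nothing.
    ProcEvent(T0 + timedelta(hours=1), "srv02", 900, 880,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
    # A lone deletion without the rest of the chain: reported at medium only.
    ProcEvent(T0 + timedelta(hours=3), "srv02", 1200, 1100, CMD, r"C:\Windows\System32\vssadmin.exe",
              "vssadmin delete shadows /for=C: /oldest"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["severity"]:6} {a["host"]} parent={a["parent"]} '
              f'rules={sorted(a["rules"])} events={len(a["events"])}')
```

Splitting on the shell separators matters: WannaCry issues all five commands through a single cmd.exe invocation, so a rule that only looks at the spawned children would miss the one event that names the real parent.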
 
It then encrypts the victim's data; encrypted files receive the .wncry extension. Files created after the infection are encrypted as well, because the malware rescans the disk at regular intervals.
 

It communicates with its operators over the Tor network, and so drops the files needed to run a Tor client (the client itself and its DLL dependencies, none of them signed):

 

C:\Users\user\AppData\Roaming\tor
2000-01-01 00:00 - 2000-01-01 00:00 - 000719217 _____ () [File not signed] C:\Users\user\Desktop\TaskData\Tor\libevent-2-0-5.dll
2000-01-01 00:00 - 2000-01-01 00:00 - 000523262 _____ () [File not signed] C:\Users\user\Desktop\TaskData\Tor\libgcc_s_sjlj-1.dll
2000-01-01 00:00 - 2000-01-01 00:00 - 000092599 _____ () [File not signed] C:\Users\user\Desktop\TaskData\Tor\libssp-0.dll
2000-01-01 00:00 - 2000-01-01 00:00 - 000107520 _____ () [File not signed] C:\Users\user\Desktop\TaskData\Tor\zlib1.dll
2000-01-01 00:00 - 2000-01-01 00:00 - 003197106 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\Users\user\Desktop\TaskData\Tor\LIBEAY32.dll
2000-01-01 00:00 - 2000-01-01 00:00 - 000711459 _____ (The OpenSSL Project, hxxp://www.openssl.org/) [File not signed] C:\Users\user\Desktop\TaskData\Tor\SSLEAY32.dll

 

 


In every directory containing encrypted files I found the same two items, the ransom note and a shortcut to the decryptor:

 

2020-02-21 23:35 - 2020-02-21 23:35 - 000000933 _____ C:\Users\user\Desktop\@Please_Read_Me@.txt
2020-02-21 23:35 - 2020-02-21 23:35 - 000000475 _____ C:\Users\user\Desktop\@WanaDecryptor@.exe.lnk

 

The shortcut's target. Note that the executable's version information names Microsoft Corporation as the company, yet the file carries no Authenticode signature:

 

(Microsoft Corporation) [File not signed] C:\Users\user\Desktop\@WanaDecryptor@.exe

 

 

Shortcut: C:\ProgramData\Microsoft\Windows NT\MSScan\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Ringtones\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\Windows\Caches\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\User Account Pictures\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Malwarebytes\MBAMService\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\ProgramData\Malwarebytes\MBAMService\config\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\Users\user\Desktop\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\Users\user\Desktop\rapport\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\Users\user\Desktop\malwares\theZoo-master\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\Users\user\AppData\Local\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\Users\Public\Videos\Sample Videos\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
Shortcut: C:\Users\Public\Music\Sample Music\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)

 


Run key (persistence; the value name is a random-looking string and the target sits in a user-writable directory):

 

HKLM\...\Run: [fbqrawoirxak113] => "C:\Users\user\Desktop\tasksche.exe"

 

 


Other binaries (taskhsvc.exe is the bundled Tor client, renamed):

() [File not signed] C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe

 


Changing the desktop wallpaper (the value is set in the user's hive and the bitmap is copied to every profile's Desktop folder):

 

HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\user\Desktop\@WanaDecryptor@.bmp
2020-02-21 23:35 - 2017-05-11 20:13 - 001440054 _____ C:\Users\sshd_server\Desktop\@WanaDecryptor@.bmp
2020-02-21 23:35 - 2017-05-11 20:13 - 001440054 _____ C:\Users\Public\Desktop\@WanaDecryptor@.bmp
2020-02-21 23:35 - 2017-05-11 20:13 - 001440054 _____ C:\Users\user\Desktop\@WanaDecryptor@.bmp
2020-02-21 23:35 - 2017-05-11 20:13 - 001440054 _____ C:\Users\Default\Desktop\@WanaDecryptor@.bmp
2020-02-21 23:35 - 2017-05-11 20:13 - 001440054 _____ C:\Users\Default User\Desktop\@WanaDecryptor@.bmp
2020-02-21 23:35 - 2017-05-11 20:13 - 001440054 _____ C:\ProgramData\Desktop\@WanaDecryptor@.bmp

 


Other items, the per-victim key material and the ransom-note resources (00000000.pky is the RSA public key, 00000000.eky the matching private key encrypted with the attackers' key, 00000000.res a small state file, f.wnry the list of files offered for free demo decryption and msg the folder of localized ransom texts):

 

2020-02-21 23:35 - 2020-02-21 23:36 - 000000136 _____ C:\Users\user\Desktop\00000000.res
2020-02-21 23:35 - 2020-02-21 23:35 - 000001284 _____ C:\Users\user\Desktop\00000000.eky
2020-02-21 23:35 - 2020-02-21 23:35 - 000000922 _____ C:\Users\user\Desktop\f.wnry
2020-02-21 23:35 - 2020-02-21 23:35 - 000000276 _____ C:\Users\user\Desktop\00000000.pky
2020-02-21 23:35 - 2020-02-21 23:35 - 000000000 ____D C:\Users\user\Desktop\msg
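The artifacts listed throughout this page (the .wncry extension, the ransom note and decryptor shortcuts, the Tor bundle, the Run key, the wallpaper value and the key files above) can be pulled out of an FRST log automatically. The following is an added example, not tooling from the page's author: it parses the FRST line formats quoted above (file entries with and without timestamps, the Run key, the Shortcut lines and the Wallpaper value) and flags each indicator. The sample input is made of the page's own lines plus two constructed entries (a benign document and one .WNCRY file); the rule names and the random-value-name heuristic for the Run key are our own assumptions.

```python
"""Pull the WannaCry indicators listed on this page out of FRST log lines.

Added example, not the page author's tooling: parses the FRST line formats
quoted above and flags the indicators the page describes. Rule names and the
Run-key heuristic are our own assumptions.
"""
import re
from dataclasses import dataclass, field

# "<created> - <modified> - <size> <attrs> [(company)] [[signature]] <path>"
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) - "
    r"(?P<size>\d{9}) (?P<attrs>[_A-Z]{5}) "
    r"(?:\((?P<company>[^)]*)\) )?(?:\[(?P<sig>[^\]]*)\] )?(?P<path>.+)$")
# Same entry without timestamps, as in "() [File not signed] C:\...\taskhsvc.exe"
BARE_FILE_RE = re.compile(
    r"^(?:\((?P<company>[^)]*)\) )?(?:\[(?P<sig>[^\]]*)\] )?(?P<path>[A-Za-z]:\\.+)$")
RUN_RE = re.compile(
    r'^(?P<hive>HK(?:LM|CU|U)[^:]*)\\Run: \[(?P<name>[^\]]+)\] => "?(?P<path>[^"]+)"?$')
SHORTCUT_RE = re.compile(r"^Shortcut: (?P<lnk>.+?\.lnk) -> (?P<target>.+?)(?: \((?P<company>[^)]*)\))?$")
WALLPAPER_RE = re.compile(r"\\Wallpaper -> (?P<path>.+)$")

# File and directory names WannaCry drops, all taken from the listing on this page.
KNOWN_NAMES = {
    "@please_read_me@.txt", "@wanadecryptor@.exe", "@wanadecryptor@.exe.lnk",
    "@wanadecryptor@.bmp", "00000000.res", "00000000.eky", "00000000.pky",
    "f.wnry", "tasksche.exe", "taskhsvc.exe", "msg",
}
ENCRYPTED_EXT = (".wncry", ".wncryt")              # .WNCRYT is the in-progress temp name
TOR_DIR = "\\taskdata\\tor\\"
RANDOM_NAME_RE = re.compile(r"[a-z]{8,}\d{1,3}")    # heuristic for the Run value name (assumption)


@dataclass
class Finding:
    line: str
    kind: str          # file, run, shortcut or wallpaper
    path: str
    reasons: list = field(default_factory=list)


def basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def reasons_for_path(path, company=None, sig=None):
    """Return the indicators that apply to one path (plus its version/signature info)."""
    low, reasons = path.lower(), []
    if basename(path) in KNOWN_NAMES:
        reasons.append("known-artifact-name")
    if low.endswith(ENCRYPTED_EXT):
        reasons.append("encrypted-extension")
    if TOR_DIR in low:
        reasons.append("bundled-tor")
    # The decryptor's version info claims Microsoft, yet the file is unsigned.
    if company and "microsoft" in company.lower() and sig and "not signed" in sig.lower():
        reasons.append("unsigned-claims-microsoft")
    return reasons


def parse(line):
    """Return (kind, groupdict) for a recognised FRST line, else None."""
    for kind, rx in (("file", FILE_RE), ("file", BARE_FILE_RE), ("run", RUN_RE),
                     ("shortcut", SHORTCUT_RE), ("wallpaper", WALLPAPER_RE)):
        m = rx.search(line)
        if m:
            return kind, m.groupdict()
    return None


def triage(lines):
    findings = []
    for raw in lines:
        line = raw.strip()
        parsed = parse(line)
        if not parsed:
            continue
        kind, g = parsed
        if kind == "shortcut":
            path, reasons = g["lnk"], reasons_for_path(g["target"])
            if basename(g["lnk"]) in KNOWN_NAMES:
                reasons.append("lnk-to-decryptor")
        else:
            path = g["path"]
            reasons = reasons_for_path(path, g.get("company"), g.get("sig"))
            # Persistence: random-looking value name pointing into a user profile.
            if kind == "run" and RANDOM_NAME_RE.fullmatch(g["name"]) and "\\users\\" in path.lower():
                reasons.append("run-key-user-writable-random-name")
        if reasons:
            findings.append(Finding(line, kind, path, reasons))
    return findings


def summarize(findings):
    """Count findings per indicator."""
    counts = {}
    for f in findings:
        for r in f.reasons:
            counts[r] = counts.get(r, 0) + 1
    return counts


# Sample input: lines from the FRST output on this page, plus two constructed
# entries (a benign document and one encrypted file) to show the negative case.
SAMPLE = r"""
2000-01-01 00:00 - 2000-01-01 00:00 - 000719217 _____ () [File not signed] C:\Users\user\Desktop\TaskData\Tor\libevent-2-0-5.dll
2020-02-21 23:35 - 2020-02-21 23:35 - 000000933 _____ C:\Users\user\Desktop\@Please_Read_Me@.txt
2020-02-21 23:35 - 2020-02-21 23:35 - 000000475 _____ C:\Users\user\Desktop\@WanaDecryptor@.exe.lnk
Shortcut: C:\Users\Public\Music\Sample Music\@WanaDecryptor@.exe.lnk -> C:\Users\user\Desktop\@WanaDecryptor@.exe (Microsoft Corporation)
HKLM\...\Run: [fbqrawoirxak113] => "C:\Users\user\Desktop\tasksche.exe"
() [File not signed] C:\Users\user\Desktop\TaskData\Tor\taskhsvc.exe
(Microsoft Corporation) [File not signed] C:\Users\user\Desktop\@WanaDecryptor@.exe
HKU\S-1-5-21-3583694148-1414552638-2922671848-1000\Control Panel\Desktop\\Wallpaper -> C:\Users\user\Desktop\@WanaDecryptor@.bmp
2020-02-21 23:35 - 2020-02-21 23:35 - 000001284 _____ C:\Users\user\Desktop\00000000.eky
2020-02-21 23:35 - 2020-02-21 23:35 - 000000276 _____ C:\Users\user\Desktop\00000000.pky
2020-02-21 23:35 - 2020-02-21 23:35 - 000000000 ____D C:\Users\user\Desktop\msg
2020-02-21 23:35 - 2020-02-21 23:35 - 000000000 _____ C:\Users\user\Documents\benign.txt
2020-02-21 23:35 - 2020-02-21 23:35 - 000004096 _____ C:\Users\user\Documents\report.docx.WNCRY
"""

if __name__ == "__main__":
    found = triage(SAMPLE.splitlines())
    for f in found:
        print(f"{f.kind:9} {', '.join(f.reasons):50} {f.path}")
    print(summarize(found))
```

The company-name check is the caveat worth keeping in mind when reading the listing above: FRST prints the company from the PE version resource, which the malware author fills in freely, so "(Microsoft Corporation)" next to "[File not signed]" is a red flag rather than reassurance.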