Now compiled with fpc 3.0/lazarus 1.6 (previously 2.7/1.1). Signed with a sha256 signature as well (for OSes that support it).
Changed Ultimap to use an official way to get the perfmon interrupt instead of IDT hooking (fewer BSODs on Win10).
Groupscans now deal with alignment issues better.
Fixed "increased value by"/"decreased value by" for float values.
Fixed disassembling/assembling some instructions (64-bit).
Fixed the autoassembler tokenizing wrong words.
Fixed several bugs related to the structure dissect window (mainly shown when autodestroy was on).

For a list of observed killswitch domains, see Appendix A. If the connection fails, however, the malware checks the number of arguments passed to the program. If zero, the malware continues with installation; otherwise it enters service mode. Note: Network proxies and other enterprise network security features may prevent the malware from contacting its killswitch domain and inadvertently trigger encryption. Organizations may wish to adjust their proxy configurations or other network configurations to avoid this problem.

In service mode, the malware first updates the service config so that failure actions occur if the service exits without entering a SERVICE_STOPPED state. The malware then executes the service function, which registers the service handlers and attempts exploitation of MS17-010 against identified SMB services. This allows remote code execution and enables spreading across the network. This execution is performed in a thread, and the service exits after 24 hours regardless of the status of the thread.

The spreader begins by setting up the Windows socket APIs and generating an RSA crypto context. This crypto context is later used to generate random numbers. The malware then builds two DLLs in memory: a 32-bit and a 64-bit DLL with identical functionality. Each one contains a single export named PlayGame that loads the W resource, writes it to C:\WINDOWS\mssecsvc.exe, and executes it. The W resource in each case has been populated with a copy of the running binary (MD5: db349b97c37d22f5ea1d1841e3c89eb4).

The malware continues by spawning two threads. The first thread enumerates the network adapters and determines which subnets the system is on. The malware then generates a thread for each IP on the subnet. Each of these threads attempts to connect to the IP on port 445 and, if successful, attempts exploitation of the service via a vulnerability described in MS17-010. An example of an attempt to exploit MS17-010 on a remote system can be seen in Figure 1.

Figure 1: WannaCry network traffic attempting SMB exploit

One of the unique features of this traffic is an SMB Tree Connect AndX Request containing the following UNICODE string: This packet is hand-crafted and hard-coded into the malware. The second thread generates random IPs and attempts to connect to them on port 445.