It is currently unclear whether this payload is delivered via malicious attachment or through the WAN using the FuzzBunch EternalBlue SMB exploit.
The malware behaves much like typical ransomware during execution on the victim’s machine.
Below are the operations that are ran via cmd.exe:
/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
/c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v “zvcytmeqpytz910” /t REG_SZ /d “\”C:\tasksche.exe\”” /f
Deletes shadow copies, disables recovery, and sets the “ignoreallfailures” at startup. Victims are reporting that the machines are getting the BSoD or being prompted to reboot. Once rebooted, they are greeted with the ransom.
Palo Alto Networks Customers with Threat Subscription
Palo Alto Networks released this emergency content update to modify coverage for a Microsoft SMB Remote Code Execution Vulnerability for exploits seen in the wild related to the WanaCryptor ransomware attacks. Customers are advised to upgrade all firewalls and appliances to the latest version of Content Apps and Threats and review policies to ensure desired actions are configured on all security policies.
Modified Vulnerability Signatures (1)
Severity | ID | Attack Name | CVE ID | Vendor ID | Default Action | Minimum PAN-OS Version |
critical | 32422 | Microsoft Windows SMB Remote Code Execution Vulnerability | CVE-2017-0144 CVE-2017-0146 |
MS17-010 | reset-both | 5.0.0 |
SNORT Emerging Threat Rule
Sandbox Analysis
- https://www.hybrid-analysis.com/sample/57c12d8573d2f3883a8a0ba14e3eec02ac1c61dee6b675b6c0d16e221c3777f4?environmentId=100
- https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa/?environmentId=100
- https://www.hybrid-analysis.com/sample/b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25?environmentId=100
Indicators of Compromise
IP Addresses and Domains
IPv4 197(.)231.221.211
IPv4 128(.)31.0.39
IPv4 149(.)202.160.69
IPv4 46(.)101.166.19
IPv4 91(.)121.65.179
URL hxxp://www(.)btcfrog(.)com/qr/bitcoinpng(.)php?address
URL hxxp://www(.)rentasyventas(.)com/incluir/rk/imagenes(.)html
URL hxxp://www(.)rentasyventas(.)com/incluir/rk/imagenes(.)html?retencion=081525418
URL hxxp://gx7ekbenv2riucmf(.)onion
URL hxxp://57g7spgrzlojinas(.)onion
URL hxxp://xxlvbrloxvriy2c5(.)onion
URL hxxp://76jdd2ir2embyv47(.)onion
URL hxxp://cwwnhwhlz52maqm7(.)onion
URL hxxp://197.231.221(.)211 Port:9001
URL hxxp://128.31.0(.)39 Port:9191
URL hxxp://149.202.160(.)69 Port:9001
URL hxxp://46.101.166(.)19 Port:9090
URL hxxp://91.121.65(.)179 Port:9001
Hashes
https://gist.github.com/Blevene/42bed05ecb51c1ca0edf846c0153974a
Hash-MD5 | 5a89aac6c8259abbba2fa2ad3fcefc6e |
Hash-MD5 | 05da32043b1e3a147de634c550f1954d |
Hash-MD5 | 8e97637474ab77441ae5add3f3325753 |
Hash-MD5 | c9ede1054fef33720f9fa97f5e8abe49 |
Hash-MD5 | f9cee5e75b7f1298aece9145ea80a1d2 |
Hash-MD5 | 638f9235d038a0a001d5ea7f5c5dc4ae |
Hash-MD5 | 80a2af99fd990567869e9cf4039edf73 |
Hash-MD5 | c39ed6f52aaa31ae0301c591802da24b |
Hash-MD5 | db349b97c37d22f5ea1d1841e3c89eb4 |
Hash-MD5 | f9992dfb56a9c6c20eb727e6a26b0172 |
Hash-MD5 | 46d140a0eb13582852b5f778bb20cf0e |
Hash-MD5 | 5bef35496fcbdbe841c82f4d1ab8b7c2 |
Hash-MD5 | 3c6375f586a49fc12a4de9328174f0c1 |
Hash-MD5 | 246c2781b88f58bc6b0da24ec71dd028 |
Hash-MD5 | b7f7ad4970506e8547e0f493c80ba441 |
Hash-MD5 | 2b4e8612d9f8cdcf520a8b2e42779ffa |
Hash-MD5 | c61256583c6569ac13a136bfd440ca09 |
Hash-MD5 | 31dab68b11824153b4c975399df0354f |
Hash-MD5 | 54a116ff80df6e6031059fc3036464df |
Hash-MD5 | d6114ba5f10ad67a4131ab72531f02da |
Hash-MD5 | 05a00c320754934782ec5dec1d5c0476 |
Hash-MD5 | f107a717f76f4f910ae9cb4dc5290594 |
Hash-MD5 | 7f7ccaa16fb15eb1c7399d422f8363e8 |
Hash-MD5 | 84c82835a5d21bbcf75a61706d8ab549 |
Hash-MD5 | bec0b7aff4b107edd5b9276721137651 |
Hash-MD5 | 86721e64ffbd69aa6944b9672bcabb6d |
Hash-MD5 | 509c41ec97bb81b0567b059aa2f50fe8 |
Hash-MD5 | 8db349b97c37d22f5ea1d1841e3c89eb |
Hash-SHA1 | 6fbb0aabe992b3bda8a9b1ecd68ea13b668f232e |
Hash-SHA256 | 0a73291ab5607aef7db23863cf8e72f55bcb3c273bb47f00edf011515aeb5894 |
Hash-SHA256 | 21ed253b796f63b9e95b4e426a82303dfac5bf8062bfe669995bde2208b360fd |
Hash-SHA256 | 228780c8cff9044b2e48f0e92163bd78cc6df37839fe70a54ed631d3b6d826d5 |
Hash-SHA256 | 2372862afaa8e8720bc46f93cb27a9b12646a7cbc952cc732b8f5df7aebb2450 |
Hash-SHA256 | 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d |
Hash-SHA256 | 3ecc7b1ee872b45b534c9132c72d3523d2a1576ffd5763fd3c23afa79cf1f5f9 |
Hash-SHA256 | 43d1ef55c9d33472a5532de5bbe814fefa5205297653201c30fdc91b8f21a0ed |
Hash-SHA256 | 49fa2e0131340da29c564d25779c0cafb550da549fae65880a6b22d45ea2067f |
Hash-SHA256 | 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79 |
Hash-SHA256 | 616e60f031b6e7c4f99c216d120e8b38763b3fafd9ac4387ed0533b15df23420 |
Hash-SHA256 | 66334f10cb494b2d58219fa6d1c683f2dbcfc1fb0af9d1e75d49a67e5d057fc5 |
Hash-SHA256 | 8b52f88f50a6a254280a0023cf4dc289bd82c441e648613c0c2bb9a618223604 |
Hash-SHA256 | 8c3a91694ae0fc87074db6b3e684c586e801f4faed459587dcc6274e006422a4 |
Hash-SHA256 | aae9536875784fe6e55357900519f97fee0a56d6780860779a36f06765243d56 |
Hash-SHA256 | b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 |
Hash-SHA256 | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa |
Hash-SHA256 | f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494 |
Hash-SHA256 | 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa |
Hash-SHA256 | 149601e15002f78866ab73033eb8577f11bd489a4cea87b10c52a70fdf78d9ff |
Hash-SHA256 | 190d9c3e071a38cb26211bfffeb6c4bb88bd74c6bf99db9bb1f084c6a7e1df4e |
Hash-SHA256 | 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c |
Hash-SHA256 | 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd |
Hash-SHA256 | 4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982 |
Hash-SHA256 | 593bbcc8f34047da9960b8456094c0eaf69caaf16f1626b813484207df8bd8af |
Hash-SHA256 | 5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec |
Hash-SHA256 | 7c465ea7bcccf4f94147add808f24629644be11c0ba4823f16e8c19e0090f0ff |
Hash-SHA256 | 9b60c622546dc45cca64df935b71c26dcf4886d6fa811944dbc4e23db9335640 |
Hash-SHA256 | 9fb39f162c1e1eb55fbf38e670d5e329d84542d3dfcdc341a99f5d07c4b50977 |
Hash-SHA256 | b47e281bfbeeb0758f8c625bed5c5a0d27ee8e0065ceeadd76b0010d226206f0 |
Hash-SHA256 | b66db13d17ae8bcaf586180e3dcd1e2e0a084b6bc987ac829bbff18c3be7f8b4 |
Hash-SHA256 | c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9 |
Hash-SHA256 | d8a9879a99ac7b12e63e6bcae7f965fbf1b63d892a8649ab1d6b08ce711f7127 |
Hash-SHA256 | f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85 |
Hash-SHA256 | 11d0f63c06263f50b972287b4bbd1abe0089bc993f73d75768b6b41e3d6f6d49 |
Hash-SHA256 | 16493ecc4c4bc5746acbe96bd8af001f733114070d694db76ea7b5a0de7ad0ab |
Hash-SHA256 | 6bf1839a7e72a92a2bb18fbedf1873e4892b00ea4b122e48ae80fac5048db1a7 |
Hash-SHA256 | b3c39aeb14425f137b5bd0fd7654f1d6a45c0e8518ef7e209ad63d8dc6d0bac7 |
Hash-SHA256 | e14f1a655d54254d06d51cd23a2fa57b6ffdf371cf6b828ee483b1b1d6d21079 |
Hash-SHA256 | e8450dd6f908b23c9cbd6011fe3d940b24c0420a208d6924e2d920f92c894a96 |