{"id":74016,"date":"2017-05-14T14:25:15","date_gmt":"2017-05-14T21:25:15","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=74016"},"modified":"2025-05-27T20:18:14","modified_gmt":"2025-05-28T03:18:14","slug":"analysis-wannacry-ransomware","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/analysis-wannacry-ransomware\/","title":{"rendered":"Further Analysis of WannaCry Ransomware"},"content":{"rendered":"

McAfee Labs has closely monitored the activity around the ransomware WannaCry. Many sources have reported on this attack and its behavior, including this post<\/a> by McAfee\u2019s Raj Samani and Christiaan Beek and this post <\/a>by Steve Grobman. In the last 24 hours, we have learned more about this malware. These findings mainly concern the malware\u2019s network propagation, Bitcoin activity, and differences in observed variants.<\/p>\n

Malware network behavior<\/h2>\n

WannaCry uses the MS17-010 exploit to spread to other machines through NetBIOS. The malware contains exploits in its body that are used during the exploitation phase.\u00a0These are related to CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, and CVE-2017-0148, all based on the MS17-10 security bulletin.<\/p>\n

In many reports we read that the malware generates a list of internal IPs. We found that the malware generates random IP addresses, not limited to the local network. The following is an example attempt at propagation:<\/p>\n

\"\"<\/a><\/p>\n

With this, the malware can spread not only to other machines in same network, but also across the Internet if sites allow NetBIOS packets from outside networks. This could be one reason for the widespread infection seen in this outbreak and why many people are unsure about the initial infection vector of the malware.<\/p>\n

Another interesting characteristic of the malware is that once a machine with an open NetBIOS port is found, the malware will send three NetBIOS session setup packets to it. One has the proper IP of the machine being exploited, and the other two contain two IP addresses hardcoded in the malware body:<\/p>\n

\"\"<\/a><\/p>\n

The preceding packet contains the IP of the machine being exploited. It uses the test network 192.168.0.0\/24. The other two packets, below, contain different IPs that the malware has in its code:<\/p>\n

\"\"<\/a><\/p>\n

\"\"<\/a><\/p>\n

This activity and the presence of two hardcoded IP addresses (192.168.56.20, 172.16.99.5) could be used to detect the exploit using network intrusion prevention systems.<\/p>\n

Server message block (SMB) packets also contain the encrypted payload, which consists of exploit shellcode and the file launcher.dll. During our analysis, we found the malware is encrypted using a 4-byte XOR key, 0x45BF6313.<\/p>\n

\"\"<\/a><\/p>\n

Encrypted payload with the key 0x45BF6313.<\/em><\/p>\n

\"\"<\/a><\/p>\n

Decrypted launcher.dll payload.<\/em><\/p>\n

We also found following x64 shellcode being transferred during network communication over SMB.<\/p>\n

\"\"<\/a><\/p>\n

EternalBlue code.<\/em><\/p>\n

\"\"<\/a><\/p>\n

DoublePulsar code.<\/em><\/p>\n

Worm behavior<\/h2>\n

\"\"<\/a><\/p>\n

Machine A at left, Machine B at right.\u00a0<\/em><\/p>\n

The infection flow to the vulnerable host (Machine B).<\/p>\n

\"\"<\/a><\/p>\n

Kernel mode at left, user mode at right.<\/em><\/p>\n

 <\/p>\n

Infection using kernel exploit<\/h2>\n

In our analysis, we found that on infected machines the SMB driver srv2.sys is vulnerable in kernel module and is exploited by the malware to spread using SMB communication.<\/p>\n

A compromised srv2.sys will inject launcher.dll into the user-mode process lsass.exe, which acts as the loader for mssecsvc.exe. This DLL contains only one export, PlayGame:<\/p>\n

\"\"<\/a><\/p>\n

The code simply extracts the ransomware dropper from the resource shown previously, and starts it using the function CreateProcess:<\/p>\n

\"\"<\/a>\u00a0<\/strong><\/p>\n

\"\"<\/a><\/p>\n

Injected launcher.dll in the lsass.exe address space. <\/em><\/p>\n

<\/h1>\n

Malware variants in the wild<\/h2>\n

As reported by several sources<\/a>, the malware dropper contains code to check to two specific domains before executing its ransomware or the network exploit codes.<\/p>\n