The sample exploits the ETERNALBLUE SMB vulnerability or the DOUBLEPULSAR backdoor to propagate and to infect hosts with the ransomware. The sample first connects to the domain name http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com to test network connectivity. If the connection succeeds, the sample exits; otherwise, it carries out its subsequent behaviors. Therefore, registering that domain name so that it is reachable stops further attacks.
The ransomware sample contains three Bitcoin wallet addresses provided by the attacker. So far, the total balance of the attacker's wallets is $13623.024035853401. The following figure shows Bitcoin information about the wallet with the address 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94.
The following figure shows the detection result of TAC.
| File | MD5 | Description |
|---|---|---|
| Source file | DB349B97C37D22F5EA1D1841E3C89EB4 | Infects and spreads the sample and drops the ransomware sample. |
| tasksche.exe | DB349B97C37D22F5EA1D1841E3C89EB4 | The ransomware sample. |
- Installing services: creates the mssecsvc2.0 service, exploits the vulnerability, and scans port 445.
- Encrypting files: encrypts files of the specified formats.
- Conducting network behaviors and exploiting vulnerabilities: attacks further PCs and spreads the infection by exploiting the ETERNALBLUE vulnerability or the DOUBLEPULSAR backdoor.
| Phase | Component | Behavior |
|---|---|---|
| Infection and propagation | Source program | Creates and starts services; creates and starts processes for the different functions. |
| Service installation | Service created by the source program to start mssecsvc2.0 by running the `mssecsvc.bin -m security` command | Exploits the vulnerability to spread the ransomware sample. |
| Ransomware | Ransomware C:/WINDOWS/tasksche.exe dropped by the source program; started with the /i parameter | Generates a notification file and a ransom note file and encrypts files. Installs the hnjrymny service, which is started from C:\ProgramData\hnjrymny834\tasksche.exe. |
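The host-side artifacts listed above (the service names, the registry key, the drop path under C:\ProgramData, and the MD5 from the table) can be turned into a simple indicator check. The following is an added example, not NSFOCUS code: the inventory inputs are constructed to imitate what an endpoint agent would collect, the file contents are made up, and the pattern for the randomly named C:\ProgramData directory is an assumption based on the one directory name the page gives.

```python
"""Indicator check for the WannaCry host artifacts described on this page.

Added example, not NSFOCUS code. Only indicators named on the page are used;
the inputs below are constructed to resemble an endpoint inventory.
"""
import hashlib
import re

# Indicators taken from the analysis (MD5 as listed in the page's table).
KNOWN_MD5 = {"db349b97c37d22f5ea1d1841e3c89eb4"}
SERVICE_NAMES = {"mssecsvc2.0"}
REGISTRY_KEYS = {r"software\wanacrypt0r"}
# tasksche.exe under C:\ProgramData\<random name>\ (assumption: the directory
# name varies per host, so only the fixed parts are matched).
DROPPED_PATH = re.compile(r"\\programdata\\[^\\\s\"]+\\tasksche\.exe", re.I)
# The page also reports C:/WINDOWS/tasksche.exe (either slash style accepted).
WINDOWS_PATH = re.compile(r"[\\/]windows[\\/]tasksche\.exe$", re.I)


def md5_hex(data: bytes) -> str:
    """Hex MD5 of file content, for comparison with the published hash."""
    return hashlib.md5(data).hexdigest()


def check_host(services, registry_keys, files, known_md5=KNOWN_MD5):
    """services: iterable of (service name, image path)
    registry_keys: iterable of key paths as strings
    files: iterable of (file path, file content bytes)
    Returns a list of (indicator type, matched value) tuples."""
    findings = []
    for name, image in services:
        if name.lower() in SERVICE_NAMES:
            findings.append(("service_name", name))
        if DROPPED_PATH.search(image):
            findings.append(("service_image", image))
    for key in registry_keys:
        if any(key.lower().endswith(k) for k in REGISTRY_KEYS):
            findings.append(("registry_key", key))
    for path, content in files:
        if DROPPED_PATH.search(path) or WINDOWS_PATH.search(path):
            findings.append(("file_path", path))
        digest = md5_hex(content)
        if digest in known_md5:
            findings.append(("file_md5", digest))
    return findings


# Constructed inventory: one benign service and registry key among the hits.
SAMPLE_SERVICES = [
    ("mssecsvc2.0", r"C:\Users\Monica\Desktop\mssecsvc.bin -m security"),
    ("hnjrymny834", r"cmd.exe C:\ProgramData\hnjrymny834\tasksche.exe"),
    ("Spooler", r"C:\Windows\System32\spoolsv.exe"),
]
SAMPLE_KEYS = [r"HKCU\Software\WanaCrypt0r", r"HKCU\Software\Microsoft"]
SAMPLE_FILES = [(r"C:\ProgramData\hnjrymny834\tasksche.exe", b"constructed bytes")]

if __name__ == "__main__":
    for kind, value in check_host(SAMPLE_SERVICES, SAMPLE_KEYS, SAMPLE_FILES):
        print(f"{kind}: {value}")
```

The constructed file content does not hash to the published MD5, so on the sample data the hash rule stays silent while the name, path and registry rules fire; on a real host the hash rule is the one that does not depend on the attacker's naming choices.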
Sample Execution Process
When the sample starts executing, it first connects to the hard-coded domain name http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com to test network connectivity. If the connection succeeds, the sample exits; otherwise, it carries out its subsequent behaviors.
During execution the sample checks its command-line parameters. If more than one parameter is present, the sample starts the service named mssecsvc2.0. If no parameter is present, the sample creates a service named mssecsvc2.0 with the image path C:\Users\Monica\Desktop\mssecsvc.bin -m security.
The sample contains multiple resource files and next extracts the resource with the ID 1831.
The sample then creates a new file named tasksche.exe, writes the extracted resource (the ransomware) into it, and creates a process to run this ransomware with /i as the startup parameter.
The ransomware sample also contains multiple resource sections. Through analysis we found that the decompression password embedded in the sample successfully decompresses the compressed resource.
The ransomware sample creates a new service named hnjrymny834 (a random string derived from the computer name), with "cmd.exe" C:\ProgramData\hnjrymny834\tasksche.exe as the startup path.
The sample changes the registry and creates a registry key Software\WanaCrypt0r.
When started as a service, the sample executes its preset main routine, which mainly scans computers on the network. It attacks any computer that is unpatched, speaks SMB with port 445 open, or already hosts the DOUBLEPULSAR backdoor.
First, the sample calculates random IP addresses based on the time and then attempts to connect to these IP addresses.
If an IP address is found available (reachable), the sample exploits the vulnerability by creating a thread to send attack packets to that IP address.
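Two of the behaviors described on this page are visible from the network side without any host access: the lookup of the hard-coded kill-switch domain, and a single host fanning out TCP/445 connection attempts to many unrelated addresses. The following is an added example, not NSFOCUS code: the DNS and flow log formats, the threshold and the time window are assumptions, and the log lines are constructed (the 198.51.100.0/24 addresses are a documentation range).

```python
"""Network-side detection for the WannaCry behaviors described on this page:
(1) a host resolving the hard-coded kill-switch domain, and
(2) a host fanning out TCP/445 connection attempts to many distinct addresses.

Added example, not NSFOCUS code. Log formats, threshold and window are
assumptions; all log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed DNS log, one query per line: "<ISO timestamp> <client IP> <name>"
DNS_LOG = """\
2017-05-12T10:00:01 10.0.0.15 www.example.com
2017-05-12T10:00:02 10.0.0.23 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:00:03 10.0.0.15 update.example.net
"""


def _constructed_flow_log():
    """Flow log, one attempt per line: "<ISO timestamp> <src> <dst> <dst port>"."""
    lines = []
    # Benign: 10.0.0.15 repeatedly talks SMB to one file server.
    for i in range(5):
        lines.append(f"2017-05-12T10:00:{10 + i:02d} 10.0.0.15 10.0.0.5 445")
    # Suspicious: 10.0.0.23 tries 20 distinct addresses on 445 within a minute,
    # matching the random-address scanning described on the page.
    for i in range(20):
        lines.append(f"2017-05-12T10:00:{10 + i:02d} 10.0.0.23 198.51.100.{i + 1} 445")
    lines.append("2017-05-12T10:00:40 10.0.0.15 10.0.0.9 80")
    return "\n".join(lines)


FLOW_LOG = _constructed_flow_log()


def kill_switch_lookups(log_text):
    """Return [(timestamp, client IP)] for every query of the kill-switch name.
    A successful lookup means the sample ran on that client, even though it exits."""
    hits = []
    for line in log_text.splitlines():
        ts, client, name = line.split()
        if name.lower().rstrip(".") == KILL_SWITCH_DOMAIN:
            hits.append((ts, client))
    return hits


def smb_fanout(log_text, threshold=10, window=timedelta(seconds=60)):
    """Return {src IP: distinct 445 destinations} for sources that contacted at
    least `threshold` distinct addresses on port 445 inside any `window`."""
    attempts = defaultdict(list)  # src -> [(datetime, dst)]
    for line in log_text.splitlines():
        ts, src, dst, port = line.split()
        if port != "445":
            continue
        attempts[src].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for src, items in attempts.items():
        items.sort()
        best = 0
        # Sliding window anchored at each attempt; count distinct destinations.
        for t0, _ in items:
            dsts = {d for t, d in items if t0 <= t <= t0 + window}
            best = max(best, len(dsts))
        if best >= threshold:
            alerts[src] = best
    return alerts


if __name__ == "__main__":
    print("kill-switch lookups:", kill_switch_lookups(DNS_LOG))
    print("SMB fan-out sources:", smb_fanout(FLOW_LOG))
```

The fan-out rule keys on distinct destinations rather than connection count, so a workstation hammering one file server does not trip it, while the random-address scanning on the page does; the threshold should be tuned against the normal SMB fan-out of the hosts being monitored.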
The following figure shows the data sent by the sample.
The following figure shows the data received by the sample from the attack target.
If the vulnerability cannot be exploited successfully, the sample checks whether the target contains DOUBLEPULSAR. If so, it uses this backdoor to load a malicious DLL.
The following figure shows the related shellcode.
Currently the linked domain name has been sinkholed, which has prevented the sample from causing additional damage.
Currently, the ransomware has been propagated widely around the world as depicted in the following figure.
For more information about the related attacker, please purchase an in-depth analysis report on this event from NSFOCUS.
- NSFOCUS engineers provide onsite detection services.
- NSFOCUS online cloud detection: You can log in to NSFOCUS Cloud to apply for a trial use of the scanning service.
NSFOCUS Solutions for Removing Trojans
- Short-term service: NSFOCUS engineers provide the onsite trojan backdoor removal service (manual services + NIPS + TAC) to ensure that risk points are immediately eliminated in the network and the event impact is minimized. Afterward, an event analysis report is provided.
- Mid-term service: NSFOCUS provides 3- to 6-month risk monitoring and preventive maintenance inspection (PMI) services (NIPS + TAC + manual services) to eradicate risks and prevent events from recurring.
- Long-term service: NSFOCUS provides risk solutions for the fund industry (threat intelligence, attack source traceback, and professional security services).
NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems.
The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.
For more information about NSFOCUS, please visit: