Analysis Report on the WannaCry Sample

The sample exploits the ETERNALBLUE SMB vulnerability or DOUBLEPULSAR backdoor for propagation and infection of the ransomware. The sample first connects to the domain name, to test network connectivity. If the network is reachable, the sample exits; otherwise, the sample carries out subsequent behaviors. Therefore, a reachable domain name can be registered to stop further attacks.

The ransomware sample contains three Bitcoin wallets provided by the attacker. So far, the total balance of the attacker’s wallets is $13623.024035853401. The following figure shows Bitcon information about the wallet with the ID of 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94.

Sample Analysis

The following figure shows the detection result of TAC.

  • File Structure

The file list is as follows:

File Name MD5 Function
Source file DB349B97C37D22F5EA1D1841E3C89EB4 Infects and spreads the sample and drops the ransomware sample.
tasksche.exe DB349B97C37D22F5EA1D1841E3C89EB4 Indicates the ransomware sample.
  • Main Functions

  • Installing services: This generates the 0 service, exploits the vulnerability, and scans port 445.
  • Encrypting files: This encrypts files of the specified formats.
  • Conducting network behaviors and exploiting vulnerabilities: This launches further attacks against PCs and spreads the infection by exploiting the ETERNALBLUE vulnerability or the DOUBLEPULSAR backdoor.
Function Parameter Description
Infection and propagation Source program l  Creates and starts services.

l  Creates and starts processes for different functions.

Service installation Services created by the source program to start mssecsvc2.0 by running the mssecsvc.bin -m security” command Exploits the vulnerability to spread the ransomware sample.
Ransomware Ransomware C:/WINDOWS/tasksche.exe dropped by the source program. The parameter for starting this ransomware is /i. l  Generates a notification file and ransom file and encrypts the ransomware.

l  Installs the hnjrymny service, which can be started from the following path: C:\ProgramData\hnjrymny834\tasksche.exe.

The following figure shows the sample execution process.

Some functions involved in the process are described as follows:

When the sample starts to execute, it first connects to the hard-coded address of the domain name to test the network connectivity. If the network is reachable, the sample exits; otherwise, the sample carries out subsequent behaviors.

During execution, the sample checks the number of parameters. If more than one parameter is detected, the sample starts the service named mssecsvc2.0. If no parameter is found, the sample creates a service named mssecsvc2.0, with the path of C:\Users\Monica\Desktop\mssecsvc.bin -m security.

The sample contains multiple resource files and subsequently frees the resource file with the ID of 1831.

Then the sample creates a new file named tasksche.exe and writes it to the resource as ransomware. After that, it creates a process to run this ransomware, with /i as the startup parameter.

The ransomware sample also contains multiple resource sections. Through analysis, we find that the decompression password contained in the sample can successfully decompress the compressed file.

The ransomware sample creates a new service named hnjrymny834 (this is a random string calculated with the computer name as the parameter), with “cmd.exe /c “C:\ProgramData\hnjrymny834\tasksche.exe”” as the startup path.

The sample changes the registry and creates a registry key Software\WanaCrypt0r.

  • Network Behaviors

Network behaviors involve scanning and propagation.

When started as a service, the sample executes the preset functional function, which is mainly used for scanning computers on a network. If finding any computers unpatched, using the SMB protocol, and having port 445 opened, or any computers containing the DOUBLEPULSAR backdoor, the sample launches attacks on them.

First, the sample calculates random IP addresses based on the time and then attempts to connect to these IP addresses.

If an IP address is found available (reachable), the sample exploits the vulnerability by creating a thread to send attack packets to that IP address.

The following figure shows the data sent by the sample.

The following figure shows the data received by the sample from the attack target.

If the vulnerability fails to be successfully exploited, the sample checks whether the target contains DOUBLEPULSAR. If yes, it exploits this backdoor to load a malicious DLL. The following figure shows the related shellcode.

Attack Location

So far, the linked domain name has been taken over by Sinkhole, which, to some extent, prevents the sample from causing more damage.

So far, the ransomware has been propagated widely around the world, as shown in the following figure.

For more information about the related attacker, please purchase an in-depth analysis report on this event from NSFOCUS.

  1. Detection Method
    • NSFOCUS Detection Services
  • NSFOCUS engineers provide onsite detection services.
  • NSFOCUS online cloud detection: You can log in to NSFOCUS Cloud to apply for a trial use of the scanning service.
    • NSFOCUS Solutions for Removing Trojans
  • Short-term service: NSFOCUS engineers provide the onsite trojan backdoor removal service (manual services + NIPS + TAC) to ensure that risk points are immediately eliminated in the network and the event impact is minimized. After the handling, an event analysis report is provided.
  • Mid-term service: NSFOCUS provides 3- to 6-month risk monitoring and preventive maintenance inspection (PMI) services (NIPS + TAC + manual services) to eradicate risks and prevent events from recurring.
  • Long-term service: NSFOCUS provides risk solutions for the fund industry (threat intelligence, attack source traceback, and professional security services).
  1. Appendix

The following table lists file formats that can be encrypted:

.doc” .eml” .bak” .mkv” .bat” .otg”
.docx” .edb” .tar” .3gp” .cmd” .odg”
.docb” .vsd” .tgz” .mp4″ .js” .uop”
.docm” .vsdx” .gz” .mov” .asm” .std”
.dot” .txt” .7z” .avi” .h” .sxd”
.dotm” .csv” .rar” .asf” .pas” .otp”
.dotx” .rtf” .zip” .mpeg” .cpp” .odp”
.xls” .123″ .backup” .vob” .c” .wb2″
.xlsx” .wks” .iso” .mpg” .cs” .slk”
.xlsm” .wk1″ .vcd” .wmv” .suo” .dif”
.xlsb” .pdf” .jpeg” .fla” .sln” .stc”
.xlw” .dwg” .jpg” .swf” .ldf” .sxc”
.xlt” .onetoc2″ .bmp” .wav” .mdf” .ots”
.xlm” .snt” .png” .mp3″ .ibd” .ods”
.xlc” .hwp” .gif” .sh” .myi” .3dm”
.xltx” .602″ .raw” .class” .myd” .max”
.xltm” .sxi” .cgm” .jar” .frm” .3ds”
.ppt” .sti” .tif” .java” .odb” .uot”
.pptx” .sldx” .tiff” .rb” .dbf” .stw”
.pptm” .sldm” .nef” .asp” .db” .sxw”
.pot” .sldm” .psd” .php .mdb” .ott”
.pps” .vdi” .ai” .jsp” .accdb” .odt”
.ppsm” .vmdk” .svg” .brd” .sql” .pem”
.ppsx” .vmx” .djvu” .sch” .sqlitedb” .p12″
.ppam” .gpg” .m4u” .dch” .sqlite3″ .csr”
.potx” .aes” .m3u” .dip” .asc” .crt”
.potm” .ARC” .mid” .pl” .lay6″ .key”
.pst” .PAQ” .wma” .vb” .lay” .pfx”
.ost” .bz2″ .flv” .vbs” .mml” .der”
.msg” .tbk” .3g2″ .ps1″ .sxm”

A ransomware sample can be decompressed as follows:


NSFOCUS Information Technology Co., Ltd. (NSFOCUS) was founded in April 2000, headquartered in Beijing. With more than 30 branches and subsidiaries at home and abroad, the company provides most competitive security products and solutions for governments, carriers, and financial, energy, Internet, education, and medical sectors, ensuring customers’ business continuity.

Based on years of research in security assurance, NSFOCUS has set foot in network and terminal security, Internet infrastructure security, and compliance and security management. The company provides the intrusion detection/prevention system, anti-DDoS system, remote security assessment system, and web security protection products as well as professional security services for customers.

NSFOCUS Information Technology Co., Ltd. started trading its shares at China’s Nasdaq-style market, ChiNext, in Shenzhen on January 29, 2014, with the name of NSFOCUS and code of 300369.

For more information, you can join our QQ group at 486207500 or 570982169 or call us at 010-68438880-8669.