The sample exploits the ETERNALBLUE SMB vulnerability or DOUBLEPULSAR backdoor for propagation and infection of the ransomware. The sample first connects to the domain name http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, to test network connectivity. If the network is reachable, the sample exits; otherwise, the sample carries out subsequent behaviors. Therefore, a reachable domain name can be registered to stop further attacks.
The ransomware sample contains three Bitcoin wallets provided by the attacker. So far, the total balance of the attacker’s wallets is $13623.024035853401. The following figure shows Bitcon information about the wallet with the ID of 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94.
The following figure shows the detection result of TAC.
The file list is as follows:
|Source file||DB349B97C37D22F5EA1D1841E3C89EB4||Infects and spreads the sample and drops the ransomware sample.|
|tasksche.exe||DB349B97C37D22F5EA1D1841E3C89EB4||Indicates the ransomware sample.|
- Installing services: This generates the 0 service, exploits the vulnerability, and scans port 445.
- Encrypting files: This encrypts files of the specified formats.
- Conducting network behaviors and exploiting vulnerabilities: This launches further attacks against PCs and spreads the infection by exploiting the ETERNALBLUE vulnerability or the DOUBLEPULSAR backdoor.
|Infection and propagation||Source program||l Creates and starts services.|
l Creates and starts processes for different functions.
|Service installation||Services created by the source program to start mssecsvc2.0 by running the mssecsvc.bin -m security” command||Exploits the vulnerability to spread the ransomware sample.|
|Ransomware||Ransomware C:/WINDOWS/tasksche.exe dropped by the source program. The parameter for starting this ransomware is /i.||l Generates a notification file and ransom file and encrypts the ransomware.|
l Installs the hnjrymny service, which can be started from the following path: C:\ProgramData\hnjrymny834\tasksche.exe.
The following figure shows the sample execution process.
Some functions involved in the process are described as follows:
When the sample starts to execute, it first connects to the hard-coded address of the domain name http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com to test the network connectivity. If the network is reachable, the sample exits; otherwise, the sample carries out subsequent behaviors.
During execution, the sample checks the number of parameters. If more than one parameter is detected, the sample starts the service named mssecsvc2.0. If no parameter is found, the sample creates a service named mssecsvc2.0, with the path of C:\Users\Monica\Desktop\mssecsvc.bin -m security.
The sample contains multiple resource files and subsequently frees the resource file with the ID of 1831.
Then the sample creates a new file named tasksche.exe and writes it to the resource as ransomware. After that, it creates a process to run this ransomware, with /i as the startup parameter.
The ransomware sample also contains multiple resource sections. Through analysis, we find that the decompression password contained in the sample can successfully decompress the compressed file.
The ransomware sample creates a new service named hnjrymny834 (this is a random string calculated with the computer name as the parameter), with “cmd.exe /c “C:\ProgramData\hnjrymny834\tasksche.exe”” as the startup path.
The sample changes the registry and creates a registry key Software\WanaCrypt0r.
Network behaviors involve scanning and propagation.
When started as a service, the sample executes the preset functional function, which is mainly used for scanning computers on a network. If finding any computers unpatched, using the SMB protocol, and having port 445 opened, or any computers containing the DOUBLEPULSAR backdoor, the sample launches attacks on them.
First, the sample calculates random IP addresses based on the time and then attempts to connect to these IP addresses.
If an IP address is found available (reachable), the sample exploits the vulnerability by creating a thread to send attack packets to that IP address.
The following figure shows the data sent by the sample.
The following figure shows the data received by the sample from the attack target.
If the vulnerability fails to be successfully exploited, the sample checks whether the target contains DOUBLEPULSAR. If yes, it exploits this backdoor to load a malicious DLL. The following figure shows the related shellcode.
So far, the linked domain name has been taken over by Sinkhole, which, to some extent, prevents the sample from causing more damage.
So far, the ransomware has been propagated widely around the world, as shown in the following figure.
For more information about the related attacker, please purchase an in-depth analysis report on this event from NSFOCUS.
- NSFOCUS engineers provide onsite detection services.
- NSFOCUS online cloud detection: You can log in to NSFOCUS Cloud to apply for a trial use of the scanning service.
- Short-term service: NSFOCUS engineers provide the onsite trojan backdoor removal service (manual services + NIPS + TAC) to ensure that risk points are immediately eliminated in the network and the event impact is minimized. After the handling, an event analysis report is provided.
- Mid-term service: NSFOCUS provides 3- to 6-month risk monitoring and preventive maintenance inspection (PMI) services (NIPS + TAC + manual services) to eradicate risks and prevent events from recurring.
- Long-term service: NSFOCUS provides risk solutions for the fund industry (threat intelligence, attack source traceback, and professional security services).
The following table lists file formats that can be encrypted:
A ransomware sample can be decompressed as follows:
NSFOCUS Information Technology Co., Ltd. (NSFOCUS) was founded in April 2000, headquartered in Beijing. With more than 30 branches and subsidiaries at home and abroad, the company provides most competitive security products and solutions for governments, carriers, and financial, energy, Internet, education, and medical sectors, ensuring customers’ business continuity.
Based on years of research in security assurance, NSFOCUS has set foot in network and terminal security, Internet infrastructure security, and compliance and security management. The company provides the intrusion detection/prevention system, anti-DDoS system, remote security assessment system, and web security protection products as well as professional security services for customers.
NSFOCUS Information Technology Co., Ltd. started trading its shares at China’s Nasdaq-style market, ChiNext, in Shenzhen on January 29, 2014, with the name of NSFOCUS and code of 300369.
For more information, you can join our QQ group at 486207500 or 570982169 or call us at 010-68438880-8669.