WannaCry (also known as WCry or WanaCryptor) malware is a self-propagating (worm-like) ransomware that spreads through internal networks and over the public internet by exploiting a vulnerability in Microsoft’s Server Message Block (SMB) protocol, MS17-010. The WannaCry malware consists of two distinct components, one that provides ransomware functionality and a component used for propagation, which contains functionality to enable SMB exploitation capabilities.

The malware leverages an exploit, codenamed “EternalBlue”, that was released by the Shadow Brokers on April 14, 2017.

The malware appends encrypted data files with the .WCRY extension, drops and executes a decryptor tool, and demands $300 or $600 USD (via Bitcoin) to decrypt the data.

The malware uses encrypted Tor channels for command and control (C2) communications.

File Characteristics

Table 1: File characteristics

Persistence Mechanism

The malware creates the following two registry run keys to ensure persistence:

• Key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Random>

Value: <Full_path>\tasksche.exe

• Key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Random>

Value: <Full_path>\tasksche.exe

The malware creates the following service to ensure persistence of mssecsvc.exe:

• ServiceName: mssecsvc2.0
• DisplayName: Microsoft Security Center (2.0) Service
• BinaryPath: <path to mssecsvc> -m security

The malware creates the following service to ensure persistence of tasksche.exe

• ServiceName: <8-15lower><3number>
• DisplayName: <Same as Service Name>
• BinaryPath <path to tashsche.exe>

Host-Based Signatures

File System Artifacts

Checksum

• Actual: 0x00018AF7
• Header: 0x00000000

Dropped Files

Loader Files

• Name: tasksche.exe
  Path: C:\WINDOWS\
  Path: <system_drive>\ProgamData\<sys_id>
  Path: <system_drive>\Intel\<sys_id>
  MD5: 84c82835a5d21bbcf75a61706d8ab549
• Name: qeriuwjhrf
  Path: C:\WINDOWS\
• Name: m_bulgarian.wnry
  Path: %CD%\msg\
  MD5: 95673b0f968c0f55b32204361940d184
• Name: m_chinese (simplified).wnry
  Path: %CD%\msg\
  MD5: 0252d45ca21c8e43c9742285c48e91ad
• Name: m_chinese (traditional).wnry
  Path: %CD%\msg\
  MD5: 2efc3690d67cd073a9406a25005f7cea
• Name: m_croatian.wnry
  Path: %CD%\msg\
  MD5: 17194003fa70ce477326ce2f6deeb270
• Name: m_czech.wnry
  Path: %CD%\msg\
  MD5: 537efeecdfa94cc421e58fd82a58ba9e
• Name: m_danish.wnry
  Path: %CD%\msg\
  MD5: 2c5a3b81d5c4715b7bea01033367fcb5
• Name: m_dutch.wnry
  Path: %CD%\msg\
  MD5: 7a8d499407c6a647c03c4471a67eaad7
• Name: m_english.wnry
  Path: %CD%\msg\
  MD5: fe68c2dc0d2419b38f44d83f2fcf232e
• Name: m_filipino.wnry
  Path: %CD%\msg\
  MD5: 08b9e69b57e4c9b966664f8e1c27ab09
• Name: m_finnish.wnry
  Path: %CD%\msg\
  MD5: 35c2f97eea8819b1caebd23fee732d8f
• Name: m_french.wnry
  Path: %CD%\msg\
  MD5: 4e57113a6bf6b88fdd32782a4a381274
• Name: m_german.wnry
  Path: %CD%\msg\
  MD5: 3d59bbb5553fe03a89f817819540f469
• Name: m_greek.wnry
  Path: %CD%\msg\
  MD5: fb4e8718fea95bb7479727fde80cb424
• Name: m_indonesian.wnry
  Path: %CD%\msg\
  MD5: 3788f91c694dfc48e12417ce93356b0f
• Name: m_italian.wnry
  Path: %CD%\msg\
  MD5: 30a200f78498990095b36f574b6e8690
• Name: m_japanese.wnry
  Path: %CD%\msg\
  MD5: b77e1221f7ecd0b5d696cb66cda1609e
• Name: m_korean.wnry
  Path: %CD%\msg\
  MD5: 6735cb43fe44832b061eeb3f5956b099
• Name: m_latvian.wnry
  Path: %CD%\msg\
  MD5: c33afb4ecc04ee1bcc6975bea49abe40
• Name: m_norwegian.wnry
  Path: %CD%\msg\
  MD5: ff70cc7c00951084175d12128ce02399
• Name: m_polish.wnry
  Path: %CD%\msg\
  MD5: e79d7f2833a9c2e2553c7fe04a1b63f4
• Name: m_portuguese.wnry
  Path: %CD%\msg\
  MD5: fa948f7d8dfb21ceddd6794f2d56b44f
• Name: m_romanian.wnry
  Path: %CD%\msg\
  MD5: 313e0ececd24f4fa1504118a11bc7986
• Name: m_russian.wnry
  Path: %CD%\msg\
  MD5: 452615db2336d60af7e2057481e4cab5
• Name: m_slovak.wnry
  Path: %CD%\msg\
  MD5: c911aba4ab1da6c28cf86338ab2ab6cc
• Name: m_spanish.wnry
  Path: %CD%\msg\
  MD5: 8d61648d34cba8ae9d1e2a219019add1
• Name: m_swedish.wnry
  Path: %CD%\msg\
  MD5: c7a19984eb9f37198652eaf2fd1ee25c
• Name: m_turkish.wnry
  Path: %CD%\msg\
  MD5: 531ba6b1a5460fc9446946f91cc8c94b
• Name: m_vietnamese.wnr
  Path: %CD%\msg\
  MD5: 8419be28a0dcec3f55823620922b00fa
• Name: t.wnry
  Path: %CD%
  MD5: 5dcaac857e695a65f5c3ef1441a73a8f
  Description: Encrypted Encryption Tool
• Name: taskdl.exe
  Path: %CD%
  MD5: 4fef5e34143e646dbf9907c4374276f5
  Description: Support tool for removing temporary files
• Name: taskse.exe
  Path: %CD%
  MD5: 8495400f199ac77853c53b5a3f278f3e
  Description: Support tool for launch Decryption Tool
• Name: u.wnry
  Path: %CD%
  MD5: 7bf2b57f2a205768755c07f238fb32cc
  Description: Decryption Tool
• File: b.wnry
  Path: %CD%
  MD5: c17170262312f3be7027bc2ca825bf0c
  Description: Ransom Image (BMP)
• Name: c.wnry
  Path: %CD%
  MD5: ae08f79a0d800b82fcbe1b43cdbdbefc
  Description: Config Data

Encryptor Files

• 00000000.res
• 00000000.pky
• 00000000.eky
• 00000000.dky

Decryptor Files

• c.wnry
• File: taskhsvc.exe
  Path: TaskData\Tor\

The following artifact can be found on remotely exploited systems:

• Name: mssecsvc.exe
  Path: C:\WINDOWS\
  MD5: db349b97c37d22f5ea1d1841e3c89eb4
  Description: Dropper + worm component

Registry Artifacts

• ServiceName: mssecsvc2.0
  DisplayName: Microsoft Security Center (2.0) Service
  BinaryPath: <GetModuleFileName> -m security
• HKLM\Software\WanaCrypt0r\wd
• HKCU\Software\WanaCrypt0r\wd

Exports

• 0x00005AE0 TaskStart

Mutex

• MsWinZonesCacheCounterMutexA

Process Arguments

• icacls . /grant Everyone:F /T /C /Q
• attrib +h +s <Drive_Letter>:\$RECYCLE
• taskkill.exe /f /im Microsoft.Exchange.\*
• taskkill.exe /f /im MSExchange\*
• taskkill.exe /f /im sqlserver.exe
• taskkill.exe /f /im sqlwriter.exe
• taskkill.exe /f /im mysqld.exe
• cmd.exe /c start /b @WanaDecryptor@.exe vs
• cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -q
• -m security
• cmd /c <15 digits>.bat
• cscript.exe //nologo <1 character>.vbs

Network-Based Signatures

DNS

• www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (sinkholed)

Connections

• <random_ip>:445 
• <subnet_ip>:445

WannaCry Analysis

Startup

The malware starts by attempting to connect to the following domain with InternetOpenUrl:

• www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

NOTE: If this succeeds, the malware immediately exits. For a list of observed killswitch domains, see Appendix A.

If the connection fails, however, the malware checks the number of arguments passed to the program. If zero, the malware continues with installation; otherwise it enters service mode.

Note: Network proxies and other enterprise network security features may prevent the malware from contacting its killswitch domain and inadvertently trigger encryption. Organizations may wish to adjust their proxy configurations or other network configurations to avoid this problem.

Service Mode

In service mode, the malware first updates the service config so that failure actions occur if the service exits without entering a SERVICE_STOPPED state. The malware then executes the service function, which registers the service handlers and attempts exploitation of MS17-010 against identified SMB services. This allows remote code execution and enables spreading across the network. This execution is performed in a thread, and the service exits after 24 hours regardless of the status of the thread.

The spreader begins by setting up the Windows socket APIs and generating a RSA crypto context. This crypto context is later used to generate random numbers. The malware then builds two DLLs in memory – they are 32 and 64-bit DLLs that have identical functionality. Each one contains a single export named PlayGame that loads the W resource, writes it to C:\WINDOWS\mssecsvc.exe, and executes it. The W resource in each case has been populated with a copy of the running binary (MD5: db349b97c37d22f5ea1d1841e3c89eb4).

The malware continues by spawning two threads, the first thread enumerates the network adapters and determines which subnets the system is on. The malware then generates a thread for each IP on the subnet. Each of these threads attempts to connect to the IP on port 445 and, if successful, attempts exploitation of the service via a vulnerability described in MS17-010. An example of an attempt to exploit MS17-010 on a remote system can be seen in Figure 1.

One of the unique features of this traffic is an SMB Tree Connect AndX Request containing the following UNICODE string:  

• \\192.168.56.20\IPC$

This packet is hand-crafted and hard-coded into the malware.

The second thread generates random IPs and attempts to connect to them on port 445. If the connection is successful, the malware then attempts to perform the SMB attack on the system. 128 instances of the second thread area created with two seconds separating each thread creations.

Installation

The malware continues by creating a service named mssecsvc2.0 with a binary path pointing to the running module with the arguments "-m security". Once created, the malware starts the service. The malware then locates its R resource and loads it into memory. The malware then writes the R resource data to the file C:\WINDOWS\tasksche.exe. The malware executes C:\WINDOWS\tasksche.exe /i with the CreateProcess API. The malware then attempts to move C:\WINDOWS\tasksche.exe to C:\WINDOWS\qeriuwjhrf, replacing the original file if it exists.

The malware begins by generating a unique identifier based on the computer name. The identifier, <sys_id>, has the form of 8-15 random lowercase characters followed by 3 numbers. The malware then checks to see if it was passed the /i argument.

Run with /i Command

The /i command copies the running binary to <system_drive>\ProgamData\<sys_id>\tasksche.exe if <system_drive>\ProgamData exists, otherwise it will be copied to <system_drive>\Intel\<sys_id>\tasksche.exe. <system_drive>is the drive letter on which Windows was installed (C:\ for C:\Windows). The malware then updates its current directory to the created directory.

The malware then attempts to open the service named <sys_id>. If it does not exist, the malware creates it with a DisplayName of <sys_id> and a BinaryPath of cmd /c <path_to_copied tasksche.exe>. The malware then starts the service. The malware attempts to open the mutex Global\MsWinZonesCacheCounterMutexA0. If the mutex is not created within 60 seconds, the malware re-lauches itself from the new installation directory with no arguments. The malware then waits 60 seconds for the mutex to be created. If the mutex is created in either instance, the initial executable exits. If the mutex fails to be created, the malware continues as if it was run without the /i argument.

Run without /i Command

The malware updates %CD% to the path of the running module and sets HKLM\Software\WanaCrypt0r\wd to %CD%. The malware then loads the XIA resource and decompresses numerous files (see Table 3) to %CD%. The malware then opens %CD%\c.wnry (the configuration data) and loads it into memory. It expects the file to be of size 0x30C. The malware then chooses randomly between the three strings 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94, 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, and 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn; writes it to offset 0xB2 in the configuration file; and writes the updated configuration data back to %CD%\c.wnry.

The malware then sets the hidden attribute for %CD% by executing the following command with CreateProcess:

• attrib +h

The malware then executes the following command – granting all users permissions to %CD% and all of its subdirectories:

• icacls . /grant Everyone:F /T /C /Q

The malware then imports the hard-coded RSA Private key, shown in Figure 2.

The malware then opens and reads %CD%\t.wnry. The first 8 bytes of the file are checked to match the magic value WANACRY!. The file has the following structure:

The encrypted key decrypts to the 128-bit AES key BEE19B98D2E5B12211CE211EECB13DE6. This key can then be used to decrypt the enc_data. The decrypted data is saved as a DLL (MD5: f351e1fcca0c4ea05fc44d15a17f8b36). This DLL is then manually loaded into memory and the TaskStart export is called. The TaskStart export of the decrypted DLL is the encryption component of the ransomware.

XIA Resource Contents

The files shown in Table 2 are extracted from the XIA resource. They are dropped into the %CD% of the running malware.

Table 2: XIA extracted resources

Table 3 shows RTF documents containing the ransom note in various languages.

Table 3: Ransom notes in various languages

Encryption Component

The TaskStart export takes two arguments; the handle to the module and an integer that must be zero. TaskStart first creates a mutex named "MsWinZonesCacheCounterMutexA" and reads the contents of c.wnry from the current directory. If the mutex exists or c.wnry is not present, the malware exits. The malware creates another mutex named "Global\MsWinZonesCacheCounterMutexA0".

The malware then loads and verifies a key from the file 00000000.dky. The malware then attempts to load a key 00000000.pky. If the key does not exist, the malware imports a public RSA key (seen in Figure 3), generates a new 2048-bit RSA key and saves the public key to 00000000.pky. The malware then saves the generated private key to 00000000.eky, encrypted with the embedded public key.

The 00000000.eky starts with the number of bytes in little endian (0x500) followed by the encrypted key.

The malware launches a thread that writes 136 bytes to 00000000.res every 25 seconds. The buffer written includes the current time of the system. If the file 00000000.res does not exist while the malware is initializing, it creates the file. The initial contents begins with eight randomly generated bytes followed by 128 zero bytes.

The malware launches another thread that verifies it can encrypt and decrypt using the keys contained in 00000000.dky and 00000000.pky every 25 seconds. If the decryption is successful, the malware sets a global flag that stops the encryption process.

The malware launches another thread that scans for new drives attached to the system every three seconds. If a new drive is attached to the system and is not identified as a type CDROM drive, the malware begins the encryption process on the new drive. On new drives attached to the system, the malware may create the directory <Drive_letter>:\$RECYCLE and execute the following command:

• attrib +h +s <Drive_Letter>:\$RECYCLE

The malware creates a thread that executes the process taskdl.exe every 30 seconds.

and creates another thread that executes either of the following two binaries (depending on administrator permissions and if the malware is running at system level):

• @WanaDecryptor@.exe
• taskse.exe <Full_Path>\@WanaDecryptor@.exe

A registry key name starting with 8 to 15 characters between 'a' and 'z' followed by three random values between '0' and '9' is then generated by the malware. It may then create the following registry paths with the generated key name:

• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Key>
• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Key>

To create the registry key, the malware executes the following command:

• cmd.exe /c reg add <Registry_Ru_Path> /v "<Random>" /t REG_SZ /d "\"<Full_Path>\tasksche.exe\"" /f

User File Encryption

The malware loads another embedded RSA public key shown in Figure 4.

The malware executes the file @WanaDecryptor@.exe with the argument "fi". This appears to be an initial check-in with the server and the response may contain an updated bitcoin address. The malware updates c.wnry with the current time at offset 0x60.

The malware then copies u.wrny to @WanaDecryptor@.exe and executes the script shown in Figure 5 to create @WanaDecryptor@.exe.lnk. The script is saved to a randomly generated filename based on the current time and a random value using characters from '0' to '9'. Example filename: "188391494652743.bat".

The malware then writes either "$<Value>worth of bitcoin" or "%.<Value> BTC" depending on the configuration – followed by the contents of the file r.wnry to @Please_Read_Me@.txt, which reads as follows:

Q: What's wrong with my files?

A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
    If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
    Let's start decrypting!

Q: What do I do?

A: First, you need to pay service fees for the decryption.
    Please send <Ransom Amount> to this bitcoin address: <Bitcoin_address>

    Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software.
    Run and follow the instructions! (You may need to disable your antivirus for a while.)

Q: How can I trust?

A: Don't worry about decryption.
    We will decrypt your files surely because nobody will trust us if we cheat users.

*   If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.

The malware then targets files on the user's desktop and documents folders. When the malware starts scanning a directory it creates a temporary file with the prefix "~SD", and deletes it if successful.

When selecting which files to encrypt, the malware skips over files with .exe, .dll, and .wncry extensions. The files with the extensions shown in Figure 7 are selected for encryption. Files larger than 209,715,200 bytes may also be encrypted.

The malware may ignore folders with the following names:

• \\
• $\
• Intel
• ProgramData
• WINDOWS
• Program Files
• Program Files (x86)
• AppData\Local\Temp
• Local Settings\Temp
• Temporary Internet Files
• Content.IE5

The malware will also compare folder names with the following string, and avoid encryption if identified:

• " This folder protects against ransomware. Modifying it will reduce protection"

Note: The string contains a leading whitespace. This particular check is likely included for testing/development purposes.

When a directory contains a file that will be encrypted, the malware copies @Please_Read_Me@.txt and @WanaDecryptor@.exe to the directory. It verifies that the first eight bytes do not contain the string WANACRY! and performs additional checks on the header to verify the file is not already encrypted.

The files are encrypted with a randomly generated 128-bit AES key in CBC mode with a NULL initialization vector. The key is generated per file, is encrypted with the generated RSA public key, and included in the encrypted file header. Each file encrypted by the malware starts with the string WANACRY! and has the WNCRY extension. Depending on the file properties, the malware may also stage files in a WNCRYT extension.

Table 4 shows the file format of encrypted files.

Table 4: Encrypted file format

When encrypting the AES key with RSA, the malware may use the embedded RSA key or a key randomly generated. If the file f.wnry does not exist during initilazation, the malware generates a random number if the file size is less than 209,715,200 bytes. If the number is a multiple of 100, the malware uses the embedded RSA key to encrypt the AES key. A maximum of ten files can be encrypted with this key. When an AES key is encrypted with this RSA key, the malware writes the file path to the file f.wnry. If the random number is not a multiple of 100 or the file f.wnry already exists on the system, the malware will encrypt the AES key with the randomly generated RSA key.

Once the malware completes encrypting the desktop and documents folders, it executes the following commands:

• taskkill.exe /f /im Microsoft.Exchange.\*
• taskkill.exe /f /im MSExchange\*
• taskkill.exe /f /im sqlserver.exe
• taskkill.exe /f /im sqlwriter.exe
• taskkill.exe /f /im mysqld.exe

The malware then encrypts files found on logical drives attached to the system that are not type DRIVE_CDROM.

The malware may execute the command:

• @WanaDecryptor@.exe co

The malware executes the command:

• cmd.exe /c start /b @WanaDecryptor@.exe vs

The malware will copy b.wnry to @WanaDecryptor@.bmp and place it in each user’s desktop folder, as well as a copy of @WanaDecryptor@.exe.

Decryptor Component

The malware communicates with an Onion server using a Tor server running on local host TCP port 9050. The malware registers the system with the Onion server, transferring encryption keys and deleting volume shadows. Once the ransom is paid, the malware obtains the decrypted RSA private key from the Onion server and decrypts ransomed files.

It first attempts to read the contents of the registry path HKLM\Software\WanaCrypt0r\wd. If this fails, the malware attempts to read the contents from a similar registry path within the HKCU registry hive. If one of the registry paths exists, the malware sets the current directory to value read from the registry.

The malware attempts to open c.wnry from the current directory and read 780 bytes if it exists. If the file does not exist, the file is created with the contents shown in Figure 8.

The value at offset 0x6c (0x59140342) in c.wnry is the timestamp the file was created. The remaining values are hardcoded within the binary.

Accepted Commands

The decryptor component accepts the command line arguments shown in Table 5.

Table 5: Accepted commands

fi Argument

The malware reads 136 bytes from the file "00000000.res" in the current path. If the file does not exist the malware exits. The malware reads two URLs from c.wnry at offsets 0x242 and 0x1DE.

The first URL at offset 0x1DE in c.wnry is:

• https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip

The alternate URL at offset 0x242 is not configured.

The malware then binds a TCP socket to the localhost (127.0.0.1) and connects to port 9050 on the localhost.

The malware then checks if the path "TaskData\Tor\taskhsvc.exe" exists. If the file does not exist it is extracted from the archive s.wnry. If s.wnry does not exist, the malware downloads the first URL in the configuration – and if this fails it attempts the second.

When downloading from a URL, the downloaded file is first saved to a filename generated with GetTempFileNameA with a "t" prefix within the TaskData folder. The downloaded file is a Zip archive that is extracted to the "TaskData" folder.

Once extracted, the malware copies "TaskData\Tor\tor.exe" to "TaskData\Tor\taskhsvc.exe" and executes it.

The malware parses the string obtained at offset 0xE4 in the configuration file c.wnry for Onion servers to connect to. The Onion servers listed in the configuration file are as follows:

• gx7ekbenv2riucmf.onion
• 57g7spgrzlojinas.onion
• xxlvbrloxvriy2c5.onion
• 76jdd2ir2embyv47.onion
• cwwnhwhlz52maqm7.onion

The malware sends the first eight bytes of the file 00000000.res, the host name, user name and the string "+++" to the Onion server. The command and control protocol appears to be custom and XOR encoded with a randomly generated buffer.

The response from the server is added to c.wnry if the string is 30 to 50 characters in length. The following is an example message sent to the server:

• <8 bytes from 00000000.res><Host name>\x00<Unknown Byte><User name>\x00+++

co Argument

This argument the malware scans for file names in the format <8_Uppercase_Hex>.res. The file the malware is likely looking for is 00000000.res that is created by the encryption DLL.  The malware then generates a C2 message containing four values (Table 6) obtained from the ".res" file in the following format:

• --- <Time0> <Time1> <Unknown_int0> <Unknown_long> <Index>

Note: In the aforementioned example, the values are separated with a TAB character.

Table 6: C2 message values

Figure 9 shows an example of a message.

After sending the message, the malware exits.

vs Argument

The malware sleeps for 10 seconds and then executes the following command using CreateProcess or RunAs (depending on group membership):

• cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -q

No Argument

The malware copies b.wnry from the current directory to the desktop with the filename @WanaDecryptor@.bmp. The desktop wallpaper is then set to the path of the bitmap and the dialog shown in Figure 6 is then displayed.

When the user clicks on the "Contact us" link, the malware sends the message to the Onion server using the following format:

• <8 bytes from 00000000.res><Host name>\x00<Unknown Byte><User name>\x00***<Tab><Message contents>

Depending on the response from the server, the malware may display a message box with one of the following values:

1. Your message has been sent successfully!
2. Failed to send your message!
   Please make sure that your computer is connected to the Internet and
   your Internet Service Provider (ISP) does not block connections to the TOR Network!
3. You are sending too many mails! Please try again <Integer value> minutes later.

When the user clicks on "Check Payment". The malware first check if the file 00000000.dky is present on the system. If the file is present, it attempts to verify the key by encrypting a file with the key obtained from 00000000.pky and decrypting it with the key obtained from 00000000.dky.

If the file is not present, the malware sends the contents of 00000000.eky to the Onion server. The response from the server is saved to 00000000.dky. If the key cannot be validated, the malware displays a message box with the contents:

You did not pay or we did not confirmed your payment!
Pay now if you didn't and check again after 2 hours.
Best time to check: 9:00am - 11:00am GMT from Monday to Friday.

When the decrypt button is clicked without the ransom being paid, the malware decrypts the files listed in f.wnry. The files listed in f.wnry are those randomly selected to be encrypted with the embedded public key. This process is covered in the Encryption component section above.

Unique Strings

mssecsvc.exe

(MD5: db349b97c37d22f5ea1d1841e3c89eb4)

• SMBr
• PC NETWORK PROGRAM 1.0
• LANMAN1.0
• Windows for Workgroups 3.1a
• LM1.2X002
• LANMAN2.1
• NT LM 0.12
• SMBs
• Windows 2000 2195
• Windows 2000 5.0
• SMBu
• __USERID__PLACEHOLDER__@
• \\172.16.99.5\IPC$
• __TREEID__PLACEHOLDER__
• __USERID__PLACEHOLDER__@
• SMB3
• __TREEID__PLACEHOLDER__
• __USERID__PLACEHOLDER__@
• \t
• h6agLCqPqVyXi2VSQ8O6Yb9ijBX54jY6KM+sz33NmS6TK8XlOk920s0E0aajOV++wrR92ds1FOLBO+evLPj4sIvAjLvaLdgk8+BlNZs8PMa9bQ33+0hNXMjbyjXwB40Q4KiDbip/d7N0CmRT1gLy+n2Rp/EYO5Fkapa4Y4kqDhPvLuOfGUvjN4BNdBk23r0/8cbGhUqHrML0az1LCeE3BqKLCL3gP10fExyMnFGtbq3rBd+5eKxSXYVD4fBKtFYI47YYbjYxxF76O9LNZEpPP9SiCEo9qRYLDcYzGu81JRU7/PJA1t1skDj8abBEOqAOXimo54/eZzGmLJ92xLwDIl8rHuZsUywgeZH/tSPXYQi0Pswy57TYZ/0/P7qyy18UVuiwGaf989u6seK2ER1R+aoJtvES8V0Zsx6slbdWrGxe4P62uwFxXStC/+qpCauvw/qpZvZo9wb458ezftwsbuOUYNlMWgBno/C5cT5tZZvDw9cBmHGcaVuvs+JAbsWoEsUaZd3R3Mn/1c1xYAumA/0VVaASNuohaU+8CmGSpny9/6ngCdejX4X//JeRJeLSP1f2AtrbAR8jSk5UgNllJcWnf+EM/Gyz
• h5DH0RqsyNfEbXNTxRzla1zNfWz0bB4fqzrdNNfNXvtTv9FWqyXCEHLhOz9p7JXzJBBUd0OR9rg8DFXIyNXMHCfeX5v/YjDkYmaBrFWuOKpwLyotORDEi1GMahE7btGFTN2IMgml2b9wZvqSuc7aAciGNkl7+NgmkG9r323QqSJrjCgp+DJ9URAkHRp/sBsr1o2YKlVmsY6mPAOnlmaEwFLrPTm5WIYnd0yOc3abTlt6R1RfwenXgqn5K1K6Uq5o7T+KblzWV1TXo0zTIBD/CwnKbkITPd7GkK+fG//5Oj2ESIrNTwBRdIGzDYcK1VTlSYl0RMsMMZvWqZAhNBs9xfpyBgzAn+5NpIUwKnm6HS2UbNab6SQIQF53r0+Rx8w7xZkOEayDuGvPQ32Y7zfHtj911mdZeLmlXULTazhCdl+lYNd6aoUthPLUew6ng+vSLSxqF1N7+/bFkcWd5vuCPigEKxEg+X3d+JviOJaI9GJ2HWIT8ehFzv6JP7ymkH0XaHYKLPxR8Htcc2E35+8q074yiBdThfaOMI18K65supem5lEgTe2lQdQurhhNhgbmYPpmWsSerB8R4CiDHQg6B1xxN9lpUnCWCn37Ib9vdQ2V90almoOJi/+5PD+F/rT0hmgD1lUoqZ9KfEAB/D3JVZFHKCPtFO1LWNuXu9DHS0cChPvbPTNgL1fuz3hWniAOjJxyXhilxEmUKoCuaHrjL7/mCwA8mUTF8nZfDOYFw/Rqr70SWFUVy18
• SMB3
• __TREEID__PLACEHOLDER__
• __USERID__PLACEHOLDER__@
• userid
• treeid
• __TREEPATH_REPLACE__
• \\%s\IPC$
• Microsoft Base Cryptographic Provider v1.0
• %d.%d.%d.%d
• mssecsvc2.0
• Microsoft Security Center (2.0) Service
• %s -m security
• C:\%s\qeriuwjhrf
• C:\%s\%s
• WINDOWS
• tasksche.exe
• CloseHandle
• WriteFile
• CreateFileA
• CreateProcessA
• 32.dll
• http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

tasksche.exe

(MD5: 84c82835a5d21bbcf75a61706d8ab549)

• .der .pfx .key .crt .csr .p12 .pem .odt .ott .sxw .stw .uot .3ds .max .3dm .ods .ots .sxc .stc .dif .slk .wb2 .odp .otp .sxd .std .uop .odg .otg .sxm .mml .lay .lay6 .asc .sqlite3 .sqlitedb .sql .accdb .mdb .db .dbf .odb .frm .myd .myi .ibd .mdf .ldf .sln .suo .cs .c .cpp .pas .h .asm .js .cmd .bat .ps1 .vbs .vb .pl .dip .dch .sch .brd .jsp .php .asp .rb .java .jar .class .sh .mp3 .wav .swf .fla .wmv .mpg .vob .mpeg .asf .avi .mov .mp4 .3gp .mkv .3g2 .flv .wma .mid .m3u .m4u .djvu .svg .ai .psd .nef .tiff .tif .cgm .raw .gif .png .bmp .jpg .jpeg .vcd .iso .backup .zip .rar .7z .gz .tgz .tar .bak .tbk .bz2 .PAQ .ARC .aes .gpg .vmx .vmdk .vdi .sldm .sldx .sti .sxi .602 .hwp .snt .onetoc2 .dwg .pdf .wk1 .wks .123 .rtf .csv .txt .vsdx .vsd .edb .eml .msg .ost .pst .potm .potx .ppam .ppsx .ppsm .pps .pot .pptm .pptx .ppt .xltm .xltx .xlc .xlm .xlt .xlw .xlsb .xlsm .xlsx .xls .dotx .dotm .dot .docm .docb .docx .doc
• WANACRY!
• %s\\%s
• %s\\Intel
• %s\\ProgramData
• cmd.exe /c \"%s\"
• XIA
• 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
• 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
• 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
• %s%d
• Global\\MsWinZonesCacheCounterMutexA
• tasksche.exe
• TaskStart
• t.wnry
• icacls . /grant Everyone:F /T /C /Q
• attrib +h .
• WNcry@2ol7

Encryptor

(MD5: f351e1fcca0c4ea05fc44d15a17f8b36)

• kgptbeilcq
• TaskStart
• c.wnry
• %s
• del /a %%0
• %d%d.bat
• ConvertSidToStringSidW
• advapi32.dll
• SYSTEM
• S-1-5-18
• EVERYONE
• %s\%d%s
• .WNCRYT
• WANACRY!
• .WNCRY
• .WNCYR
• \\
• @WanaDecryptor@.bmp
• @WanaDecryptor@.exe.lnk
• @Please_Read_Me@.txt
• %s\%s
• ..
• %s\*
• .dll
• .exe
• ~SD
• @WanaDecryptor@.exe
• Content.IE5
• Temporary Internet Files
• This folder protects against ransomware. Modifying it will reduce protection
• \Local Settings\Temp
• \AppData\Local\Temp
• \Program Files (x86)
• \Program Files
• \WINDOWS
• \ProgramData
• \Intel
• $\
• TESTDATA
• %08X.dky
• Global\MsWinZonesCacheCounterMutexA
• Global\MsWinZonesCacheCounterMutexW
• cmd.exe /c reg add %s /v "%s" /t REG_SZ /d "\"%s\"" /f
• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• %s %s
• taskse.exe
• @WanaDecryptor@.exe
• tasksche.exe
• %s\%s\%s
• %s\*.*
• @WanaDecryptor@.exe.lnk
• @echo off
• echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs
• echo SET om = ow.CreateShortcut("%s%s")>> m.vbs
• echo om.TargetPath = "%s%s">> m.vbs
• echo om.Save>> m.vbs
• cscript.exe //nologo m.vbs
• del m.vbs
• u.wnry
• %.1f BTC
• $%d worth of bitcoin
• wb
• r.wnry
• b.wnry
• attrib +h +s %C:\%s
• $RECYCLE
• %C:\%s
• $RECYCLE
• %s\hibsys%s
• taskdl.exe
• f.wnry
• cmd.exe /c start /b %s vs
• %s co
• taskkill.exe /f /im mysqld.exe
• taskkill.exe /f /im sqlwriter.exe
• taskkill.exe /f /im sqlserver.exe
• taskkill.exe /f /im MSExchange*
• taskkill.exe /f /im Microsoft.Exchange.*
• %s fi
• %08X.eky
• %08X.pky
• %08X.res

Decryptor

(MD5: 7bf2b57f2a205768755c07f238fb32cc)

• Connecting to server...
• s.wnry
• %08X.eky
• %08X.res
• 00000000.res
• %08X.dky
• %08X.pky
• Connected
• Sent request
• Succeed
• Received response
• Congratulations! Your payment has been checked!
• Start decrypting now!
• Failed to check your payment!
• Please make sure that your computer is connected to the Internet and
• your Internet Service Provider (ISP) does not block connections to the TOR Network!
• You did not pay or we did not confirmed your payment!
• Pay now if you didn't and check again after 2 hours.
• Best time to check: 9:00am - 11:00am GMT from Monday to Friday.
• You have a new message:
• c.wnry
• runas
• WanaCrypt0r
• Software\
• %04d-%02d-%02d %02d:%02d:%02d
• WANACRY!
• .org
• .WNCYR
• .WNCRY
• @WanaDecryptor@.bmp
• @WanaDecryptor@.exe.lnk
• @Please_Read_Me@.txt
• %s\%s
• ..
• %s\*
• Content.IE5
• Temporary Internet Files
• This folder protects against ransomware. Modifying it will reduce protection
• \Local Settings\Temp
• ppData\Local\Temp
• \Program Files (x86)
• \Program Files
• \WINDOWS
• \ProgramData
• \Intel
• Please select a host to decrypt.
• All your files have been decrypted!
• Pay now, if you want to decrypt ALL your files!
• f.wnry
• My Computer
• *.res
• open
• mailto:
• Wana Decrypt0r 2.0
• %s %s
• cmd.exe
• /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
• 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
• English
• m_%s.wnry
• msg\
• <https://
• <http://
• %d/%d/%d %02d:%02d:%02d
• 00;00;00;00
• http://www.btcfrog.com/qr/bitcoinPNG.php?address=%s
• mailto:%s
• https://www.google.com/search?q=how+to+buy+bitcoin
• https://en.wikipedia.org/wiki/Bitcoin
• Send %.1f BTC to this address:
• %.1f BTC
• Send $%d worth of bitcoin to this address:
• %02d;%02d;%02d;%02d
• b.wnry
• ---    %s    %s    %d    %I64d    %d
• Failed to send your message!
• Please make sure that your computer is connected to the Internet and
• your Internet Service Provider (ISP) does not block connections to the TOR Network!
• Your message has been sent successfully!
• You are sending too many mails! Please try again %d minutes later.
• Too short message!
• %d%%
• %s\%s
• tor.exe
• %s\%s\%s
• TaskData
• taskhsvc.exe
• 127.0.0.1

Appendix A

Observed Killswitch Domains

The following table contains observed killswitch domains and their associated sample hash.

Appendix B

Yara Rules

FireEye has developed the following Yara rules for WannaCry detection: