{
	"id": "1a6e324d-2a68-4811-8f3a-7a2f6e471312",
	"created_at": "2026-04-06T00:11:18.792416Z",
	"updated_at": "2026-04-10T03:26:53.169402Z",
	"deleted_at": null,
	"sha1_hash": "9c005f694e8038d2a71a373bb23be0fa85cb8410",
	"title": "WannaCry Malware Profile | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 774348,
	"plain_text": "WannaCry Malware Profile | Mandiant\r\nBy Mandiant\r\nPublished: 2017-05-23 · Archived: 2026-04-05 14:17:26 UTC\r\nWritten by: Alex Berry, Josh Homan, Randi Eitzman\r\nWannaCry (also known as WCry or WanaCryptor) malware is a self-propagating (worm-like) ransomware that spreads\r\nthrough internal networks and over the public internet by exploiting a vulnerability in Microsoft’s Server Message Block\r\n(SMB) protocol, MS17-010. The WannaCry malware consists of two distinct components, one that provides ransomware\r\nfunctionality and a component used for propagation, which contains functionality to enable SMB exploitation capabilities.\r\nThe malware leverages an exploit, codenamed “EternalBlue”, that was released by the Shadow Brokers on April 14, 2017.\r\nThe malware appends encrypted data files with the .WCRY extension, drops and executes a decryptor tool, and demands\r\n$300 or $600 USD (via Bitcoin) to decrypt the data.\r\nThe malware uses encrypted Tor channels for command and control (C2) communications.\r\nFile Characteristics\r\nFilename MD5 Hash Size (bytes) Compile Time Description Filetype\r\nmssecsvc.exe db349b97c37d22f5ea1d1841e3c89eb4 3723264 2010-11-20T09:03:08Z Loader + Worm Component EXE\r\ntasksche.exe 84c82835a5d21bbcf75a61706d8ab549 3514368 2010-11-20T09:05:05Z Loader EXE\r\nUnavailable f351e1fcca0c4ea05fc44d15a17f8b36 65536 2009-07-14 01:12:55Z Encryptor DLL\r\n@WanaDecryptor@.exe 7bf2b57f2a205768755c07f238fb32cc 245760 2009-07-13 23:19:35Z Decryptor EXE\r\nTable 1: File characteristics\r\nPersistence Mechanism\r\nThe malware creates the following two registry run keys to ensure persistence:\r\nKey: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\u003cRandom\u003e\r\nValue: \u003cFull_path\u003e\\tasksche.exe\r\nKey: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\u003cRandom\u003e\r\nValue: \u003cFull_path\u003e\\tasksche.exe\r\nThe malware\r\n
creates the following service to ensure persistence of mssecsvc.exe:\r\nServiceName: mssecsvc2.0\r\nDisplayName: Microsoft Security Center (2.0) Service\r\nBinaryPath: \u003cpath to mssecsvc\u003e -m security\r\nThe malware creates the following service to ensure persistence of tasksche.exe:\r\nServiceName: \u003c8-15lower\u003e\u003c3number\u003e\r\nDisplayName: \u003cSame as Service Name\u003e\r\nBinaryPath: \u003cpath to tasksche.exe\u003e\r\nHost-Based Signatures\r\nFile System Artifacts\r\nChecksum\r\nActual: 0x00018AF7\r\nHeader: 0x00000000\r\nhttps://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html\r\nPage 1 of 22\n\nDropped Files\r\nLoader Files\r\nName: tasksche.exe\r\nPath: C:\\WINDOWS\\\r\nPath: \u003csystem_drive\u003e\\ProgramData\\\u003csys_id\u003e\r\nPath: \u003csystem_drive\u003e\\Intel\\\u003csys_id\u003e\r\nMD5: 84c82835a5d21bbcf75a61706d8ab549\r\nName: qeriuwjhrf\r\nPath: C:\\WINDOWS\\\r\nName: m_bulgarian.wnry\r\nPath: %CD%\\msg\\\r\nMD5: 95673b0f968c0f55b32204361940d184\r\nName: m_chinese (simplified).wnry\r\nPath: %CD%\\msg\\\r\nMD5: 0252d45ca21c8e43c9742285c48e91ad\r\nName: m_chinese (traditional).wnry\r\nPath: %CD%\\msg\\\r\nMD5: 2efc3690d67cd073a9406a25005f7cea\r\nName: m_croatian.wnry\r\nPath: %CD%\\msg\\\r\nMD5: 17194003fa70ce477326ce2f6deeb270\r\nName: m_czech.wnry\r\nPath: %CD%\\msg\\\r\nMD5: 537efeecdfa94cc421e58fd82a58ba9e\r\nName: m_danish.wnry\r\nPath: %CD%\\msg\\\r\nMD5: 2c5a3b81d5c4715b7bea01033367fcb5\r\nName: m_dutch.wnry\r\nPath: %CD%\\msg\\\r\nMD5: 7a8d499407c6a647c03c4471a67eaad7\r\nName: m_english.wnry\r\nPath: %CD%\\msg\\\r\nMD5: fe68c2dc0d2419b38f44d83f2fcf232e\r\nName: m_filipino.wnry\r\nPath: %CD%\\msg\\\r\nMD5: 08b9e69b57e4c9b966664f8e1c27ab09\r\nName: m_finnish.wnry\r\nPath: %CD%\\msg\\\r\nMD5: 35c2f97eea8819b1caebd23fee732d8f\r\nName: m_french.wnry\r\nPath: %CD%\\msg\\\r\nMD5: 4e57113a6bf6b88fdd32782a4a381274\r\nName: m_german.wnry\r\nPath: %CD%\\msg\\\r\nMD5: 
3d59bbb5553fe03a89f817819540f469\r\nName: m_greek.wnry\r\nPath: %CD%\\msg\\\r\nMD5: fb4e8718fea95bb7479727fde80cb424\r\nName: m_indonesian.wnry\r\nPath: %CD%\\msg\\\r\nMD5: 3788f91c694dfc48e12417ce93356b0f\r\nName: m_italian.wnry\r\nPath: %CD%\\msg\\\r\nMD5: 30a200f78498990095b36f574b6e8690\r\nName: m_japanese.wnry\r\nPath: %CD%\\msg\\\r\nMD5: b77e1221f7ecd0b5d696cb66cda1609e\r\nName: m_korean.wnry\r\nPath: %CD%\\msg\\\r\nMD5: 6735cb43fe44832b061eeb3f5956b099\r\nName: m_latvian.wnry\r\nPath: %CD%\\msg\\\r\nMD5: c33afb4ecc04ee1bcc6975bea49abe40\r\nName: m_norwegian.wnry\r\nPath: %CD%\\msg\\\r\nMD5: ff70cc7c00951084175d12128ce02399\r\nName: m_polish.wnry\r\nPath: %CD%\\msg\\\r\nMD5: e79d7f2833a9c2e2553c7fe04a1b63f4\r\nName: m_portuguese.wnry\r\nPath: %CD%\\msg\\\r\nMD5: fa948f7d8dfb21ceddd6794f2d56b44f\r\nName: m_romanian.wnry\r\nPath: %CD%\\msg\\\r\nMD5: 313e0ececd24f4fa1504118a11bc7986\r\nName: m_russian.wnry\r\nPath: %CD%\\msg\\\r\nMD5: 452615db2336d60af7e2057481e4cab5\r\nName: m_slovak.wnry\r\nPath: %CD%\\msg\\\r\nMD5: c911aba4ab1da6c28cf86338ab2ab6cc\r\nName: m_spanish.wnry\r\nPath: %CD%\\msg\\\r\nMD5: 8d61648d34cba8ae9d1e2a219019add1\r\nName: m_swedish.wnry\r\nPath: %CD%\\msg\\\r\nMD5: c7a19984eb9f37198652eaf2fd1ee25c\r\nName: m_turkish.wnry\r\nPath: %CD%\\msg\\\r\nMD5: 531ba6b1a5460fc9446946f91cc8c94b\r\nName: m_vietnamese.wnry\r\nPath: %CD%\\msg\\\r\nMD5: 8419be28a0dcec3f55823620922b00fa\r\nName: t.wnry\r\nPath: %CD%\r\nMD5: 5dcaac857e695a65f5c3ef1441a73a8f\r\nDescription: Encrypted Encryption Tool\r\nName: taskdl.exe\r\nPath: %CD%\r\nMD5: 4fef5e34143e646dbf9907c4374276f5\r\nDescription: Support tool for removing temporary files\r\nName: taskse.exe\r\nPath: %CD%\r\nMD5: 8495400f199ac77853c53b5a3f278f3e\r\nDescription: Support tool for launching the Decryption Tool\r\nName: u.wnry\r\nPath: %CD%\r\nMD5: 7bf2b57f2a205768755c07f238fb32cc\r\nDescription: Decryption 
Tool\r\nName: b.wnry\r\nPath: %CD%\r\nMD5: c17170262312f3be7027bc2ca825bf0c\r\nDescription: Ransom Image (BMP)\r\nName: c.wnry\r\nPath: %CD%\r\nMD5: ae08f79a0d800b82fcbe1b43cdbdbefc\r\nDescription: Config Data\r\nEncryptor Files\r\n00000000.res\r\n00000000.pky\r\n00000000.eky\r\n00000000.dky\r\nDecryptor Files\r\nc.wnry\r\nName: taskhsvc.exe\r\nPath: TaskData\\Tor\\\r\nThe following artifact can be found on remotely exploited systems:\r\nName: mssecsvc.exe\r\nPath: C:\\WINDOWS\\\r\nMD5: db349b97c37d22f5ea1d1841e3c89eb4\r\nDescription: Dropper + worm component\r\nRegistry Artifacts\r\nServiceName: mssecsvc2.0\r\nDisplayName: Microsoft Security Center (2.0) Service\r\nBinaryPath: \u003cGetModuleFileName\u003e -m security\r\nHKLM\\Software\\WanaCrypt0r\\wd\r\nHKCU\\Software\\WanaCrypt0r\\wd\r\nExports\r\n0x00005AE0 TaskStart\r\nMutex\r\nMsWinZonesCacheCounterMutexA\r\nProcess Arguments\r\nicacls . 
/grant Everyone:F /T /C /Q\r\nattrib +h +s \u003cDrive_Letter\u003e:\\$RECYCLE\r\ntaskkill.exe /f /im Microsoft.Exchange.\\*\r\ntaskkill.exe /f /im MSExchange\\*\r\ntaskkill.exe /f /im sqlserver.exe\r\ntaskkill.exe /f /im sqlwriter.exe\r\ntaskkill.exe /f /im mysqld.exe\r\ncmd.exe /c start /b @WanaDecryptor@.exe vs\r\ncmd.exe /c vssadmin delete shadows /all /quiet \u0026 wmic shadowcopy delete \u0026 bcdedit /set {default} bootstatuspolicy\r\nignoreallfailures \u0026 bcdedit /set {default} recoveryenabled no \u0026 wbadmin delete catalog -q\r\n-m security\r\ncmd /c \u003c15 digits\u003e.bat\r\ncscript.exe //nologo \u003c1 character\u003e.vbs\r\nNetwork-Based Signatures\r\nDNS\r\nwww.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (sinkholed)\r\nConnections\r\n\u003crandom_ip\u003e:445\r\n\u003csubnet_ip\u003e:445\r\nWannaCry Analysis\r\nStartup\r\nThe malware starts by attempting to connect to the following domain with InternetOpenUrl:\r\nwww.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\r\nNOTE: If this succeeds, the malware immediately exits. For a list of observed killswitch domains, see Appendix A.\r\nIf the connection fails, however, the malware checks the number of arguments passed to the program. If zero, the malware\r\ncontinues with installation; otherwise it enters service mode.\r\nNote: Network proxies and other enterprise network security features may prevent the malware from contacting its\r\nkillswitch domain and inadvertently trigger encryption. Organizations may wish to adjust their proxy configurations or other\r\nnetwork configurations to avoid this problem.\r\nService Mode\r\nIn service mode, the malware first updates the service config so that failure actions occur if the service exits without\r\nentering a SERVICE_STOPPED state.\r\n
The malware then executes the service function, which registers the service handlers\r\nand attempts exploitation of MS17-010 against identified SMB services. This allows remote code execution and enables\r\nspreading across the network. This execution is performed in a thread, and the service exits after 24 hours regardless of the\r\nstatus of the thread.\r\nThe spreader begins by setting up the Windows socket APIs and generating an RSA crypto context. This crypto context is\r\nlater used to generate random numbers. The malware then builds two DLLs in memory, a 32-bit and a 64-bit DLL with\r\nidentical functionality. Each one contains a single export named PlayGame that loads the W resource, writes it to\r\nC:\\WINDOWS\\mssecsvc.exe, and executes it. The W resource in each case has been populated with a copy of the running\r\nbinary (MD5: db349b97c37d22f5ea1d1841e3c89eb4).\r\nThe malware continues by spawning two threads. The first thread enumerates the network adapters and determines which\r\nsubnets the system is on. The malware then generates a thread for each IP on the subnet. Each of these threads attempts to\r\nconnect to the IP on port 445 and, if successful, attempts exploitation of the service via a vulnerability described in\r\nMS17-010. An example of an attempt to exploit MS17-010 on a remote system can be seen in Figure 1.\r\nFigure 1: WannaCry network traffic attempting SMB exploit\r\nOne of the unique features of this traffic is an SMB Tree Connect AndX Request containing the following UNICODE string:\r\n\\\\192.168.56.20\\IPC$\r\nThis packet is hand-crafted and hard-coded into the malware.\r\nThe second thread generates random IPs and attempts to connect to them on port 445. If the connection is successful, the\r\nmalware then attempts to perform the SMB attack on the system.\r\n
128 instances of the second thread are created, with two\r\nseconds separating each thread creation.\r\nInstallation\r\nThe malware continues by creating a service named mssecsvc2.0 with a binary path pointing to the running module with the\r\narguments \"-m security\". Once created, the malware starts the service. The malware then locates its R resource and loads it\r\ninto memory. The malware then writes the R resource data to the file C:\\WINDOWS\\tasksche.exe. The malware executes\r\nC:\\WINDOWS\\tasksche.exe /i with the CreateProcess API. The malware then attempts to move C:\\WINDOWS\\tasksche.exe\r\nto C:\\WINDOWS\\qeriuwjhrf, replacing the original file if it exists.\r\nOnce started, tasksche.exe begins by generating a unique identifier based on the computer name. The identifier, \u003csys_id\u003e, has the form of\r\n8-15 random lowercase characters followed by 3 numbers. The malware then checks to see if it was passed the /i argument.\r\nRun with /i Command\r\nThe /i command copies the running binary to \u003csystem_drive\u003e\\ProgramData\\\u003csys_id\u003e\\tasksche.exe if\r\n\u003csystem_drive\u003e\\ProgramData exists, otherwise it will be copied to \u003csystem_drive\u003e\\Intel\\\u003csys_id\u003e\\tasksche.exe.\r\n\u003csystem_drive\u003e is the drive letter on which Windows was installed (C:\\ for C:\\Windows). The malware then updates its\r\ncurrent directory to the created directory.\r\nThe malware then attempts to open the service named \u003csys_id\u003e. If it does not exist, the malware creates it with a\r\nDisplayName of \u003csys_id\u003e and a BinaryPath of cmd /c \u003cpath_to_copied tasksche.exe\u003e. The malware then starts the service.\r\nThe malware attempts to open the mutex Global\\MsWinZonesCacheCounterMutexA0. If the mutex is not created within 60\r\nseconds, the malware re-launches itself from the new installation directory with no arguments.\r\n
The malware then waits 60\r\nseconds for the mutex to be created. If the mutex is created in either instance, the initial executable exits. If the mutex fails\r\nto be created, the malware continues as if it had been run without the /i argument.\r\nRun without /i Command\r\nThe malware updates %CD% to the path of the running module and sets HKLM\\Software\\WanaCrypt0r\\wd to %CD%. The\r\nmalware then loads the XIA resource and decompresses numerous files (see Table 3) to %CD%. The malware then opens\r\n%CD%\\c.wnry (the configuration data) and loads it into memory. It expects the file to be of size 0x30C. The malware then\r\nchooses randomly between the three strings 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94,\r\n12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw, and 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn; writes it to offset 0xB2 in\r\nthe configuration file; and writes the updated configuration data back to %CD%\\c.wnry.\r\nThe malware then sets the hidden attribute for %CD% by executing the following command with CreateProcess:\r\nattrib +h\r\nThe malware then executes the following command, granting all users permissions to %CD% and all of its subdirectories:\r\nicacls . /grant Everyone:F /T /C /Q\r\nThe malware then imports the hard-coded RSA Private key, shown in Figure 2.\r\nFigure 2: Imported private key\r\nThe malware then opens and reads %CD%\\t.wnry. The first 8 bytes of the file are checked to match the magic value\r\nWANACRY!. The file has the following structure:\r\nThe encrypted key decrypts to the 128-bit AES key BEE19B98D2E5B12211CE211EECB13DE6. This key can then be used\r\nto decrypt the enc_data. The decrypted data is saved as a DLL (MD5: f351e1fcca0c4ea05fc44d15a17f8b36). This DLL is\r\nthen manually loaded into memory and the TaskStart export is called.\r\n
The TaskStart export of the decrypted DLL is the\r\nencryption component of the ransomware.\r\nXIA Resource Contents\r\nThe files shown in Table 2 are extracted from the XIA resource. They are dropped into the %CD% of the running malware.\r\nFilename MD5 Hash Description\r\nr.wnry 3e0020fc529b1c2a061016dd2469ba96 Text ransom note\r\ns.wnry ad4c9de7c8c40813f200ba1c2fa33083 Zip file containing Tor files\r\nt.wnry 5dcaac857e695a65f5c3ef1441a73a8f Encrypted encryption tool\r\ntaskdl.exe 4fef5e34143e646dbf9907c4374276f5 *.WNCRYT file deletion tool\r\ntaskse.exe 8495400f199ac77853c53b5a3f278f3e Utility used to launch decryption tool\r\nu.wnry 7bf2b57f2a205768755c07f238fb32cc Decryption tool\r\nb.wnry c17170262312f3be7027bc2ca825bf0c Ransom image (BMP)\r\nc.wnry ae08f79a0d800b82fcbe1b43cdbdbefc Configuration data\r\nTable 2: XIA extracted resources\r\nTable 3 shows RTF documents containing the ransom note in various languages.\r\nFilename MD5 Hash\r\nm_bulgarian.wnry 95673b0f968c0f55b32204361940d184\r\nm_chinese (simplified).wnry 0252d45ca21c8e43c9742285c48e91ad\r\nm_chinese (traditional).wnry 2efc3690d67cd073a9406a25005f7cea\r\nm_croatian.wnry 17194003fa70ce477326ce2f6deeb270\r\nm_czech.wnry 537efeecdfa94cc421e58fd82a58ba9e\r\nm_danish.wnry 2c5a3b81d5c4715b7bea01033367fcb5\r\nm_dutch.wnry 7a8d499407c6a647c03c4471a67eaad7\r\nm_english.wnry fe68c2dc0d2419b38f44d83f2fcf232e\r\nm_filipino.wnry 08b9e69b57e4c9b966664f8e1c27ab09\r\nm_finnish.wnry 35c2f97eea8819b1caebd23fee732d8f\r\nm_french.wnry 4e57113a6bf6b88fdd32782a4a381274\r\nhttps://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html\r\nPage 7 of 22\n\nm_german.wnry 3d59bbb5553fe03a89f817819540f469\r\nm_greek.wnry fb4e8718fea95bb7479727fde80cb424\r\nm_indonesian.wnry 3788f91c694dfc48e12417ce93356b0f\r\nm_italian.wnry 30a200f78498990095b36f574b6e8690\r\nm_japanese.wnry b77e1221f7ecd0b5d696cb66cda1609e\r\nm_korean.wnry 6735cb43fe44832b061eeb3f5956b099\r\nm_latvian.wnry 
c33afb4ecc04ee1bcc6975bea49abe40\r\nm_norwegian.wnry ff70cc7c00951084175d12128ce02399\r\nm_polish.wnry e79d7f2833a9c2e2553c7fe04a1b63f4\r\nm_portuguese.wnry fa948f7d8dfb21ceddd6794f2d56b44f\r\nm_romanian.wnry 313e0ececd24f4fa1504118a11bc7986\r\nm_russian.wnry 452615db2336d60af7e2057481e4cab5\r\nm_slovak.wnry c911aba4ab1da6c28cf86338ab2ab6cc\r\nm_spanish.wnry 8d61648d34cba8ae9d1e2a219019add1\r\nm_swedish.wnry c7a19984eb9f37198652eaf2fd1ee25c\r\nm_turkish.wnry 531ba6b1a5460fc9446946f91cc8c94b\r\nm_vietnamese.wnry 8419be28a0dcec3f55823620922b00fa\r\nTable 3: Ransom notes in various languages\r\nEncryption Component\r\nThe TaskStart export takes two arguments: the handle to the module and an integer that must be zero. TaskStart first creates\r\na mutex named \"MsWinZonesCacheCounterMutexA\" and reads the contents of c.wnry from the current directory. If the\r\nmutex exists or c.wnry is not present, the malware exits. The malware creates another mutex named\r\n\"Global\\MsWinZonesCacheCounterMutexA0\".\r\nThe malware then loads and verifies a key from the file 00000000.dky. The malware then attempts to load a key\r\n00000000.pky. If the key does not exist, the malware imports a public RSA key (seen in Figure 3), generates a new 2048-bit\r\nRSA key and saves the public key to 00000000.pky. The malware then saves the generated private key to 00000000.eky,\r\nencrypted with the embedded public key.\r\nThe 00000000.eky starts with the number of bytes in little endian (0x500) followed by the encrypted key.\r\nThe malware launches a thread that writes 136 bytes to 00000000.res every 25 seconds. The buffer written includes the\r\ncurrent time of the system. If the file 00000000.res does not exist while the malware is initializing, it creates the file.\r\n
The\r\ninitial contents begin with eight randomly generated bytes followed by 128 zero bytes.\r\nThe malware launches another thread that verifies it can encrypt and decrypt using the keys contained in 00000000.dky and\r\n00000000.pky every 25 seconds. If the decryption is successful, the malware sets a global flag that stops the encryption\r\nprocess.\r\nThe malware launches another thread that scans for new drives attached to the system every three seconds. If a new drive is\r\nattached to the system and is not identified as a type CDROM drive, the malware begins the encryption process on the new\r\ndrive. On new drives attached to the system, the malware may create the directory \u003cDrive_letter\u003e:\\$RECYCLE and execute\r\nthe following command:\r\nattrib +h +s \u003cDrive_Letter\u003e:\\$RECYCLE\r\nThe malware creates a thread that executes the process taskdl.exe every 30 seconds,\r\nand creates another thread that executes either of the following two binaries (depending on administrator permissions and if\r\nthe malware is running at system level):\r\n@WanaDecryptor@.exe\r\ntaskse.exe \u003cFull_Path\u003e\\@WanaDecryptor@.exe\r\nA registry key name starting with 8 to 15 characters between 'a' and 'z' followed by three random values between '0' and '9' is\r\nthen generated by the malware. It may then create the following registry paths with the generated key name:\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\u003cKey\u003e\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\\u003cKey\u003e\r\nTo create the registry key, the malware executes the following command:\r\ncmd.exe /c reg add \u003cRegistry_Run_Path\u003e /v \"\u003cRandom\u003e\" /t REG_SZ /d \"\\\"\u003cFull_Path\u003e\\tasksche.exe\\\"\" /f\r\nUser File Encryption\r\nThe malware loads another embedded RSA public key shown in Figure 4.\r\nFigure 4: Additional embedded RSA public key\r\nThe malware executes the file @WanaDecryptor@.exe with the argument \"fi\".\r\n
This appears to be an initial check-in with the\r\nserver and the response may contain an updated bitcoin address. The malware updates c.wnry with the current time at offset\r\n0x60.\r\nThe malware then copies u.wnry to @WanaDecryptor@.exe and executes the script shown in Figure 5 to create\r\n@WanaDecryptor@.exe.lnk. The script is saved to a randomly generated filename based on the current time and a random\r\nvalue using characters from '0' to '9'. Example filename: \"188391494652743.bat\".\r\nFigure 5: WannaCry internal script for moving and deleting files\r\nThe malware then writes either \"$\u003cValue\u003eworth of bitcoin\" or \"%.\u003cValue\u003e BTC\" depending on the configuration, followed\r\nby the contents of the file r.wnry to @Please_Read_Me@.txt, which reads as follows:\r\nQ: What's wrong with my files?\r\nA: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are\r\ndecrypted.\r\nIf you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!\r\nLet's start decrypting!\r\nQ: What do I do?\r\nA: First, you need to pay service fees for the decryption.\r\nPlease send \u003cRansom Amount\u003e to this bitcoin address: \u003cBitcoin_address\u003e\r\nNext, please find an application file named \"@WanaDecryptor@.exe\". It is the decrypt software.\r\n  Run and follow the instructions! (You may need to disable your antivirus for a while.)\r\nQ: How can I trust?\r\nA: Don't worry about decryption.
\r\nWe will decrypt your files surely because nobody will trust us if we cheat users.\r\n*   If you need our assistance, send a message by clicking \u003cContact Us\u003e on the decryptor window.\r\nFigure 6: Encryption warning displayed to user\r\nThe malware then targets files on the user's desktop and documents folders. When the malware starts scanning a directory it\r\ncreates a temporary file with the prefix \"~SD\", and deletes it if successful.\r\nWhen selecting which files to encrypt, the malware skips over files with .exe, .dll, and .wncry extensions. The files with the\r\nextensions shown in Figure 7 are selected for encryption. Files larger than 209,715,200 bytes may also be encrypted.\r\nFigure 7: Files targeted for encryption\r\nThe malware may ignore folders with the following names:\r\n\\\\\r\n$\\\r\nIntel\r\nProgramData\r\nWINDOWS\r\nProgram Files\r\nProgram Files (x86)\r\nAppData\\Local\\Temp\r\nLocal Settings\\Temp\r\nTemporary Internet Files\r\nContent.IE5\r\nThe malware will also compare folder names with the following string, and avoid encryption if identified:\r\n\" This folder protects against ransomware. Modifying it will reduce protection\"\r\nNote: The string contains a leading whitespace. This particular check is likely included for testing/development purposes.\r\nWhen a directory contains a file that will be encrypted, the malware\r\ncopies @Please_Read_Me@.txt and @WanaDecryptor@.exe to the directory. It verifies that the first eight bytes do not\r\ncontain the string WANACRY! and performs additional checks on the header to verify the file is not already encrypted.\r\nThe files are encrypted with a randomly generated 128-bit AES key in CBC mode with a NULL initialization vector.\r\n
The\r\nkey is generated per file, is encrypted with the generated RSA public key, and is included in the encrypted file header. Each file\r\nencrypted by the malware starts with the string WANACRY! and has the WNCRY extension. Depending on the file properties,\r\nthe malware may also stage files with a WNCRYT extension.\r\nTable 4 shows the file format of encrypted files.\r\nOffset Value\r\n0x0000 WANACRY!\r\n0x0008 Length of RSA encrypted data\r\n0x000C RSA encrypted AES file encryption key\r\n0x010C File type internal to WannaCry\r\n0x0110 Original file size\r\n0x0118 Encrypted file contents (AES-128 CBC)\r\nTable 4: Encrypted file format\r\nWhen encrypting the AES key with RSA, the malware may use the embedded RSA key or a randomly generated key. If the\r\nfile f.wnry does not exist during initialization, the malware generates a random number if the file size is less than\r\n209,715,200 bytes. If the number is a multiple of 100, the malware uses the embedded RSA key to encrypt the AES key. A\r\nmaximum of ten files can be encrypted with this key. When an AES key is encrypted with this RSA key, the malware writes\r\nthe file path to the file f.wnry.\r\n
If the random number is not a multiple of 100 or the file f.wnry already exists on the system,\r\nthe malware will encrypt the AES key with the randomly generated RSA key.\r\nOnce the malware completes encrypting the desktop and documents folders, it executes the following commands:\r\ntaskkill.exe /f /im Microsoft.Exchange.\\*\r\ntaskkill.exe /f /im MSExchange\\*\r\ntaskkill.exe /f /im sqlserver.exe\r\ntaskkill.exe /f /im sqlwriter.exe\r\ntaskkill.exe /f /im mysqld.exe\r\nThe malware then encrypts files found on logical drives attached to the system that are not type DRIVE_CDROM.\r\nThe malware may execute the command:\r\n@WanaDecryptor@.exe co\r\nThe malware executes the command:\r\ncmd.exe /c start /b @WanaDecryptor@.exe vs\r\nThe malware will copy b.wnry to @WanaDecryptor@.bmp and place it in each user’s desktop folder, as well as a copy\r\nof @WanaDecryptor@.exe.\r\nDecryptor Component\r\nThe malware communicates with an Onion server using a Tor server running on local host TCP port 9050. The malware\r\nregisters the system with the Onion server, transferring encryption keys and deleting volume shadows. Once the ransom is\r\npaid, the malware obtains the decrypted RSA private key from the Onion server and decrypts ransomed files.\r\nIt first attempts to read the contents of the registry path HKLM\\Software\\WanaCrypt0r\\wd. If this fails, the malware\r\nattempts to read the contents from a similar registry path within the HKCU registry hive. If one of the registry paths exists,\r\nthe malware sets the current directory to the value read from the registry.\r\nThe malware attempts to open c.wnry from the current directory and read 780 bytes if it exists. If the file does not exist, the\r\nfile is created with the contents shown in Figure 8.\r\nFigure 8: Contents of c.wnry\r\nThe value at offset 0x6c (0x59140342) in c.wnry is the timestamp the file was created.\r\n
The remaining values are hardcoded\r\nwithin the binary.\r\nAccepted Commands\r\nThe decryptor component accepts the command line arguments shown in Table 5.\r\nArgument Description\r\nfi\r\nConnects to an Onion server sending details from the system including the host name, user name and\r\neight bytes from 00000000.res. The response may include a Bitcoin address that is updated in c.wnry.\r\nco Appears to be an initial check-in with the ransom server without displaying the ransom interface.\r\nvs Deletes volume shadow copies using the vssadmin utility.\r\nTable 5: Accepted commands\r\nfi Argument\r\nThe malware reads 136 bytes from the file \"00000000.res\" in the current path. If the file does not exist the malware exits.\r\nThe malware reads two URLs from c.wnry at offsets 0x242 and 0x1DE.\r\nThe first URL at offset 0x1DE in c.wnry is:\r\nhttps://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip\r\nThe alternate URL at offset 0x242 is not configured.\r\nThe malware then binds a TCP socket to the localhost (127.0.0.1) and connects to port 9050 on the localhost.\r\nThe malware then checks if the path \"TaskData\\Tor\\taskhsvc.exe\" exists. If the file does not exist it is extracted from the\r\narchive s.wnry. If s.wnry does not exist, the malware downloads the first URL in the configuration – and if this fails it\r\nattempts the second.\r\nhttps://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html\r\nPage 13 of 22\n\nWhen downloading from a URL, the downloaded file is first saved to a filename generated with GetTempFileNameA with a\r\n\"t\" prefix within the TaskData folder. The downloaded file is a Zip archive that is extracted to the \"TaskData\" folder.\r\nOnce extracted, the malware copies \"TaskData\\Tor\\tor.exe\" to \"TaskData\\Tor\\taskhsvc.exe\" and executes it.\r\nThe malware parses the string obtained at offset 0xE4 in the configuration file c.wnry for Onion servers to connect to. 
The\r\nOnion servers listed in the configuration file are as follows:\r\ngx7ekbenv2riucmf.onion\r\n57g7spgrzlojinas.onion\r\nxxlvbrloxvriy2c5.onion\r\n76jdd2ir2embyv47.onion\r\ncwwnhwhlz52maqm7.onion\r\nThe malware sends the first eight bytes of the file 00000000.res, the host name, user name and the string \"+++\" to the Onion\r\nserver. The command and control protocol appears to be custom and XOR encoded with a randomly generated buffer.\r\nThe response from the server is added to c.wnry if the string is 30 to 50 characters in length. The following is an example\r\nmessage sent to the server:\r\n\u003c8 bytes from 00000000.res\u003e\u003cHost name\u003e\\x00\u003cUnknown Byte\u003e\u003cUser name\u003e\\x00+++\r\nco Argument\r\nWith this argument, the malware scans for file names in the format \u003c8_Uppercase_Hex\u003e.res. The file the malware is likely\r\nlooking for is 00000000.res, which is created by the encryption DLL. The malware then generates a C2 message containing\r\nfour values (Table 6) obtained from the \".res\" file in the following format:\r\n--- \u003cTime0\u003e \u003cTime1\u003e \u003cUnknown_int0\u003e \u003cUnknown_long\u003e \u003cIndex\u003e\r\nNote: In the aforementioned example, the values are separated with a TAB character.\r\nValue Description\r\n--- Hard-coded string likely intended to identify the command\r\nTime0 Time value obtained from offset 0x60\r\nTime1 Time value obtained from offset 0x78\r\nUnknown int0 Integer obtained from offset 0x7C\r\nUnknown long 64-bit Integer obtained from offset 0x80\r\nIndex Count of the current file when scanning for files in the format \u003c8_Uppercase_Hex\u003e.res\r\nTable 6: C2 message values\r\nFigure 9 shows an example of a message.\r\nFigure 9: Sample C2 message\r\nAfter sending the message, the malware exits.\r\nvs Argument\r\nThe malware sleeps for 10 seconds and then executes the following 
command using CreateProcess or RunAs (depending on\r\ngroup membership):\r\ncmd.exe /c vssadmin delete shadows /all /quiet \u0026 wmic shadowcopy delete \u0026 bcdedit /set {default} bootstatuspolicy\r\nignoreallfailures \u0026 bcdedit /set {default} recoveryenabled no \u0026 wbadmin delete catalog -q\r\nNo Argument\r\nThe malware copies b.wnry from the current directory to the desktop with the filename @WanaDecryptor@.bmp. The\r\ndesktop wallpaper is then set to the path of the bitmap and the dialog shown in Figure 6 is then displayed.\r\nWhen the user clicks on the \"Contact us\" link, the malware sends the message to the Onion server using the following\r\nformat:\r\n\u003c8 bytes from 00000000.res\u003e\u003cHost name\u003e\\x00\u003cUnknown Byte\u003e\u003cUser name\u003e\\x00***\u003cTab\u003e\u003cMessage contents\u003e\r\nDepending on the response from the server, the malware may display a message box with one of the following values:\r\n1. Your message has been sent successfully!\r\n2. Failed to send your message!\r\nPlease make sure that your computer is connected to the Internet and\r\nyour Internet Service Provider (ISP) does not block connections to the TOR Network!\r\n3. You are sending too many mails! Please try again \u003cInteger value\u003e minutes later.\r\nWhen the user clicks on \"Check Payment\", the malware first checks whether the file 00000000.dky is present on the system. If the\r\nfile is present, it attempts to verify the key by encrypting a file with the key obtained from 00000000.pky and decrypting it\r\nwith the key obtained from 00000000.dky.\r\nIf the file is not present, the malware sends the contents of 00000000.eky to the Onion server. The response from the server\r\nis saved to 00000000.dky.\r\n
If the key cannot be validated, the malware displays a message box with the contents:\r\nYou did not pay or we did not confirmed your payment!\r\nPay now if you didn't and check again after 2 hours.\r\nBest time to check: 9:00am - 11:00am GMT from Monday to Friday.\r\nWhen the decrypt button is clicked without the ransom being paid, the malware decrypts the files listed in f.wnry. The files\r\nlisted in f.wnry are those randomly selected to be encrypted with the embedded public key. This process is covered in the\r\nEncryption component section above.\r\nUnique Strings\r\nmssecsvc.exe\r\n(MD5: db349b97c37d22f5ea1d1841e3c89eb4)\r\nSMBr\r\nPC NETWORK PROGRAM 1.0\r\nLANMAN1.0\r\nWindows for Workgroups 3.1a\r\nLM1.2X002\r\nLANMAN2.1\r\nNT LM 0.12\r\nSMBs\r\nWindows 2000 2195\r\nWindows 2000 5.0\r\nSMBu\r\n__USERID__PLACEHOLDER__@\r\n\\\\172.16.99.5\\IPC$\r\n__TREEID__PLACEHOLDER__\r\n__USERID__PLACEHOLDER__@\r\nSMB3\r\n__TREEID__PLACEHOLDER__\r\n__USERID__PLACEHOLDER__@\r\n\\t\r\nh6agLCqPqVyXi2VSQ8O6Yb9ijBX54jY6KM+sz33NmS6TK8XlOk920s0E0aajOV++wrR92ds1FOLBO+evLPj4sIvAjLvaLdgk8+BlNZs8PMa9b\r\nh5DH0RqsyNfEbXNTxRzla1zNfWz0bB4fqzrdNNfNXvtTv9FWqyXCEHLhOz9p7JXzJBBUd0OR9rg8DFXIyNXMHCfeX5v/YjDkYmaBrFWuO\r\nSMB3\r\n__TREEID__PLACEHOLDER__\r\n__USERID__PLACEHOLDER__@\r\nuserid\r\ntreeid\r\n__TREEPATH_REPLACE__\r\n\\\\%s\\IPC$\r\nMicrosoft Base Cryptographic Provider v1.0\r\n%d.%d.%d.%d\r\nmssecsvc2.0\r\nMicrosoft Security Center (2.0) Service\r\n%s -m security\r\nC:\\%s\\qeriuwjhrf\r\nC:\\%s\\%s\r\nWINDOWS\r\ntasksche.exe\r\nCloseHandle\r\nWriteFile\r\nCreateFileA\r\nCreateProcessA\r\n32.dll\r\nhttp://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com\r\ntasksche.exe\r\n(MD5: 84c82835a5d21bbcf75a61706d8ab549)\r\n.der .pfx .key .crt .csr .p12 .pem .odt .ott .sxw .stw .uot .3ds .max .3dm .ods .ots .sxc .stc .dif .slk .wb2 .odp .otp .sxd\r\n.std .uop .odg .otg .sxm .mml .lay .lay6\r\n
.asc .sqlite3 .sqlitedb .sql .accdb .mdb .db .dbf .odb .frm .myd .myi .ibd .mdf\r\n.ldf .sln .suo .cs .c .cpp .pas .h .asm .js .cmd .bat .ps1 .vbs .vb .pl .dip .dch .sch .brd .jsp .php .asp .rb .java .jar .class\r\n.sh .mp3 .wav .swf .fla .wmv .mpg .vob .mpeg .asf .avi .mov .mp4 .3gp .mkv .3g2 .flv .wma .mid .m3u .m4u .djvu\r\n.svg .ai .psd .nef .tiff .tif .cgm .raw .gif .png .bmp .jpg .jpeg .vcd .iso .backup .zip .rar .7z .gz .tgz .tar .bak .tbk .bz2\r\n.PAQ .ARC .aes .gpg .vmx .vmdk .vdi .sldm .sldx .sti .sxi .602 .hwp .snt .onetoc2 .dwg .pdf .wk1 .wks .123 .rtf .csv\r\n.txt .vsdx .vsd .edb .eml .msg .ost .pst .potm .potx .ppam .ppsx .ppsm .pps .pot .pptm .pptx .ppt .xltm .xltx .xlc .xlm\r\n.xlt .xlw .xlsb .xlsm .xlsx .xls .dotx .dotm .dot .docm .docb .docx .doc\r\nWANACRY!\r\n%s\\\\%s\r\n%s\\\\Intel\r\n%s\\\\ProgramData\r\ncmd.exe /c \\\"%s\\\"\r\nXIA\r\n115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn\r\n12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw\r\n13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94\r\n%s%d\r\nGlobal\\\\MsWinZonesCacheCounterMutexA\r\ntasksche.exe\r\nTaskStart\r\nt.wnry\r\nicacls . /grant Everyone:F /T /C /Q\r\nattrib +h .\r\nWNcry@2ol7\r\nEncryptor\r\n(MD5: f351e1fcca0c4ea05fc44d15a17f8b36)\r\nkgptbeilcq\r\nTaskStart\r\nc.wnry\r\n%s\r\ndel /a %%0\r\n%d%d.bat\r\nConvertSidToStringSidW\r\nadvapi32.dll\r\nSYSTEM\r\nS-1-5-18\r\nEVERYONE\r\n%s\\%d%s\r\n.WNCRYT\r\nWANACRY!\r\n.WNCRY\r\n.WNCYR\r\n\\\\\r\n@WanaDecryptor@.bmp\r\n@WanaDecryptor@.exe.lnk\r\n@Please_Read_Me@.txt\r\n%s\\%s\r\n..\r\n%s\\*\r\n.dll\r\n.exe\r\n~SD\r\n@WanaDecryptor@.exe\r\nContent.IE5\r\nTemporary Internet Files\r\nThis folder protects against ransomware. Modifying it will reduce protection\r\n\\Local Settings\\Temp\r\n\\AppData\\Local\\Temp\r\n\\Program Files (x86)\r\n\\Program Files\r\n\\WINDOWS\r\n\\ProgramData\r\n\\Intel\r\n$\\\r\nTESTDATA\r\n%08X.dky\r\nGlobal\\MsWinZonesCacheCounterMutexA\r\nGlobal\\MsWinZonesCacheCounterMutexW\r\ncmd.exe /c reg add %s /v \"%s\" /t REG_SZ /d \"\\\"%s\\\"\" /f\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\n%s %s\r\ntaskse.exe\r\n@WanaDecryptor@.exe\r\ntasksche.exe\r\n%s\\%s\\%s\r\n%s\\*.*\r\n@WanaDecryptor@.exe.lnk\r\n@echo off\r\necho SET ow = WScript.CreateObject(\"WScript.Shell\")\u003e m.vbs\r\necho SET om = ow.CreateShortcut(\"%s%s\")\u003e\u003e m.vbs\r\necho om.TargetPath = \"%s%s\"\u003e\u003e m.vbs\r\necho om.Save\u003e\u003e m.vbs\r\ncscript.exe //nologo m.vbs\r\ndel m.vbs\r\nu.wnry\r\n%.1f BTC\r\n$%d worth of bitcoin\r\nwb\r\nr.wnry\r\nb.wnry\r\nattrib +h +s %C:\\%s\r\n$RECYCLE\r\n%C:\\%s\r\n$RECYCLE\r\n%s\\hibsys%s\r\ntaskdl.exe\r\nf.wnry\r\ncmd.exe /c start /b %s vs\r\n%s co\r\ntaskkill.exe /f /im mysqld.exe\r\ntaskkill.exe /f /im sqlwriter.exe\r\ntaskkill.exe /f /im sqlserver.exe\r\ntaskkill.exe /f /im MSExchange*\r\ntaskkill.exe /f /im Microsoft.Exchange.*\r\n%s fi\r\n%08X.eky\r\n%08X.pky\r\n%08X.res\r\nDecryptor\r\n(MD5: 7bf2b57f2a205768755c07f238fb32cc)\r\nConnecting to server...\r\ns.wnry\r\n%08X.eky\r\n%08X.res\r\n00000000.res\r\n%08X.dky\r\n%08X.pky\r\nConnected\r\nSent request\r\nSucceed\r\nReceived response\r\nCongratulations! Your payment has been checked!\r\nStart decrypting now!\r\nFailed to check your payment!\r\nPlease make sure that your computer is connected to the Internet and\r\nyour Internet Service Provider (ISP) does not block connections to the TOR Network!\r\nYou did not pay or we did not confirmed your payment!\r\nPay now if you didn't and check again after 2 hours.\r\nBest time to check: 9:00am - 11:00am GMT from Monday to Friday.\r\nYou have a new message:\r\nc.wnry\r\nrunas\r\nWanaCrypt0r\r\nSoftware\\\r\n%04d-%02d-%02d %02d:%02d:%02d\r\nWANACRY!\r\n.org\r\n.WNCYR\r\n.WNCRY\r\n@WanaDecryptor@.bmp\r\n@WanaDecryptor@.exe.lnk\r\n@Please_Read_Me@.txt\r\n%s\\%s\r\n..\r\n%s\\*\r\nContent.IE5\r\nTemporary Internet Files\r\nThis folder protects against ransomware. Modifying it will reduce protection\r\n\\Local Settings\\Temp\r\nppData\\Local\\Temp\r\n\\Program Files (x86)\r\n\\Program Files\r\n\\WINDOWS\r\n\\ProgramData\r\n\\Intel\r\nPlease select a host to decrypt.\r\nAll your files have been decrypted!\r\nPay now, if you want to decrypt ALL your files!\r\nf.wnry\r\nMy Computer\r\n*.res\r\nopen\r\nmailto:\r\nWana Decrypt0r 2.0\r\n%s %s\r\ncmd.exe\r\n/c vssadmin delete shadows /all /quiet \u0026 wmic shadowcopy delete \u0026 bcdedit /set {default} bootstatuspolicy\r\nignoreallfailures \u0026 bcdedit /set {default} recoveryenabled no \u0026 wbadmin delete catalog -quiet\r\n13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94\r\nEnglish\r\nm_%s.wnry\r\nmsg\\\r\n\u003chttps://\r\n\u003chttp://\r\n%d/%d/%d %02d:%02d:%02d\r\n00;00;00;00\r\nhttp://www.btcfrog.com/qr/bitcoinPNG.php?address=%s\r\nmailto:%s\r\nhttps://www.google.com/search?q=how+to+buy+bitcoin\r\nhttps://en.wikipedia.org/wiki/Bitcoin\r\nSend %.1f BTC to this address:\r\n%.1f BTC\r\nSend $%d worth of bitcoin to this address:\r\n%02d;%02d;%02d;%02d\r\nb.wnry\r\n---    %s    %s    %d    %I64d    %d\r\nFailed to send your message!\r\nPlease make sure that your computer is connected to the Internet and\r\nyour Internet Service Provider (ISP) does not block connections to the TOR Network!\r\nYour message has been sent successfully!\r\nYou are sending too many mails! Please try again %d minutes later.\r\nToo short message!\r\n%d%%\r\n%s\\%s\r\ntor.exe\r\n%s\\%s\\%s\r\nTaskData\r\ntaskhsvc.exe\r\n127.0.0.1\r\nAppendix A\r\nObserved Killswitch Domains\r\nThe following table contains observed killswitch domains and their associated sample hash.\r\nDomain | Associated Sample MD5 Hash\r\niuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com | c2559b51cfd37bdbd5fdb978061c6c16\r\nayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com | a44964a7be94072cdfe085bc43e7dc95 (this domain matches the format of\r\nWannaCry-associated domains but has not yet been clearly linked to a specific sample; organizations may wish to maintain\r\nawareness of it in the event that it is associated with WannaCry activity)\r\nifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com | 80ce983d22c6213f35867053bec1c293\r\niuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com | db349b97c37d22f5ea1d1841e3c89eb4\r\niuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.test | 96dff36b5275c67e35097d77a120d0d4\r\nBecause the worm component stops spreading when it can reach its killswitch domain, these domains should be allowed to\r\nresolve (or be sinkholed) rather than blocked outright; a DNS query for one of them from an internal host is itself evidence\r\nthat the propagation component executed there.\r\nAppendix B\r\nYara Rules\r\nFireEye has developed the following Yara rules for WannaCry detection:\r\nrule FE_RANSOMWARE_WANNACRY {\r\n    meta:\r\n        version = \".4\"\r\n        filetype = \"PE\"\r\n        author = \"Ian.Ahl@fireeye.com @TekDefense\"\r\n        date = \"2017-05-12\"\r\n        description = \"Generic detection for most WannaCry variants\"\r\n    strings:\r\n        // Bitcoin URLs\r\n        $bcURL1 = \"http://www.btcfrog.com/qr/bitcoinPNG.php?address=%\" ascii wide nocase\r\n        $bcURL2 = \"https://www.google.com/search?q=how+to+buy+bitcoin\" ascii wide nocase\r\n        // Ransom Message\r\n        $msg1 = \"Congratulations! Succeed to check your payment!\" ascii wide\r\n        $msg2 = \"Start decrypting now!\" ascii wide\r\n        $msg3 = \"All your files have been decrypted!\" ascii wide\r\n        $msg4 = \"Pay now, if you want to decrypt ALL your files!\" ascii wide\r\n        $msg5 = \"Send $%d worth of bitcoin to this address:\" ascii wide\r\n        $msg6 = \"Ooops, your files have been encrypted!\" ascii wide\r\n        // WANNA Strings\r\n        $wanna1 = \"Wanna Decryptor 1.0\" ascii wide\r\n        $wanna2 = \"Wana Decrypt0r\" ascii wide\r\n        $wanna3 = \"Wana Decryptor\" ascii wide\r\n        $wanna4 = \"WANNACRY\" ascii wide nocase\r\n        $wanna5 = \"WanaCrypt0r\" ascii wide nocase\r\n        $wanna6 = \"WANACRY!\" ascii wide\r\n        $wanna7 = \"WNcry@2ol7\" ascii wide\r\n        $wanna8 = \"wcry@123\"\r\n        $wanna9 = \"wcry@2016\"\r\n        // File references\r\n        $fileA1 = \"!WannaCryptor!.bmp\" ascii wide\r\n        $fileA2 = \"!WannaDecryptor!.exe.lnk\" ascii wide\r\n        $fileA3 = \"!Please Read Me!.txt\" ascii wide\r\n        $fileB1 = \"@WanaDecryptor@.bmp\" ascii wide\r\n        $fileB2 = \"@WanaDecryptor@.exe.lnk\" ascii wide\r\n        $fileB3 = \"@Please_Read_Me@.txt\" ascii wide\r\n        // CMDS\r\n        $cmd1 = \"cmd.exe /c start /b vssadmin.exe Delete Shadows /All /Quiet\" ascii wide nocase\r\n        $cmd2 = \"wmic shadowcopy delete\" ascii wide\r\n        $cmd3 = \"bcdedit /set {default} bootstatuspolicy ignoreallfailures\" ascii wide\r\n        $cmd4 = \"bcdedit /set {default} recoveryenabled no\" ascii wide\r\n        $cmd5 = \"wbadmin delete catalog -quiet\" ascii wide\r\n        $cmd6 = \"icacls . /grant Everyone:F /T /C /Q\" ascii wide\r\n        // MISC\r\n        $misc1 = \"StartTask\" wide ascii\r\n        $misc2 = \"b.wry\" wide ascii\r\n        $misc3 = \"c.wry\" wide ascii\r\n        $misc4 = \"m.wry\" wide ascii\r\n        $misc5 = \"inflate 1.1.3 Copyright 1995-1998 Mark Adler\" wide ascii\r\n        $misc6 = \"?AVtype_info@@\" wide ascii\r\n    condition:\r\n        uint16(0) == 0x5A4D and\r\n        (\r\n            all of ($fileA*) or\r\n            all of ($fileB*) or\r\n            (4 of ($msg*) and 2 of ($bcURL*)) or\r\n            2 of ($wanna*) or\r\n            (2 of ($msg*) and 1 of ($cmd*)) or\r\n            4 of ($cmd*) or\r\n            (1 of ($wanna*) and 1 of ($cmd*)) or\r\n            (1 of ($wanna*) and 3 of ($misc*))\r\n        )\r\n}\r\nrule FE_RANSOMWARE_WANNACRY_EB {\r\n    meta:\r\n        version = \".1\"\r\n        filetype = \"PE\"\r\n        author = \"Ian.Ahl@fireeye.com @TekDefense\"\r\n        date = \"2017-05-12\"\r\n        description = \"Focusing on the WannaCry variants with worm capabilities\"\r\n    strings:\r\n        // EB related strings in WANNACRY\r\n        $eb1 = \"__USERID__PLACEHOLDER__@\" ascii wide\r\n        $eb2 = \"__TREEID__PLACEHOLDER__\" ascii wide\r\n        $eb3 = \"LANMAN1.0\" ascii wide\r\n        $eb4 = \"LANMAN2.1\" ascii wide\r\n        $eb5 = \"\\\\PIPE\\\\\" ascii wide\r\n        $eb6 = \"\\\\\\\\%s\\\\IPC$\" ascii wide\r\n        $eb7 = \"__TREEPATH_REPLACE__\" ascii wide\r\n        $eb8 = \"/K__USERID__PLACEHOLDER__\" ascii wide\r\n    condition:\r\n        uint16(0) == 0x5A4D and all of ($eb*)\r\n}\r\nBoth rules require the scanned file to start with an MZ header (uint16(0) == 0x5A4D), so they are written for scanning PE\r\nfiles; without that check the string-only clauses, for example 2 of ($wanna*), would also match documents and reports that\r\nquote the malware's strings.\r\nPosted in Threat Intelligence\r\nSource: https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html"
	],
	"report_names": [
		"wannacry-malware-profile.html"
	],
	"threat_actors": [
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434278,
	"ts_updated_at": 1775791613,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c005f694e8038d2a71a373bb23be0fa85cb8410.pdf",
		"text": "https://archive.orkl.eu/9c005f694e8038d2a71a373bb23be0fa85cb8410.txt",
		"img": "https://archive.orkl.eu/9c005f694e8038d2a71a373bb23be0fa85cb8410.jpg"
	}
}
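The `co` message format (Table 6) and the "+++" / "***" contact messages described in the profile text above, as an added worked example; this is not code from the original profile or from the malware. It pulls the Table 6 fields out of a constructed 00000000.res blob and assembles the two message layouts. The field widths, the reading of Time0/Time1 as Unix timestamps, the date rendering and the 0-based index are assumptions (the page gives offsets only), and the XOR layer over the Tor channel is not reproduced.

```python
import re
import struct
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# File names the `co` scan looks for: <8_Uppercase_Hex>.res
RES_NAME = re.compile(r"^[0-9A-F]{8}\.res$")

# Offsets from Table 6. Widths are assumptions: Time0/Time1 as 32-bit little-endian
# Unix timestamps, Unknown_int0 as a 32-bit integer and Unknown_long as a signed
# 64-bit integer (the decryptor's format string prints it with %I64d).
OFF_TIME0, OFF_TIME1, OFF_INT0, OFF_LONG = 0x60, 0x78, 0x7C, 0x80
RES_MIN_LEN = OFF_LONG + 8


def parse_res(blob: bytes) -> dict:
    """Extract the client ID (first 8 bytes) and the Table 6 values from a .res blob."""
    if len(blob) < RES_MIN_LEN:
        raise ValueError(f".res too short: {len(blob)} bytes, need {RES_MIN_LEN}")
    (time0,) = struct.unpack_from("<I", blob, OFF_TIME0)
    # Consecutive fields at 0x78, 0x7C and 0x80; "<" disables struct padding.
    time1, int0, long0 = struct.unpack_from("<IIq", blob, OFF_TIME1)
    return {"client_id": blob[:8], "time0": time0, "time1": time1,
            "int0": int0, "long0": long0}


def fmt_time(ts: int) -> str:
    """Assumed rendering of a time value; the decryptor carries a
    "%04d-%02d-%02d %02d:%02d:%02d" format string."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def build_co_message(res: dict, index: int) -> str:
    """'--- <Time0> <Time1> <Unknown_int0> <Unknown_long> <Index>', TAB separated."""
    return "\t".join(["---", fmt_time(res["time0"]), fmt_time(res["time1"]),
                      str(res["int0"]), str(res["long0"]), str(index)])


def build_contact_message(res: dict, hostname: str, username: str,
                          unknown_byte: int = 0, text: Optional[str] = None) -> bytes:
    """<8 bytes from .res><Host name>\\x00<Unknown Byte><User name>\\x00+++ (check-in),
    or the same header followed by ***<TAB><Message contents> ("Contact us")."""
    head = (res["client_id"] + hostname.encode() + b"\x00"
            + bytes([unknown_byte]) + username.encode() + b"\x00")
    if text is None:
        return head + b"+++"
    return head + b"***\t" + text.encode()


def accept_response(resp: bytes) -> bool:
    """The client only keeps a reply of 30 to 50 characters (it is then added to c.wnry)."""
    return 30 <= len(resp) <= 50


def scan_res_files(names: List[str]) -> List[Tuple[int, str]]:
    """Pair each matching file with its position in the scan; that position is <Index>.
    Counting from 0 is an assumption."""
    return list(enumerate(n for n in names if RES_NAME.match(n)))


def sample_res() -> bytes:
    """Constructed .res blob (not a real artefact) with known values at the Table 6 offsets."""
    buf = bytearray(RES_MIN_LEN)
    buf[:8] = bytes.fromhex("0102030405060708")
    struct.pack_into("<I", buf, OFF_TIME0, 1494633600)  # 2017-05-13 00:00:00 UTC
    struct.pack_into("<IIq", buf, OFF_TIME1, 1494640800, 7, 123456789012)
    return bytes(buf)


if __name__ == "__main__":
    res = parse_res(sample_res())
    print(build_co_message(res, 0))
    print(build_contact_message(res, "WS01", "alice"))
```

Run against a real 00000000.res recovered from a victim, the parser gives the four values the sample would have reported, which is what an analyst needs to correlate a captured C2 message with a specific host.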
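The "Check Payment" validation described above (encrypt with the key from 00000000.pky, decrypt with the key from 00000000.dky, compare) as an added example; this is neither the malware's nor the profile's code. A deliberately tiny textbook RSA pair built from fixed small primes stands in for the CryptoAPI RSA keys in the real samples, so the numbers are constructed and insecure and exist only to show the check. The probe text TESTDATA is taken from the encryptor's string list; whether the sample uses it for exactly this check is an assumption.

```python
from typing import Tuple

Key = Tuple[int, int]  # (exponent, modulus)


def toy_rsa_keypair(p: int, q: int, e: int = 17) -> Tuple[Key, Key]:
    """Textbook RSA from two fixed small primes (constructed, insecure): returns the
    public key (e, n) and the private key (d, n). Stand-in for the CryptoAPI RSA keys
    the real samples keep in 00000000.pky / 00000000.dky."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+); e must be coprime to phi
    return (e, n), (d, n)


def rsa_apply(key: Key, values) -> list:
    """Apply the key to each value independently. Byte-at-a-time textbook RSA is
    acceptable only because the point here is the key check, not confidentiality."""
    exp, n = key
    return [pow(v, exp, n) for v in values]


def key_pair_matches(pub: Key, priv: Key, probe: bytes = b"TESTDATA") -> bool:
    """The decryptor's validation: encrypt a probe with the public key (.pky),
    decrypt with the candidate private key (.dky) and accept only if the round
    trip returns the probe. A .dky for a different key pair fails here, which is
    the branch that shows the 'You did not pay or we did not confirmed' message."""
    if any(b >= pub[1] for b in probe):
        raise ValueError("probe byte not below the modulus; toy key too small")
    cipher = rsa_apply(pub, probe)
    plain = rsa_apply(priv, cipher)
    return plain == list(probe)


def sample_keys() -> Tuple[Key, Key, Key]:
    """Constructed keys: the victim's pair plus an unrelated private key, i.e. what a
    bogus .dky or a key released for a different victim would look like."""
    pub, priv = toy_rsa_keypair(61, 53)      # n = 3233
    _, other_priv = toy_rsa_keypair(71, 67)  # n = 4757
    return pub, priv, other_priv


if __name__ == "__main__":
    pub, priv, other = sample_keys()
    print("victim's own key:", key_pair_matches(pub, priv))
    print("unrelated key:   ", key_pair_matches(pub, other))
```

The same round-trip check is worth running by a responder before trusting any private key offered for a victim (from a leak, a vendor tool or a negotiator): verify it against the 00000000.pky on disk rather than running an unknown decryptor on the whole file set.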
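Detection logic for the `vs` command line described above, as an added example that is neither Mandiant's nor the malware's code. It runs one pattern per recovery-tampering operation plus one for the `cmd.exe /c start /b <path> vs` launcher over a few constructed process-creation records (pipe-separated timestamp|host|user|parent image|command line; the layout, host names, user names and the random directory name are invented for the example) and scores the chained form higher than a lone vssadmin call, which backup tooling can also produce.

```python
import re
from typing import Dict, List, Optional

# One pattern per operation in the vs command line. The .exe suffix is optional and
# matching is case-insensitive so variants such as "vssadmin.exe Delete Shadows" hit.
RECOVERY_TAMPER = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("bcdedit_recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
]

# "cmd.exe /c start /b %s vs" from the encryptor's strings: the decryptor being
# launched with the vs argument. The path placeholder is matched generically.
DECRYPTOR_VS = re.compile(r"\bcmd\.exe\s+/c\s+start\s+/b\s+\S+\.exe\s+vs\s*$", re.I)


def parse_event(line: str) -> Dict[str, str]:
    """Constructed record layout: ts|host|user|parent_image|command_line."""
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}


def classify(cmd: str) -> List[str]:
    hits = [name for name, rx in RECOVERY_TAMPER if rx.search(cmd)]
    if DECRYPTOR_VS.search(cmd):
        hits.append("decryptor_vs_launch")
    return hits


def severity(hits: List[str]) -> Optional[str]:
    """Chained tampering or the vs launcher is high; a single shadow-copy deletion
    is only medium because backup and storage tooling issues it legitimately."""
    tamper = [h for h in hits if h != "decryptor_vs_launch"]
    if "decryptor_vs_launch" in hits or len(tamper) >= 3:
        return "high"
    if tamper:
        return "medium"
    return None


def detect(log_text: str) -> List[Dict[str, object]]:
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        hits = classify(ev["cmd"])
        sev = severity(hits)
        if sev:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "severity": sev, "hits": hits})
    return alerts


# Constructed sample records (not real telemetry). Record 2 is the launcher, record 3
# is the vs command line exactly as the profile gives it, record 4 is an admin call.
SAMPLE_LOG = r"""
2017-05-12T10:01:03Z|WS01|CORP\alice|C:\Windows\explorer.exe|"C:\Windows\notepad.exe" notes.txt
2017-05-12T10:02:07Z|WS01|CORP\alice|C:\ProgramData\wbqnc\tasksche.exe|cmd.exe /c start /b C:\ProgramData\wbqnc\@WanaDecryptor@.exe vs
2017-05-12T10:02:17Z|WS01|CORP\alice|C:\ProgramData\wbqnc\@WanaDecryptor@.exe|cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
2017-05-12T11:30:00Z|SRV02|CORP\backupsvc|C:\Windows\System32\cmd.exe|vssadmin delete shadows /for=D: /oldest
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert["severity"], alert["host"], alert["ts"], ", ".join(alert["hits"]))
```

Feeding real Sysmon event 1 or Windows 4688 command lines through `classify` needs only a different `parse_event`; the scoring in `severity` is where an environment tunes the medium tier, for instance by allow-listing the backup service account.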