API tools faq
paste
nu11secur1ty

WannaCry

nu11secur1ty
May 21st, 2017
260
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Clone C 2.41 KB | None | 0 0
raw download clone embed print report diff
  1. There are a number of files and folders wannacrypt will avoid.
  2. Some because it's entirely pointless and others because it might destabilize the system.
  3. During scans, it will search the path for the following strings and skip over if present.
  4.  
  5.     "Content.IE5"
  6.     "Temporary Internet Files"
  7.     " This folder protects against ransomware. Modifying it will reduce protection"
  8.     "\Local Settings\Temp"
  9.     "\AppData\Local\Temp"
  10.     "\Program Files (x86)"
  11.     "\Program Files"
  12.     "\WINDOWS"
  13.     "\ProgramData"
  14.     "\Intel"
  15.     "$\"
  16.  
  17. The strange looking folder name referring to ransomware was probably used during tests
  18. or perhaps the authors left it behind by accident.
  19.  
  20. Naturally, it will avoid encrypting itself and skips the following.
  21.  
  22.     @[email protected]
  23.     @[email protected]
  24.     @[email protected]
  25.  
  26. It will also skip files that have extensions: .DLL, .EXE, .WNCRY and .WNCRYT
  27.  
  28. For everything else, there are 2 tables with file extensions it checks,
  29. the first and default list consists of
  30.  
  31.   .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg,
  32.   .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf,
  33.   .dwg, .onetoc2, .snt, .jpeg, .jpg
  34.  
  35. The other is a much more extensive list, but is not used by the sample
  36. I have.
  37.  
  38. It's not clear what the purpose of multiple file extensions are, but perhaps
  39. the ransomeware uses a library or framework that can be tweaked for specific targets.
  40.  
  41.   .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc,
  42.   .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb,
  43.   .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes,
  44.   .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup,
  45.   .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai,
  46.   .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov,
  47.   .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class,
  48.   .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs,
  49.   .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf,
  50.   .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb,
  51.   .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd,
  52.   .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds,
  53.   .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
Add Comment
Please, Sign In to add comment
Public Pastes
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!