douglasmun

Wannacry spreads using Eternalblue

Jun 21st, 2017
Training 2 - Identify WannaCry spreading using EternalBlue

From:  http://malware-traffic-analysis.net/2017/05/18/index2.html
2017-05-18 - GUEST BLOG BY DAVID SZILI - PCAP OF WANNACRY SPREADING USING ETERNALBLUE

EDITOR'S NOTE:
This blog post was submitted by David Szili, an independent IT security consultant based in Luxembourg.
David had emailed a pcap from his test environment with traffic showing WannaCry ransomware spreading using the EternalBlue exploit.
I thought this would make a good guest blog, so enjoy!

ASSOCIATED FILE:
ZIP archive of the WannaCry ransomware sample:  24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe.zip   3.6 MB (3,591,870 bytes)
ZIP archive of the pcap:  2017-05-18-WannaCry-ransomware-using-EnternalBlue-exploit.pcap.zip   * 23.9 MB (23,857,652 bytes)
* Remark: The uncompressed pcap file size is too large to be analysed online via NetworkTotal. Luckily, I found a smaller WannaCry.pcap on VirusTotal.

TEST ENVIRONMENT
The following Windows servers and workstations were established in a LAN environment:
(Read: IPv4 address - MAC address - Host description - Host name)
192.168.116.143   -   a4:1f:72:20:54:01   -   Windows 2012 R2 domain controller   -   TestDC1
192.168.116.150   -   a4:1f:72:49:11:6d   -   Windows 2012 R2 server with a file share   -   WIN-2012-R2-1
192.168.116.138   -   00:19:bb:4f:4c:d8   -   Windows 7 x64   -   domain-joined workstation   -   DFIR_Win7_x64
192.168.116.149   -   00:25:b3:f5:fa:74   -   Windows 7 x86   -   domain-joined workstation   -   DFIR_Win7_x86
192.168.116.172   -   00:1c:c4:33:c6:dd   -   Windows 7 x86   -   clone of DFIR_Win7_x86   -   C-DFIR_Win7_x86

MALWARE
The following information covers the WannaCry ransomware sample used to generate this traffic:
SHA256 hash:  24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
SHA1 hash:  e889544aff85ffaf8b0d0da705105dee7c97fe26
MD5 hash:  db349b97c37d22f5ea1d1841e3c89eb4
File size:  3.6 MB (3,723,264 bytes)
File type:  Win32 EXE

References for the above sample:
https://securingtomorrow.mcafee.com/mcafee-labs/analysis-wannacry-ransomware/
https://www.hybrid-analysis.com/sample/24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c?environmentId=100
https://www.virustotal.com/en/file/24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c/analysis/
The WannaCry ransomware sample was launched on 192.168.116.149 (DFIR_Win7_x86), and it propagated to the other Windows hosts (see images section below).

For more, please visit:  http://malware-traffic-analysis.net/2017/05/18/index2.html

=====================================================================================
*WannaCry.pcap on VirusTotal
https://virustotal.com/en/file/884a837145bd098edcd04ec700068501a6643c3b71e0c2cd3bf5cde9a0a9395b/analysis/
* Remark: Note that one can actually upload a pcap file to VirusTotal for analysis.

File name:  Wannacry.pcap
SHA256: 884a837145bd098edcd04ec700068501a6643c3b71e0c2cd3bf5cde9a0a9395b
ZIP archive of the Wannacry.pcap: http://www.mediafire.com/file/k310vod9snc7qvq/wannacry_pcap_on_virustotal.zip
End time 2017-05-15 22:18:32
Capture duration 919.832395 seconds
HTTP requests
GET http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
Request datetime 2017-05-15 22:18:32.684335
Contacted host 144.217.254.3:80
Server response code 200
Response content sha256 4be9b4e7327041a75853cbe8abedf15ab049ceb16fa98f63b03a3b9aaa9b5075
Response content file type exported SGML document, ASCII text

DNS requests
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com   144.217.254.3

Snort alerts (Sourcefire VRT ruleset)
Consecutive TCP small segments exceeding threshold (Potentially Bad Traffic) [12]
MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt (Attempted Information Leak) [30881]
OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt (Attempted Information Leak) [42340]
SERVER-IIS encoding access (access to a potentially vulnerable web application) [1010]
INDICATOR-SHELLCODE ssh CRC32 overflow filler (Executable code was detected) [1325]
OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param OS-WINDOWS attempt (Generic Protocol Command Decode) [5730]
MALWARE-CNC Win.Trojan.Doublepulsar variant successful ping response (A Network Trojan was detected) [42329]
MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (A Network Trojan was detected) [42331]
MALWARE-CNC Win.Trojan.Doublepulsar variant successful injection response (A Network Trojan was detected) [42330]

Suricata alerts (Emerging Threats ETPro ruleset)
ET EXPLOIT Possible DOUBLEPULSAR Beacon Response (A Network Trojan was Detected) [2024216]
GPL NETBIOS SMB-DS IPC$ share access (Generic Protocol Command Decode) [2102465]
ET POLICY Reserved Internal IP Traffic (Potentially Bad Traffic) [2002752]
GPL NETBIOS SMB-DS IPC$ unicode share access (Generic Protocol Command Decode) [2102466]
ET TROJAN Possible WannaCry DNS Lookup (A Network Trojan was Detected) [2024291]
ET INFO Potentially unsafe SMBv1 protocol in use (Not Suspicious Traffic) [2023997]

Uploaded this Wannacry.pcap to NetworkTotal, result below:
https://www.networktotal.com/search.php?q=ef9f9f28f51e1f12ff339844c7051728&pmd5=5bdf91f28d80dfe69116ddb32e05b693

Suricata 2.0.11 alerts (Emerging Threats ETPro ruleset)
Events:
Date    MD5    sid    msg
Mon, 15 May 2017 22:03:47 +0000 ef9f9f28f51e1f12ff339844c7051728 [VT]   [1:2024216:1]   ET EXPLOIT Possible DOUBLEPULSAR Beacon Response
Mon, 15 May 2017 22:03:47 +0000 ef9f9f28f51e1f12ff339844c7051728 [VT]   [1:2023997:3]   ET INFO Potentially unsafe SMBv1 protocol in use
Mon, 15 May 2017 22:12:38 +0000 ef9f9f28f51e1f12ff339844c7051728 [VT]   [1:2102465:9]   GPL NETBIOS SMB-DS IPC$ share access
Mon, 15 May 2017 22:03:47 +0000 ef9f9f28f51e1f12ff339844c7051728 [VT]   [1:2102466:9]   GPL NETBIOS SMB-DS IPC$ unicode share access
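As an added example (not part of the original post, nor code from David Szili or malware-traffic-analysis.net), the following Python parses NetworkTotal event lines in the layout shown above and maps the Suricata/GPL signature IDs listed on this page to stages of the WannaCry/EternalBlue propagation chain, so a triage script can say whether a capture shows mere SMBv1 exposure or a completed exploit. The stage names, verdict strings and the extra kill-switch DNS event line are my own constructions.

```python
import re
from email.utils import parsedate_to_datetime

# Signature IDs listed on this page, mapped to the stage of the WannaCry/EternalBlue
# propagation chain each one evidences (stage names are constructed for this example).
STAGE_BY_SID = {
    2023997: "smbv1_in_use",         # ET INFO Potentially unsafe SMBv1 protocol in use
    2102465: "ipc_share_access",     # GPL NETBIOS SMB-DS IPC$ share access
    2102466: "ipc_share_access",     # GPL NETBIOS SMB-DS IPC$ unicode share access
    2024216: "doublepulsar_beacon",  # ET EXPLOIT Possible DOUBLEPULSAR Beacon Response
    2024291: "killswitch_dns",       # ET TROJAN Possible WannaCry DNS Lookup
}
# NetworkTotal event layout as printed on the page: "<RFC 2822 date> <pcap md5> [VT]   [gid:sid:rev]   <msg>"
EVENT_RE = re.compile(r"^(?P<date>.+?[+-]\d{4})\s+(?P<md5>[0-9a-f]{32})\s+\[VT\]\s+"
                      r"\[\d+:(?P<sid>\d+):\d+\]\s+(?P<msg>.+)$")

def parse_events(lines):
    """Parse event lines into dicts with a datetime, sid and msg; lines that do not fit are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"date": parsedate_to_datetime(m["date"]), "sid": int(m["sid"]), "msg": m["msg"].strip()})
    return events

def triage(events):
    """Return (verdict, first_seen): first alert time per stage and what the stages add up to."""
    first_seen = {}
    for ev in sorted(events, key=lambda e: e["date"]):
        stage = STAGE_BY_SID.get(ev["sid"])
        if stage and stage not in first_seen:
            first_seen[stage] = ev["date"]
    # A DoublePulsar beacon response alongside SMBv1 traffic is what a successful EternalBlue
    # exploit looks like on the wire; IPC$ access alone is only the anonymous session setup
    # that precedes it, and the DNS lookup is the kill-switch domain check.
    if "doublepulsar_beacon" in first_seen and "smbv1_in_use" in first_seen:
        verdict = "eternalblue-exploited"
    elif "smbv1_in_use" in first_seen or "ipc_share_access" in first_seen:
        verdict = "smbv1-exposure"
    elif "killswitch_dns" in first_seen:
        verdict = "wannacry-killswitch-lookup"
    else:
        verdict = "no-match"
    return verdict, first_seen

# The four NetworkTotal lines from this page plus one constructed line for the kill-switch lookup.
SAMPLE_EVENTS = [
    "Mon, 15 May 2017 22:03:47 +0000 ef9f9f28f51e1f12ff339844c7051728 [VT]   [1:2024216:1]   ET EXPLOIT Possible DOUBLEPULSAR Beacon Response",
    "Mon, 15 May 2017 22:03:47 +0000 ef9f9f28f51e1f12ff339844c7051728 [VT]   [1:2023997:3]   ET INFO Potentially unsafe SMBv1 protocol in use",
    "Mon, 15 May 2017 22:12:38 +0000 ef9f9f28f51e1f12ff339844c7051728 [VT]   [1:2102465:9]   GPL NETBIOS SMB-DS IPC$ share access",
    "Mon, 15 May 2017 22:03:47 +0000 ef9f9f28f51e1f12ff339844c7051728 [VT]   [1:2102466:9]   GPL NETBIOS SMB-DS IPC$ unicode share access",
    "Mon, 15 May 2017 22:18:32 +0000 ef9f9f28f51e1f12ff339844c7051728 [VT]   [1:2024291:1]   ET TROJAN Possible WannaCry DNS Lookup",  # constructed
]
```

Calling `triage(parse_events(SAMPLE_EVENTS))` on the sample returns the verdict `eternalblue-exploited` together with the first-seen time of each stage, which is the order an incident timeline would want.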