- Training 2 - Identify Wannacry spreading using Eternalblue
- From: http://malware-traffic-analysis.net/2017/05/18/index2.html
- 2017-05-18 - GUEST BLOG BY DAVID SZILI - PCAP OF WANNACRY SPREADING USING ETERNALBLUE
- EDITOR'S NOTE:
- This blog post was submitted by David Szili, an independent IT security consultant based in Luxembourg.
- David had emailed a pcap from his test environment with traffic showing WannaCry ransomware spreading using the EternalBlue exploit.
- I thought this would make a good guest blog, so enjoy!
- ASSOCIATED FILE:
- ZIP archive of the WannaCry ransomware sample: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe.zip 3.6 MB (3,591,870 bytes)
- ZIP archive of the pcap: 2017-05-18-WannaCry-ransomware-using-EnternalBlue-exploit.pcap.zip * 23.9 MB (23,857,652 bytes)
- * Remark: The uncompressed pcap file size is too large to be analysed online via NetworkTotal. Luckily, I found a smaller WannaCry.pcap on VirusTotal.
- TEST ENVIRONMENT
- The following Windows servers and workstations were established in a LAN environment:
- (Read: IPv4 address - MAC address - Host description - Host name)
- 192.168.116.143 - a4:1f:72:20:54:01 - Windows 2012 R2 domain controller - TestDC1
- 192.168.116.150 - a4:1f:72:49:11:6d - Windows 2012 R2 server with a file share - WIN-2012-R2-1
- 192.168.116.138 - 00:19:bb:4f:4c:d8 - Windows 7 x64 - domain-joined workstation - DFIR_Win7_x64
- 192.168.116.149 - 00:25:b3:f5:fa:74 - Windows 7 x86 - domain-joined workstation - DFIR_Win7_x86
- 192.168.116.172 - 00:1c:c4:33:c6:dd - Windows 7 x86 - clone of DFIR_Win7_x86 - C-DFIR_Win7_x86
- MALWARE
- The following information covers the WannaCry ransomware sample used to generate this traffic:
- SHA256 hash: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
- SHA1 hash: e889544aff85ffaf8b0d0da705105dee7c97fe26
- MD5 hash: db349b97c37d22f5ea1d1841e3c89eb4
- File size: 3.6 MB (3,723,264 bytes)
- File type: Win32 EXE
- References for the above sample:
- https://securingtomorrow.mcafee.com/mcafee-labs/analysis-wannacry-ransomware/
- https://www.hybrid-analysis.com/sample/24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c?environmentId=100
- https://www.virustotal.com/en/file/24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c/analysis/
- The WannaCry ransomware sample was launched on 192.168.116.149 (DFIR_Win7_x86), and it propagated to the other Windows hosts (see images section below).
- For more, please visit http://malware-traffic-analysis.net/2017/05/18/index2.html
- =====================================================================================
- *WannaCry.pcap on VirusTotal
- https://virustotal.com/en/file/884a837145bd098edcd04ec700068501a6643c3b71e0c2cd3bf5cde9a0a9395b/analysis/
- * Remark: Note that one can actually upload a pcap file to VirusTotal for analysis.
- File name: Wannacry.pcap
- SHA256: 884a837145bd098edcd04ec700068501a6643c3b71e0c2cd3bf5cde9a0a9395b
- ZIP archive of the Wannacry.pcap: http://www.mediafire.com/file/k310vod9snc7qvq/wannacry_pcap_on_virustotal.zip
- End time 2017-05-15 22:18:32
- Capture duration 919.832395 seconds
- HTTP requests
- GET http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com/
- Request datetime 2017-05-15 22:18:32.684335
- Contacted host 144.217.254.3:80
- Server response code 200
- Response content sha256 4be9b4e7327041a75853cbe8abedf15ab049ceb16fa98f63b03a3b9aaa9b5075
- Response content file type exported SGML document, ASCII text
- DNS requests
- www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com 144.217.254.3
- Snort alerts Sourcefire VRT ruleset
- Consecutive TCP small segments exceeding threshold (Potentially Bad Traffic) [12]
- MALWARE-OTHER dns request with long host name segment - possible data exfiltration attempt (Attempted Information Leak) [30881]
- OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt (Attempted Information Leak) [42340]
- SERVER-IIS encoding access (access to a potentially vulnerable web application) [1010]
- INDICATOR-SHELLCODE ssh CRC32 overflow filler (Executable code was detected) [1325]
- OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param OS-WINDOWS attempt (Generic Protocol Command Decode) [5730]
- MALWARE-CNC Win.Trojan.Doublepulsar variant successful ping response (A Network Trojan was detected) [42329]
- MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command (A Network Trojan was detected) [42331]
- MALWARE-CNC Win.Trojan.Doublepulsar variant successful injection response (A Network Trojan was detected) [42330]
- Suricata alerts Emerging Threats ETPro ruleset
- ET EXPLOIT Possible DOUBLEPULSAR Beacon Response (A Network Trojan was Detected) [2024216]
- GPL NETBIOS SMB-DS IPC$ share access (Generic Protocol Command Decode) [2102465]
- ET POLICY Reserved Internal IP Traffic (Potentially Bad Traffic) [2002752]
- GPL NETBIOS SMB-DS IPC$ unicode share access (Generic Protocol Command Decode) [2102466]
- ET TROJAN Possible WannaCry DNS Lookup (A Network Trojan was Detected) [2024291]
- ET INFO Potentially unsafe SMBv1 protocol in use (Not Suspicious Traffic) [2023997]
- Uploaded this Wannacry.pcap to NetworkTotal, result below:
- https://www.networktotal.com/search.php?q=ef9f9f28f51e1f12ff339844c7051728&pmd5=5bdf91f28d80dfe69116ddb32e05b693
- Suricata 2.0.11 alerts Emerging Threats ETPro ruleset
- Events:
- Date MD5 sid msg
- Mon, 15 May 2017 22:03:47 +0000 ef9f9f28f51e1f12ff339844c7051728 [VT] [1:2024216:1] ET EXPLOIT Possible DOUBLEPULSAR Beacon Response
- Mon, 15 May 2017 22:03:47 +0000 ef9f9f28f51e1f12ff339844c7051728 [VT] [1:2023997:3] ET INFO Potentially unsafe SMBv1 protocol in use
- Mon, 15 May 2017 22:12:38 +0000 ef9f9f28f51e1f12ff339844c7051728 [VT] [1:2102465:9] GPL NETBIOS SMB-DS IPC$ share access
- Mon, 15 May 2017 22:03:47 +0000 ef9f9f28f51e1f12ff339844c7051728 [VT] [1:2102466:9] GPL NETBIOS SMB-DS IPC$ unicode share access