WANACRY – The Saga Continues…

Only a few days into this thing and of course we’re already seeing spin-off variants of the original binary making their way into the wild.

[Figure: family tree]

Over the weekend we’ve had a few ups and downs; we’ve identified 2 kill-switch domains that were hard-coded into the binaries, which were subsequently discovered and sinkholed. Heading into Monday, however, we’re starting to see the natural processes run their course as new variants enter the wild.

Variant 3 (MD5: d724d8cc6420f06e8a48752f0da11c66) is already starting to display some new behavior. This variant does not have a hard-coded kill-switch within the code, but hasty changes appear to have broken its ransomware capability.


The spreader capability made possible by ETERNALBLUE and DOUBLEPULSAR still works as advertised. However, the actual ransomware functionality appears to be broken, most likely due to a corrupted archive. The domain check code still appears in this variant’s code; however, it’s jmp’d over and zeroed out.

Keeping this one short but I wanted to throw a little something out there with some recent updates.

-DarkHorseSec
