2017-05-18 - GUEST BLOG BY DAVID SZILI - PCAP OF WANNACRY SPREADING USING ETERNALBLUE
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
EDITOR'S NOTE:
- This blog post was submitted by David Szili, an independent IT security consultant based in Luxembourg.
- David had emailed a pcap from his test environment with traffic showing WannaCry ransomware spreading using the EternalBlue exploit.
- I thought this would make a good guest blog, so enjoy!
ASSOCIATED FILE:
- Zip archive of the pcap: 2017-05-18-WannaCry-ransomware-using-EnternalBlue-exploit.pcap.zip 23.9 MB (23,857,652 bytes)
- Zip archive of the WannaCry ransomware sample: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe.zip 3.6 MB (3,591,870 bytes)
TEST ENVIRONMENT
The following Windows servers and workstations were established in a LAN environment:
(Read: IPv4 address - MAC address - Host description - Host name)
- 192.168.116.143 - a4:1f:72:20:54:01 - Windows 2012 R2 domain controller - TestDC1
- 192.168.116.150 - a4:1f:72:49:11:6d - Windows 2012 R2 server with a file share - WIN-2012-R2-1
- 192.168.116.138 - 00:19:bb:4f:4c:d8 - Windows 7 x64 - domain-joined workstation - DFIR_Win7_x64
- 192.168.116.149 - 00:25:b3:f5:fa:74 - Windows 7 x86 - domain-joined workstation - DFIR_Win7_x86
- 192.168.116.172 - 00:1c:c4:33:c6:dd - Windows 7 x86 - clone of DFIR_Win7_x86 - C-DFIR_Win7_x86
MALWARE
The following information covers the WannaCry ransomware sample used to generate this traffic:
- SHA256 hash: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
- SHA1 hash: e889544aff85ffaf8b0d0da705105dee7c97fe26
- MD5 hash: db349b97c37d22f5ea1d1841e3c89eb4
- File size: 3.6 MB (3,723,264 bytes)
- File type: Win32 EXE
References for the above sample:
- https://www.hybrid-analysis.com/sample/24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c?environmentId=100
- https://www.virustotal.com/en/file/24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c/analysis/
The WannaCry ransomware sample was launched on 192.168.116.149 (DFIR_Win7_x86), and it propagated to the other Windows hosts (see images section below).
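As an added example (not part of David's pcap or this post), a small Python check for the propagation pattern described above: a single host opening TCP/445 connections to several peers within a short window. It uses the host inventory from the test environment and a constructed sample of flow records, not records taken from the actual capture.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Host inventory of the test environment described on this page (IP -> host name).
HOSTS = {
    "192.168.116.143": "TestDC1",
    "192.168.116.150": "WIN-2012-R2-1",
    "192.168.116.138": "DFIR_Win7_x64",
    "192.168.116.149": "DFIR_Win7_x86",
    "192.168.116.172": "C-DFIR_Win7_x86",
}

# Constructed sample of TCP connection attempts (time, src, dst, dst_port), in the shape
# a flow tool would export from a pcap. These are made-up values, NOT from the real capture.
FLOWS = [
    ("2017-05-18 09:00:00", "192.168.116.138", "192.168.116.150", 445),  # normal file-share use
    ("2017-05-18 09:00:05", "192.168.116.149", "192.168.116.143", 445),
    ("2017-05-18 09:00:06", "192.168.116.149", "192.168.116.150", 445),
    ("2017-05-18 09:00:07", "192.168.116.149", "192.168.116.138", 445),
    ("2017-05-18 09:00:09", "192.168.116.149", "192.168.116.172", 445),
    ("2017-05-18 09:00:30", "192.168.116.138", "192.168.116.150", 445),  # same share again
    ("2017-05-18 09:00:40", "192.168.116.149", "192.168.116.143", 88),   # Kerberos, not SMB
    ("2017-05-18 09:10:00", "192.168.116.172", "192.168.116.150", 445),
]

def smb_fanout(flows, window=timedelta(seconds=60), min_targets=3):
    """Return {src_ip: sorted list of distinct targets} for every source that opened
    TCP/445 connections to at least `min_targets` different hosts within `window`.
    A client repeatedly talking to one file server never reaches the threshold."""
    per_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445 and src != dst:
            per_src[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), dst))
    hits = {}
    for src, events in per_src.items():
        events.sort()  # by timestamp, so a sliding window over the list is valid
        j = 0
        for i in range(len(events)):
            while j < len(events) and events[j][0] - events[i][0] <= window:
                j += 1
            targets = {dst for _, dst in events[i:j]}
            if len(targets) >= min_targets and len(targets) > len(hits.get(src, ())):
                hits[src] = sorted(targets)
    return hits

def describe(hits):
    """Render the hits with the host names from the inventory for an analyst."""
    return [f"{HOSTS.get(src, '?')} ({src}) -> " + ", ".join(HOSTS.get(d, d) for d in dsts)
            for src, dsts in sorted(hits.items())]
```

Calling `describe(smb_fanout(FLOWS))` on the sample flags only DFIR_Win7_x86, while the workstation that only ever talks to the file share stays quiet.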
ALERTS
Below is a screenshot taken from a Security Onion server monitoring traffic for hosts in the test environment. It's using the EmergingThreats Open ruleset.
SCREENSHOTS OF DESKTOPS
Shown above: Desktop of infected Windows 7 host, hostname: DFIR_Win7_x86.
Shown above: Desktop of infected Windows 7 host, hostname: C-DFIR_Win7_x86.
Shown above: Desktop of infected Windows 7 host, hostname: DFIR_Win7_x64.