# WannaCry — New Variants Detected! URL: https://www.msuiche.com/posts/wannacry-new-variants-detected/ Date: 2017-05-14 Author: Matt Suiche --- #### One new wave stopped today but the worse is yet to come **Read More**: [Part 1](https://www.msuiche.com/posts/wannacry-the-largest-ransom-ware-infection-in-history/) — Part 2 — [Part 3](https://www.msuiche.com/posts/wannacry-links-to-lazarus-group/) — [Part 4](https://www.msuiche.com/posts/wannacry-decrypting-files-with-wanakiwi-demos/) [@msuiche](http://twitter.com/msuiche) (Twitter) **UPDATE: _Latest development (15May):_** [Attribution and links to Lazarus Group](https://www.msuiche.com/posts/wannacry-links-to-lazarus-group/) **UPDATE2**: — [Decrypting files](https://www.msuiche.com/posts/wannacry-decrypting-files-with-wanakiwi-demos/) [As a follow-up article on WannaCry](https://www.msuiche.com/posts/wannacry-the-largest-ransom-ware-infection-in-history/), I will give a short brief about the new variants found in the wild, not for experimentation but on infected machines today. _In short, one is a false positive some researchers uploaded to virustotal.com and the other is legit but we_ **_stopped_** _it when I registered the new kill-switch domain name_. ![image](./images/1.jpeg#layoutTextWidth) **Update:** At the time the below twitt was posted, the above stopped ~10K machines from 76 different countries to spread the infection from the new variant. > [](https://twitter.com/msuiche/status/864022459854487552) On **Friday 12 May 2017**, MalwareTechBlog registered the first kill switch (`_iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com_`) that enable to slow down the infection rate of WannaCry ransomware. _This is_ `_24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c_`_._ ![image](./images/2.png#layoutTextWidth) Protecting the Internet one domain at a time — Second killswitch registered on Sunday 14 by myself. **Today (14 May 2017), 2 new** variants appeared**. One working which I blocked by registering the new domain name,** and the second which is only partially working because it only spreads and does ***not*** encrypt files due to a corrupted archive. * **Legit.** A new variant had been [caught](https://boingboing.net/2017/05/15/killswitches-for-everyone.html) by [@benkow_](https://twitter.com/benkow_) in the **wild** and sent to me for analysis. I reversed it and found a new kill-switch (`_ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com_`) which I **immediately** registered to stop the new wave of global attacks. Then, I synchronized with @MalwareTechBlog and @2sec4u to map the new domain to sinkhole name servers to feed the [live interactive infection map](https://intel.malwaretech.com/botnet/wcrypt). _This is_ `_32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf_`_._ * **False positive.** A new variant with no kill-switch recovered by Kaspersky as a virustotal.com upload — **not** detected in the Wild. **Although, this build does only work *partially* as the ransomware archive is corrupted — the spreading still works though.** _This is_ `_07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd_`_._ ### New variants All the variants in the wild are the following: `Name : 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd LastWriteTime : 5/14/2017 5:56:00 PM MD5 : D724D8CC6420F06E8A48752F0DA11C66 SHA2 : 07C44729E2C570B37DB695323249474831F5861D45318BF49CCF5D2F5C8EA1CD Length : 3723264``Name : 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c LastWriteTime : 5/13/2017 7:26:44 AM MD5 : DB349B97C37D22F5EA1D1841E3C89EB4 SHA2 : 24D004A104D4D54034DBCFFC2A4B19A11F39008A575AA614EA04703480B1022C Length : 3723264``Name : 32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf LastWriteTime : 5/14/2017 4:11:45 PM MD5 : D5DCD28612F4D6FFCA0CFEAEFD606BCF SHA2 : 32F24601153BE0885F11D62E0A8A2F0280A2034FC981D8184180C5D3B1B9E8CF Length : 3723264` #### New variant with kill switch ![image](./images/3.png#layoutTextWidth) _32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf_ As seen below, this is the new kill switch address (`_ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com_`_)_ found in the `_32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf_ `sample, shared by @benkow_ with me via his honeypot VM. It took me less than a minute once I had the new sample to reverse it and extract the new address to register it. > [](https://twitter.com/msuiche/status/863730377642442752) The variants `_24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c_ `_&_ `_32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf_both `drop the **same** files and archives. Kaspersky told me they also detected the above variant, `MD5:d5dcd28612f4d6ffca0cfeaefd606bcf` was first seen by one of their users in Russia 01:53:26 GMT (2017–05–14 01:53:26.0) `Name : stage2-1-24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c LastWriteTime : 5/12/2017 10:06:10 PM MD5 : 84C82835A5D21BBCF75A61706D8AB549 SHA2 : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA Length : 3514368``Name : stage2-2-32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf LastWriteTime : 5/14/2017 4:42:09 PM MD5 : 84C82835A5D21BBCF75A61706D8AB549 SHA2 : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA Length : 3514368` #### New variant with no kill-switch (shared by Kasperky) ![image](./images/4.png#layoutTextWidth) Costin Raiu, _Director of Global Research and Analysis Team at Kaspersky Lab_, shared the `[_07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd_] (https://www.virustotal.com/en/file/07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd/analysis/)`sample with me for a second opinion. As said in the introduction, **Although, this build does only work *partially* as the ransomware archive is corrupted but the spreading part using ETERNALBLUE and DOUBLEPULSAR still works.** Archive only is partially uncompressed. Although the password in the code is the same. > [](https://twitter.com/yomuds/status/863781516899254272) ![image](./images/5.png#layoutTextWidth) The above variant, `MD5:d724d8cc6420f06e8a48752f0da11c66`, has not been seen by any of Kaspersky’s users. (nobody got hit with it yet). It was first scanned on VT at: 2017–05–14 13:05:36. This sample had been discovered after the initial variant I received today. See below my analysis. ![image](./images/6.png#layoutTextWidth) 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd I concluded this sample with no killswitch had been patched and not compiled for two reasons: * The padding space is still exactly `0x48 `bytes between the expected string pointer and the` _RTL_CRITICAL_SECTION CriticalSection` structure. * The basic block flow had been altered as we can see in the above screenshot. It still contains the regular code which was supposed to be executed in case of domain name accessibility. > [](https://twitter.com/msuiche/status/863760653307203584) This variant drops different files. I’m still analyzing what is different between the two versions. `Name : stage2-1-24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c LastWriteTime : 5/12/2017 10:06:10 PM MD5 : 84C82835A5D21BBCF75A61706D8AB549 SHA2 : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA Length : 3514368``Name : stage2-2-32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf LastWriteTime : 5/14/2017 4:42:09 PM MD5 : 84C82835A5D21BBCF75A61706D8AB549 SHA2 : ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA Length : 3514368``Name : stage2-3-07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd-nokillswitch LastWriteTime : 5/14/2017 7:06:02 PM MD5 : 7F7CCAA16FB15EB1C7399D422F8363E8 SHA2 : 2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD Length : 3514368` ### Conclusion As reported [I reported to the New York Times on Friday](https://www.nytimes.com/2017/05/12/world/europe/international-cyberattack-ransomware.html), new variants were to be expected. The fact the no kill-switch variant is only partially working is most likely a temporary mistake from the attackers. Remember, even though the ransomware decompression is not working — the spreading through ETERNALBLUE & DOUBLEPULSAR is still working. The fact I registered the new kill-switch today to block the new waves of attacks _(sinkhole.tech reported to me they are receiving hits_) is only a temporarily relief which does not resolve the real issue which is that many companies and critical infrastructures are still dependent on legacy and out of support Operating Systems.