RANSOM_WCRY.SM2

This Ransomware does not have any backdoor routine.

It executes the dropped file(s). As a result, malicious routines of the dropped files are exhibited on the affected system.

Arrival Details

This malware arrives via the following means:

• Microsoft Windows SMB Server (MS17-010) Vulnerability

Autostart Technique

This Ransomware registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\mssecsvc2.0
Type = "16"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\mssecsvc2.0
Start = "2"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\mssecsvc2.0
ErrorControl = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\mssecsvc2.0
ImagePath = "{initial malware file path} -m security"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\mssecsvc2.0
DisplayName = "Microsoft Security Center (2.0) Service"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\mssecsvc2.0
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\mssecsvc2.0\security
Security = {hex values}

It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\mssecsvc2.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\mssecsvc2.0\security

It starts the following services:

• Service Name: mssecsvc2.0
  Display Name: Microsoft Security Center (2.0) Service
  Path to Executable: "{initial malware file path} -m security"

Backdoor Routine

This Ransomware does not have any backdoor routine.

Dropping Routine

This Ransomware drops the following files:

• %Windows%\tasksche.exe ← detected as RANSOM_WCRY.DAM

It executes the dropped file. As a result, malicious routines of the dropped file are exhibited on the affected system.

Other Details

This Ransomware does the following:

• It connects to http://www.{BLOCKED}sodp9ifjaposdfjhgosurijfaewrwergwea.com. It is initially used as a kill switch for infection, however on this variant, it will still continue with its routine regardless of the connection.
• It scans the following to check for open port 445:
  • Randomly-generated IP addresses over the Internet
• If it finds a host on the Internet with open port 445, it will attempt to exploit MS17-010 vulnerability to drop and execute a copy of itself to the remote host.
• It uses the following file path for its dropped copies on the remote hosts.
  %Windows%\mssecsvc.exe
• It checks for the presence of the file %Windows%\tasksche.exe. If the file exists, it will rename the file using the following name %Windows%\qeriuwjhrf.
• It executes %Windows%\tasksche.exe with /i parameter.