Reference:
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
WannaCry/WCry Execution Flow
All Windows versions prior to Windows 10 that lack the MS17-010 patch are affected. The worm spreads using the EternalBlue exploit for MS17-010.
A machine can be infected if its SMB port (TCP 445) is reachable, or if it already carries the DOUBLEPULSAR backdoor. The MS17-010 patch fixes the underlying vulnerability on the affected systems.
- Windows XP: does not spread after infection. If executed manually, it still encrypts files.
- Windows 7, 8, 2008: if unpatched, it spreads and encrypts files.
- Windows 10: does not spread, but Windows 10 also ships the buggy SMB driver, so patching is still advised.
- Linux: does not spread, but if run under Wine it still encrypts files.
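Since the spread condition above is an SMBv1 server reachable on TCP 445, the practical check is to find which hosts still answer an SMBv1 Negotiate. The script below is an added example (not from the gist or the notes): it builds the NetBIOS-framed SMBv1 NT LM 0.12 Negotiate request by hand, sends it, and reports whether the server accepted the dialect. The target addresses are constructed placeholders from TEST-NET-1, and the synthetic server response is constructed so the parser can be exercised offline.

```python
"""Probe hosts for TCP/445 and check whether the server still answers an
SMBv1 (NT LM 0.12) Negotiate request. Added example for triage; targets
below are constructed placeholders."""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT_NTLM012 = b"\x02NT LM 0.12\x00"   # 0x02 prefix + dialect string + NUL


def build_smb1_negotiate(pid: int = 0xFEFF) -> bytes:
    """Build a NetBIOS-framed SMBv1 Negotiate request offering one dialect."""
    header = (
        SMB1_MAGIC
        + struct.pack("<B", SMB_COM_NEGOTIATE)   # Command
        + struct.pack("<I", 0)                  # NT status
        + struct.pack("<B", 0x18)               # Flags: canonical paths, case-insensitive
        + struct.pack("<H", 0xC801)             # Flags2: Unicode, NT status, ext. security, long names
        + struct.pack("<H", 0)                  # PID high
        + b"\x00" * 8                           # Security signature
        + struct.pack("<H", 0)                  # Reserved
        + struct.pack("<HHHH", 0, pid, 0, 0)    # TID, PID, UID, MID
    )
    assert len(header) == 32
    # WordCount 0, then ByteCount and the dialect list
    body = struct.pack("<BH", 0, len(DIALECT_NTLM012)) + DIALECT_NTLM012
    smb = header + body
    # NetBIOS session service: message type 0x00 + 3-byte big-endian length
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_smb1_negotiate_response(data: bytes):
    """Return the DialectIndex from a successful SMBv1 Negotiate response,
    or None if the bytes are not such a response. 0xFFFF means the server
    accepted none of the offered dialects."""
    if len(data) < 4 + 32 + 1 + 2:
        return None
    smb = data[4:]                       # strip NetBIOS header
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return None
    if struct.unpack_from("<I", smb, 5)[0] != 0:   # NT status must be success
        return None
    if smb[32] == 0:                     # WordCount 0: no DialectIndex present
        return None
    return struct.unpack_from("<H", smb, 33)[0]


def probe_host(host: str, port: int = 445, timeout: float = 2.0) -> dict:
    """Connect to host:port, send the Negotiate, and classify the answer."""
    result = {"host": host, "port_open": False, "smb1": False, "dialect_index": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["port_open"] = True
            s.sendall(build_smb1_negotiate())
            data = s.recv(4096)
    except OSError:
        # refused, timed out, or reset (hosts with SMBv1 disabled often reset here)
        return result
    idx = parse_smb1_negotiate_response(data)
    result["dialect_index"] = idx
    result["smb1"] = idx is not None and idx != 0xFFFF
    return result


def constructed_negotiate_response() -> bytes:
    """Synthetic server reply (constructed for this example) selecting
    dialect index 0, i.e. NT LM 0.12 accepted."""
    header = (SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + struct.pack("<I", 0)
              + b"\x98" + struct.pack("<H", 0xC801) + b"\x00" * 20)
    params = b"\x11" + struct.pack("<H", 0) + b"\x00" * 32   # WordCount 17, DialectIndex 0
    smb = header + params + struct.pack("<H", 0)              # ByteCount 0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or ["192.0.2.10", "192.0.2.11"]   # constructed placeholders
    for t in targets:
        print(probe_host(t))
```

A host that accepts NT LM 0.12 is exposed to SMBv1 traffic; it is not necessarily unpatched, since MS17-010 fixes the driver without disabling the protocol. Treat a positive result as "verify the patch level and consider disabling SMBv1", not as proof of vulnerability.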
Malware samples
- hxxps://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
- hxxps://transfer.sh/PnDIl/CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE
- hxxps://transfer.sh/ZhnxR/CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.EXE (main dll)
Binary blob in the PE is encrypted with the password 'WNcry@2ol7', credits to ens!
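The password-protected blob is a ZIP archive appended inside the launcher PE. The script below is an added example, not code from the gist or the sample authors: it carves every ZIP (local file header through end-of-central-directory record) out of an arbitrary binary and extracts the members with the password above. Because Python's zipfile module cannot write encrypted entries, the embedded sample here is a constructed, unencrypted stand-in with invented member names; the password is still passed and is used as soon as a real, encrypted archive is given.

```python
"""Carve ZIP archives embedded in a PE and extract them with the known
password. Added example; the sample binary below is constructed so the
script runs offline."""
import io
import struct
import zipfile
from typing import Dict, List

WNCRY_PASSWORD = b"WNcry@2ol7"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"


def find_embedded_zips(blob: bytes) -> List[bytes]:
    """Return each candidate archive: from a local file header up to and
    including the next end-of-central-directory (EOCD) record."""
    zips = []
    start = blob.find(ZIP_LOCAL_HEADER)
    while start != -1:
        eocd = blob.find(ZIP_EOCD, start)
        if eocd == -1:
            break
        # EOCD is 22 bytes plus an optional comment whose length is at offset 20
        comment_len = 0
        if eocd + 22 <= len(blob):
            comment_len = struct.unpack_from("<H", blob, eocd + 20)[0]
        end = min(eocd + 22 + comment_len, len(blob))
        zips.append(blob[start:end])
        start = blob.find(ZIP_LOCAL_HEADER, end)
    return zips


def extract_payload(zip_bytes: bytes, password: bytes = WNCRY_PASSWORD) -> Dict[str, bytes]:
    """Extract every file member, returning {name: content}. The password is
    applied to encrypted members; unencrypted members open regardless."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info, pwd=password) as f:
                out[info.filename] = f.read()
    return out


def constructed_sample() -> bytes:
    """Stand-in for the launcher: fake DOS/PE carrier bytes with a ZIP
    appended. Member names and contents are invented for this example."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", b"constructed payload bytes")
        zf.writestr("note.txt", b"constructed ransom note text")
    carrier = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 200   # not a valid PE
    return carrier + buf.getvalue()


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    for i, z in enumerate(find_embedded_zips(blob)):
        try:
            for name, content in extract_payload(z).items():
                print(f"archive {i}: {name} ({len(content)} bytes)")
        except RuntimeError as e:          # zipfile raises this on a bad password
            print(f"archive {i}: {e}")
```

Carving from the first local header works because ZIP offsets in the central directory are relative to the start of the archive, so the carved slice opens as a normal file. Run it against a real launcher with `python carve.py sample.exe`.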
- parents https://pastebin.com/quvVH5hS (all known variants of the Wcry launcher containing eternalblue)
- children https://pastebin.com/A2pxw49F (all variants of Wcry, the actual ransomware, being currently observed in the wild)
essentially the full known catalogue of samples. credit to errantbot and @codexgigassys