CRITICAL — WannaCry Compact Variant | Kill Switch + WNcry@2ol7 | Lazarus/APT38
SHA256 b3cbe2897f850313c9051016f1ef6bcc37a61c9cf86ef9a3f1ba61581ad38014
MD5 2c1947ccf319ca0137282c5c87c61fc2
Size 726 KB
Source apt_iocs_20260704_0100.zip
Analysis date 2026-07-04 08:38 UTC
Tags: WannaCry, Lazarus, Compact, KillSwitch, WNcry
Confidence score: 98%
Family: WannaCry / WanaCrypt0r
§1 📋 Sample Summary
| SHA256 | b3cbe2897f850313c9051016f1ef6bcc37a61c9cf86ef9a3f1ba61581ad38014 |
| MD5 | 2c1947ccf319ca0137282c5c87c61fc2 |
| File type | PE32+ executable (DLL) (console) x86-64 |
| Compiler | MSVC 2010 SP1 (Linker 10.00.40219) |
| Compile timestamp | 2026-07-02 (MalwareBazaar) |
📌 Summary
Compact WannaCry variant (726KB). Both kill switch domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com) and WNcry@2ol7 ransomware payload confirmed. Lazarus/APT38 attribution. Smaller than the 5.1MB standard variant.
§2 🏷️ Classification Tags and Threat Intelligence
Classification tags
| Category | Tag | Confidence |
| Type | Ransomware | VERIFIED |
| Family | WannaCry | VERIFIED |
| Size | 726KB (compact) | NOTABLE |
📌 Evidence → Reasoning → Conclusion
1. Kill switch string → 2. WNcry@2ol7 resource → 3. MSVC 2010 → WannaCry compact variant
Threat intelligence
| Field | Value |
| Associated group | Lazarus (APT38) |
| Alias | WannaCry |
| Motivation | Financial |
| Target sector | Global |
| Campaign name | May 2017 outbreak |
| C2 protocol | Bitcoin |
| C2 infrastructure | iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com |
🎯 Threat Group Determination
Lazarus Group (APT38) — DPRK.
★ §3b 🌐 C2 Architecture Analysis
Communication relationship diagram
graph TD
A["b3cbe289"] --> B["Kill Switch DNS"]
B -->|NXDOMAIN| C["Extract WNcry@2ol7"]
C --> D["AES-128 Encrypt"]
D --> E[".WNCRY files"]
🌐 C2 Communication Deep Analysis
| # | Channel | Target | Protocol | Port | Behavior |
| 1 | Kill Switch | DNS iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | DNS | 53 | Resolved=Exit, NXDOMAIN=Encrypt |
| 2 | Ransomware GUI | WNcry@2ol7 resource extraction | N/A | N/A | Display ransom note |
🔬 C2 Address Analysis Technical Details:
BOTH markers present: kill switch domain + WNcry@2ol7 resource. Compact size (726KB vs typical 5.1MB) suggests this is a trimmed variant or tool component rather than the full dropper.
Channel 1: Kill Switch
| Protocol | DNS |
| Port | 53 |
| Address/Domain | iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com |
| IP | Sinkholed |
| Encryption | None |
| Purpose | Self-destruct guard |
| API references | DnsQuery_W, InternetOpenUrlW |
| Certificate | N/A |
C2 communication timeline
📌 ATT&CK mapping:
§4 🏗️ Structural Analysis
Segment/section layout
s1-s14
MSVC PE sections, .rsrc contains WNcry@2ol7
Entropy analysis
📊 Entropy interpretation
Normal MSVC PE entropy.
§6 🔬 Family Attribution
Compilation metadata
MSVC 2010 SP1 (Linker 10.00.40219).
Family feature comparison
| Dimension | This sample | Also observed in | Match |
| Kill Switch | PRESENT | WannaCry, b15fabb4, b3cbe289 | 0/8 |
| WNcry@2ol7 | PRESENT | WannaCry, b3cbe289 | 0/8 |
| Size | 726KB | b3cbe289 | 0/8 |
| Compiler | MSVC 2010 | WannaCry, b15fabb4, b3cbe289 | 0/8 |
📌 Family attribution conclusion
WannaCry compact variant — both markers, smaller than standard 5.1MB.
Known variants
| Variant | Architecture | Size | Compiler | Features | Status |
| b3cbe289 | x86-64 | 726KB | MSVC 2010 | ? | Compact |
| b15fabb4 | x86-64 | 5.1MB | MSVC 2010 | ? | Standard |
§7 🔬 Deep Behavioral Analysis
Behavior stage breakdown
Protocol/behavior state machine
§8 🔬 Comprehensive Maliciousness Assessment
Multi-dimensional evidence evaluation
| Dimension | Evidence | Weight | Malice index |
| Kill Switch | iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | 30 | 30/10 |
| Ransomware Payload | WNcry@2ol7 resource | 30 | 30/10 |
| APT Attribution | Lazarus (APT38) | 20 | 18/10 |
| Compact Variant | 726KB vs 5.1MB standard | 20 | 15/10 |
⚠ Verdict
CRITICAL — WannaCry
§9 🎯 ATT&CK Mapping
| Tactic | Technique | Name | Evidence |
| Impact | T1486 | Data Encrypted | WNcry@2ol7 ransomware payload |
§10 🛡️ Anti-Analysis Technique Assessment
Anti-debugging
Anti-VM
| Detection method | VMware | VirtualBox | QEMU/KVM |
| None |
Overall assessment
Kill switch present. Compact size variant.
§11 🔧 Reverse Engineering
Ghidra decompilation
| Decompiled function count | N/A |
| Decompilation output | N/A |
| Analysis duration | N/A |
Call chain analysis (GitNexus)
★ §12 🔬 QEMU Dynamic Analysis
| QEMU mode | Win11 Sandbox (VGA 1024x768, NAT) — NOT executed (see b15fabb4 for dynamic analysis) |
| Network isolation | N/A |
| Execution result | Static analysis only. Kill switch domain and ransomware payload both confirmed. Refer to b15fabb4 report for dynamic execution evidence (same family, confirmed GUI + encryption). |
| C2 data | Kill switch: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com |
Dynamic execution deferred — refer to sibling sample b15fabb4 for Win11 sandbox execution evidence (ransomware GUI confirmed at t=15-60s with file encryption).
# Static analysis only — see b15fabb4 for dynamic execution log
§13 📦 IOC Summary
IOC strings
| Offset | String | Type | Purpose/Meaning | Threat level |
| 0x100+ | iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | Kill Switch | Self-destruct guard | CRITICAL |
| 0x200+ | WNcry@2ol7 | Resource | Ransomware GUI payload | CRITICAL |
📌 Key IOC interpretation
Both kill switch and ransomware payload present. This compact variant may be a specific toolkit component.
⚠ High-threat IOC summary
Domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com — Kill switch
Network IOCs
- DNS: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Detection rules (YARA / Suricata)
rule WannaCry_Compact {
    strings:
        $k = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com"   // kill switch domain
        $w = "WNcry@2ol7"                                       // password for the embedded ransomware resource
    condition:
        // MZ magic at offset 0: the file is a PE image
        uint16(0) == 0x5A4D and $k and $w
}
alert dns any any -> any 53 (msg:"WannaCry Kill Switch"; dns_query; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com"; nocase; sid:200003; rev:1;)
§14 📋 Final Verdict
| Verdict | CRITICAL — WannaCry (compact) |
| Malware type | Ransomware |
| Malware family | WannaCry / WanaCrypt0r |
| Threat level | CRITICAL |
| Confidence | 98% — Confirmed WannaCry. Kill switch + WNcry@2ol7 resource both present. Compact size (726KB) suggests optimized/trimmed variant or specific component of the WannaCry toolkit. |
| Associated group | Lazarus Group (APT38) |
| Target platform | Windows x86-64 |
| Position in infection chain | To be determined |
⚡ Overall assessment
Compact WannaCry variant (726KB vs 5.1MB standard). BOTH kill switch domain AND WNcry@2ol7 ransomware payload present — the most feature-complete variant in this batch. MSVC 2010 SP1. Lazarus/APT38 attribution.