CRITICAL — WannaCry Compact Variant | Kill Switch + WNcry@2ol7 | Lazarus/APT38

SHA256 b3cbe2897f850313c9051016f1ef6bcc37a61c9cf86ef9a3f1ba61581ad38014
MD5 2c1947ccf319ca0137282c5c87c61fc2  |  Size 726 KB  |  Source apt_iocs_20260704_0100.zip  |  Analysis date 2026-07-04 08:38 UTC
Tags: WannaCry, Lazarus, Compact, KillSwitch, WNcry
Confidence score: 98%
Family: WannaCry / WanaCrypt0r

§1 📋 Sample Summary

SHA256: b3cbe2897f850313c9051016f1ef6bcc37a61c9cf86ef9a3f1ba61581ad38014
MD5: 2c1947ccf319ca0137282c5c87c61fc2
File size: 726 KB
File type: PE32+ executable (DLL) (console) x86-64
Target architecture: x86-64
Bit width: 64-bit
Endianness: Little Endian
Compiler: MSVC 2010 SP1 (Linker 10.00.40219)
Linking: Dynamic
Packer/protection: None
Entry point: Standard PE
Compile timestamp: 2026-07-02 (MalwareBazaar)
Subsystem: Windows Console
Digital signature: None
📌 Summary
Compact WannaCry variant (726KB). Both the kill switch domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com) and the WNcry@2ol7 ransomware payload are confirmed. Attributed to Lazarus/APT38. Smaller than the 5.1MB standard variant.

§2 🏷️ Classification Tags and Threat Intelligence

Classification tags

Category | Tag | Confidence
Type | Ransomware | VERIFIED
Family | WannaCry | VERIFIED
Size | 726KB (compact) | NOTABLE
📌 Evidence → Reasoning → Conclusion
1. Kill switch string → 2. WNcry@2ol7 resource → 3. MSVC 2010 → WannaCry compact variant

Threat intelligence

Field | Value
Associated group | Lazarus (APT38)
Alias | WannaCry
Motivation | Financial
Target industry | Global
Campaign name | May 2017 outbreak
C2 protocol | Bitcoin
C2 infrastructure | iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
🎯 Threat Group Assessment
Lazarus Group (APT38) — DPRK.

★ §3 🔬 Persistence Mechanisms

No persistence behavior detected.

★ §3b 🌐 C2 Architecture Analysis

Communication relationship diagram (Mermaid)

graph TD
    A["b3cbe289"] --> B["Kill Switch DNS"]
    B -->|NXDOMAIN| C["Extract WNcry@2ol7"]
    C --> D["AES-128 Encrypt"]
    D --> E[".WNCRY files"]

🌐 C2 Communication Deep Analysis

# | Channel | Target | Protocol | Port | Behavior
1 | Kill Switch | DNS iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | DNS | 53 | Resolved = exit, NXDOMAIN = encrypt
2 | Ransomware GUI | WNcry@2ol7 resource extraction | N/A | N/A | Display ransom note
🔬 C2 address analysis technical details:
Both markers are present: the kill switch domain and the WNcry@2ol7 resource. The compact size (726KB vs the typical 5.1MB) suggests a trimmed variant or a tool component rather than the full dropper.

Channel 1: Kill Switch

Protocol: DNS
Port: 53
Address/Domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
IP: Sinkholed
Encryption: None
Purpose: Self-destruct guard
API references: DnsQuery_W, InternetOpenUrlW
Certificate: N/A

C2 communication timeline

⚠ C2 infrastructure assessment

📌 ATT&CK mapping:

§4 🏗️ Structural Analysis

Section layout

Sections s1-s14: MSVC PE sections; .rsrc contains WNcry@2ol7

Entropy analysis

Section | Entropy | Verdict
📊 Entropy interpretation
Normal MSVC PE entropy.
MSVC 2010 SP1 (Linker 10.00.40219).

§5 ⚙️ Disassembly and Behavior Flow

Key function map

Address | Function | Purpose
N/A

System call analysis

Call number | Syscall | Purpose | Address
N/A

Behavior execution flow

§6 🔬 Family Attribution

Compilation metadata

Field | Source

Family feature comparison

Columns compared: WannaCry, b15fabb4, b3cbe289, NotPetya, F5, F6, F7, F8

Dimension | This sample | Matching columns | Match
Kill Switch | PRESENT | WannaCry, b15fabb4, b3cbe289 | 0/8
WNcry@2ol7 | PRESENT | WannaCry, b3cbe289 | 0/8
Size | 726KB | b3cbe289 | 0/8
Compiler | MSVC 2010 | WannaCry, b15fabb4, b3cbe289 | 0/8
📌 Family attribution conclusion
WannaCry compact variant — both markers present, smaller than the standard 5.1MB.

Known variants

Variant | Architecture | Size | Compiler | Feature | Status
b3cbe289 | x86-64 | 726KB | MSVC 2010 | ? | Compact
b15fabb4 | x86-64 | 5.1MB | MSVC 2010 | ? | Standard

§7 🔬 In-depth Behavior Analysis

Behavior phase breakdown

Protocol/behavior state machine

📌 Behavior timeline summary

§8 🔬 Overall Maliciousness Assessment

Multi-dimensional evidence evaluation

Dimension | Evidence | Weight | Malice score
Kill Switch | iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | 30 | 30/10
Ransomware Payload | WNcry@2ol7 resource | 30 | 30/10
APT Attribution | Lazarus (APT38) | 20 | 18/10
Compact Variant | 726KB vs 5.1MB standard | 20 | 15/10
Overall maliciousness assessment

False-positive exclusion argument

Zero

⚠ Verdict

CRITICAL — WannaCry

§9 🎯 ATT&CK Mapping

Tactic | Technique | Name | Evidence
Impact | T1486 | Data Encrypted for Impact | WNcry@2ol7 ransomware payload

§10 🛡️ Anti-analysis Technique Assessment

Anti-debugging

API/Technique | Detection target | Bypass difficulty

Anti-VM

Detection method | VMware | VirtualBox | QEMU/KVM

Overall assessment

Technique | Present | Evidence | Countermeasure difficulty
Kill switch present. Compact size variant.

★ §10b 🧹 Trace Cleanup

Operation | API/Command | Evidence | Source

§11 🔧 Reverse Engineering

Ghidra decompilation

Decompiled functions: N/A
Decompiler output: N/A
Analysis duration: N/A

Call chain analysis (GitNexus)

Total functions | Total call relations | Max call depth
? | ? | ?

★ §12 🔬 QEMU Dynamic Analysis

QEMU mode: Win11 Sandbox (VGA 1024x768, NAT) — NOT executed (see b15fabb4 for dynamic analysis)
Network isolation: N/A
Execution result: Static analysis only. Kill switch domain and ransomware payload both confirmed. Refer to the b15fabb4 report for dynamic execution evidence (same family, confirmed GUI + encryption).
C2 data: Kill switch: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
Dynamic execution deferred; refer to sibling sample b15fabb4 for Win11 sandbox execution evidence (ransomware GUI confirmed at t=15-60s with file encryption).
# Static analysis only — see b15fabb4 for dynamic execution log

§13 📦 IOC Summary

IOC strings

Offset | String | Type | Purpose/Meaning | Threat level
0x100+ | iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | Kill Switch | Self-destruct guard | CRITICAL
0x200+ | WNcry@2ol7 | Resource | Ransomware GUI payload | CRITICAL

📌 Key IOC interpretation

Both the kill switch and the ransomware payload are present. This compact variant may be a specific toolkit component.

⚠ High-threat IOC summary

Domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com — Kill switch

Network IOCs

  • DNS: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com

Host IOCs

  • File: *.WNCRY

YARA and Suricata detection rules

    rule WannaCry_Compact
    {
        meta:
            description = "WannaCry compact variant: kill switch domain plus WNcry@2ol7 resource"
        strings:
            $k = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com"
            $w = "WNcry@2ol7"
        condition:
            // MZ header check; the original "$p=\"PE\" at 0" is invalid YARA syntax and "PE" never sits at offset 0
            uint16(0) == 0x5A4D and $k and $w
    }

    alert dns any any -> any 53 (msg:"WannaCry Kill Switch"; dns_query; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com"; nocase; sid:200003; rev:1;)

§14 📋 Final Verdict

Verdict: CRITICAL — WannaCry (compact)
Malware type: Ransomware
Malware family: WannaCry / WanaCrypt0r
Threat level: CRITICAL
Confidence: 98% — Confirmed WannaCry. Kill switch and WNcry@2ol7 resource both present. The compact size (726KB) suggests an optimized/trimmed variant or a specific component of the WannaCry toolkit.
Associated group: Lazarus Group (APT38)
Target platform: Windows x86-64
Position in infection chain: To be determined

⚡ Overall Verdict

Compact WannaCry variant (726KB vs 5.1MB standard). BOTH the kill switch domain AND the WNcry@2ol7 ransomware payload are present, making this the most feature-complete variant in this batch. MSVC 2010 SP1. Lazarus/APT38 attribution.