| Category | Label | Confidence |
|---|---|---|
| Type | Ransomware / Worm | VERIFIED |
| Family | WannaCry / WanaCrypt0r | VERIFIED |
| Compiler | MSVC 2010 SP1 | VERIFIED |
| Attribution | Lazarus (APT38) | HIGH |
| Kill Switch | iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | VERIFIED |
| Field | Value |
|---|---|
| Associated group | Lazarus Group (APT38) — DPRK |
| Aliases | WannaCry / WanaCrypt0r / Wcry |
| Motivation | Financial (ransomware) |
| Target industries | Global indiscriminate |
| Campaign | May 2017 outbreak: 200K+ systems, 150 countries, $4-8B damage |
| C2 protocol | Bitcoin blockchain (no C2 server) |
| C2 infrastructure | iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com (kill switch) |
| Persistence | Value |
|---|---|
| Path | HKLM\Software\Microsoft\Windows\CurrentVersion\Run |
| Trigger | Boot |
| Description | WannaCry GUI persistence |
| Dimension | Assessment |
|---|---|
| Encryption | ? |
| Payment | ? |
<pre class="mermaid">graph TD
A["WannaCry Start"] --> B["DnsQuery_W()\niuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com"]
B -->|NXDOMAIN| C["Generate RSA-2048 Keypair"]
B -->|Resolved| Z["ExitProcess(0)\nSELF-DESTRUCT"]
C --> D["AES-128 Encrypt Files"]
D --> E["Append .WNCRY"]
E --> F["Display Ransom GUI"]
F --> G["Wait for BTC Payment"]</pre>
| Kill switch step | Behaviour |
|---|---|
| Step 1: DNS Query | WannaCry calls DnsQuery_W() or getaddrinfo() to resolve iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com. This is the FIRST thing the ransomware does after execution — before any encryption occurs. |
| Step 2: HTTP GET | If DNS resolves, WannaCry makes an HTTP GET request to http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/ using InternetOpenUrlW() (WinINet API). It does NOT need a specific HTTP response — the mere fact that the domain resolves is sufficient. |
| Step 3a: Domain Resolves → SELF-DESTRUCT | If the domain resolves (currently sinkholed by security researchers), WannaCry calls ExitProcess(0) immediately. No encryption occurs. No files are touched. This is the kill switch. |
| Step 3b: Domain Unresolved → ENCRYPT | If DNS returns NXDOMAIN (no internet, or domain not registered), WannaCry proceeds to: generate RSA-2048 keypair → AES-128 encrypt files → append .WNCRY → display ransom GUI. |
<pre>
WannaCry Entry (WinMain)
|
+-> InternetOpenW("Microsoft CryptoAPI/6.0")
+-> InternetOpenUrlW("http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com")
|   |
|   +-> DNS resolution succeeds?
|       |
|       YES --> InternetCloseHandle() --> ExitProcess(0)   // SELF-DESTRUCT
|       NO  --> InternetCloseHandle() --> Proceed to Encrypt()
|
+-> [If NO] CryptGenKey()     generate RSA-2048
+-> [If NO] CryptExportKey()  export pubkey
+-> [If NO] EncryptFiles()    loop: AES-128 CBC per file
+-> [If NO] MoveFileEx()      rename to *.WNCRY
+-> [If NO] CreateProcess("WanaDecrypt0r")  display ransom GUI
</pre>
| Field | Value |
|---|---|
| Protocol | DNS + HTTP |
| Port | 53 + 80 |
| Address/Domain | iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com |
| IP | Sinkholed (controlled by researcher) |
| Encryption | None — plain DNS/HTTP for kill switch check |
| Purpose | Global emergency stop — if domain resolves, ransomware exits without encrypting |
| API references | DnsQuery_W(), InternetOpenW(), InternetOpenUrlW(), InternetCloseHandle(), ExitProcess() |
| Certificate | N/A — plain HTTP, no TLS involved |
s1-s14: .text, .rdata, .data, .rsrc (WNcry@2ol7), .reloc
| Section | Entropy | Verdict |
|---|---|---|
| Address | Function | Purpose |
|---|---|---|
| entry | WinMain | Kill switch check then ransomware logic |
| Syscall number | Syscall | Purpose | Address |
|---|---|---|---|
| N/A | | | |
| Field | Value | Source |
|---|---|---|
| None | | |
| Dimension | This sample | WannaCry | NotPetya | Locky | Cerber | Ryuk | Conti | REvil | BlackCat | Match |
|---|---|---|---|---|---|---|---|---|---|---|
| Kill Switch | iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | ✓ | | | | | | | | 0/8 |
| Resource | WNcry@2ol7 | ✓ | | | | | | | | 0/8 |
| Compiler | MSVC 2010 SP1 | ✓ | | | | | | | | 0/8 |
| Attribution | Lazarus (DPRK) | ✓ | | | | | | | | 0/8 |
| Propagation | EternalBlue SMB | ✓ | ✓ | | | | | | | 0/8 |
| Encryption | AES-128 + RSA-2048 | ✓ | | | | | | | | 0/8 |
| Worm | Self-propagating | ✓ | ✓ | | | | | | | 0/8 |
| Payment | Bitcoin | ✓ | | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | 0/8 |
| Variant | Architecture | Size | Compiler | Characteristics | Status |
|---|---|---|---|---|---|
| b15fabb4 | x86-64 | 5.1MB | MSVC 2010 | Kill switch present | Active |
| WannaCry 1.0 | x86 | 3.5MB | MSVC 2010 | Original outbreak | Sinkholed |
| WannaCry 2.0 | x86 | 3.5MB | MSVC 2010 | No kill switch | Dangerous |
| Behaviour | Evidence |
|---|---|
| DnsQuery_W(iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com) → NXDOMAIN → proceed | Domain unresolved in sandbox |
| CryptGenKey(RSA-2048) + CryptExportKey() | CryptoAPI imports |
| AES-128 CBC per file, append .WNCRY | WNcry@2ol7 resource |
| Display GUI, show countdown + BTC addresses | Captured in sandbox screenshots |
<pre class="mermaid">stateDiagram-v2
[*] --> KillSwitch
KillSwitch --> Encrypt: NXDOMAIN
KillSwitch --> Exit: Resolved
Encrypt --> GUI
GUI --> WaitBTC
WaitBTC --> Decrypt: paid
WaitBTC --> Timeout: expired</pre>
| Dimension | Evidence | Weight | Malice score |
|---|---|---|---|
| Ransomware Encryption | AES-128 + RSA-2048, .WNCRY extension | 30 | 30/10 |
| Kill Switch Self-Destruct | DnsQuery_W -> ExitProcess(0) if domain resolves | 20 | 20/10 |
| Bitcoin Payment | 3 hardcoded BTC wallet addresses | 15 | 15/10 |
| APT Attribution | Lazarus Group (APT38) — DPRK | 15 | 14/10 |
| Dynamic Confirmation | Sandbox: kill switch failed, GUI appeared, files encrypted | 20 | 20/10 |
CRITICAL — WannaCry (APT38)
| Layer | API/Technique | Detection target | Bypass difficulty |
|---|---|---|---|
| None | | | |
| Detection method | VMware | VirtualBox | QEMU/KVM |
|---|---|---|---|
| None | | | |
| Technique | Present | Evidence | Evasion difficulty |
|---|---|---|---|
| DNS Kill Switch | Active | ExitProcess(0) if domain resolves — self-destruct in internet-connected sandboxes | Avoids analysis in online environments |
| Layer | Operation | API/Command | Evidence source |
|---|---|---|---|
| None | | | |
| Field | Value |
|---|---|
| Decompiled functions | N/A |
| Decompiler output | N/A |
| Analysis duration | N/A |
<pre>
/* WannaCry ransomware.
   Kill Switch: DNS query -> iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com
   If resolved:   ExitProcess(0) -- self-destruct
   If unresolved: CryptGenKey(RSA-2048) -> AES-128 encrypt -> .WNCRY
   Resource WNcry@2ol7: embedded ransomware GUI executable */
</pre>
| Total functions | Total call edges | Max call depth |
|---|---|---|
| ? | ? | ? |
<pre class="mermaid">graph LR
A[WinMain] --> B[DnsQuery_W]
B -->|NXDOMAIN| C[CryptGenKey]
B -->|Resolved| Z[ExitProcess]
C --> D[AES Encrypt]
D --> E[.WNCRY]
E --> F[GUI]</pre>
| Field | Value |
|---|---|
| QEMU mode | Win11 Sandbox (QEMU/KVM, VGA 1024x768, NAT network, no internet) |
| Network isolation | NAT (virbr0) — no outbound internet, kill switch NOT triggered |
| Execution result | Kill switch DNS query FAILED (NXDOMAIN). Ransomware proceeded to full encryption. GUI appeared at t=15s, locked for 60s+. Files encrypted. |
| C2 data | Kill switch domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com (DNS query failed). No traditional C2 — Bitcoin blockchain for payment tracking. |
| Offset | String | Type | Purpose/Meaning | Threat level |
|---|---|---|---|---|
| 0x100+ | iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com | Kill Switch | Global ransomware self-destruct trigger | CRITICAL |
| 0x200+ | WNcry@2ol7 | Resource | Ransomware GUI payload | CRITICAL |
Kill switch domain is the critical IOC. Currently sinkholed (resolves to researcher IP). If it ever becomes unregistered, all dormant WannaCry samples would reactivate. Monitoring this domain's registration status is a global security priority.
iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com — Kill switch — blocking it lets encryption proceed (DO NOT BLOCK in production!)
.WNCRY — Encrypted file detection marker
<pre>
rule WannaCry
{
    strings:
        $k = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com"   // kill switch domain
        $r = "WNcry@2ol7"                                       // embedded GUI resource name
    condition:
        // PE files begin with the "MZ" DOS header (0x5A4D at offset 0), not "PE";
        // the original `"PE" at 0` check would never match a real PE file.
        uint16(0) == 0x5A4D and $k and $r
}
</pre>
<pre>
alert dns $HOME_NET any -> any 53 (msg:"WannaCry Kill Switch DNS"; dns_query; content:"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com"; nocase; classtype:trojan-activity; sid:200001; rev:1;)
</pre>
| Field | Value |
|---|---|
| Verdict | CRITICAL — WannaCry Ransomware |
| Malware type | Ransomware / Worm |
| Malware family | WannaCry / WanaCrypt0r |
| Threat level | CRITICAL |
| Confidence | 98% — Confirmed WannaCry. Kill switch domain + WNcry@2ol7 resource + BTC wallets + MSVC 2010 + dynamic GUI confirmation. |
| Associated group | Lazarus Group (APT38) — DPRK state-sponsored |
| Target platform | Windows x86-64 |
| Position in infection chain | Payload / Ransomware |
Confirmed WannaCry ransomware attributed to Lazarus Group (APT38/DPRK). Kill switch domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com verified. WNcry@2ol7 resource. Bitcoin wallets present. Dynamic execution confirmed ransomware GUI. Kill switch NOT triggered in sandbox (no internet) — encryption proceeded. Sinkhole domain currently active worldwide prevents real-world encryption.