WannaCry or WannaCrypt or WannaCrypt.RSM (high risk alert)

Ransom: according to the Cambridge Dictionary, a large amount of money that is demanded in exchange for someone who has been taken prisoner, or sometimes for an animal. Nowadays a ransom can also be demanded for important data. When the thing being held is vital data or information, the malware that does it is known as ransomware.



This time we want to discuss a high-risk ransomware called WannaCry. According to SonicWall Security Center’s research, they noticed the ransomware in mid-April and published protections. The ransomware has since been updated to WannaCrypt version 2, whose UI looks like the image featured in this post, and they have published some symptoms you will see when your system has been attacked. We’d like to share these with you to make you aware of the ransomware.

Ransomware causes denial of access to your vital information. Be aware of this.


SonicWall Security Center reports the following:

WannaCrypt.RSM is a Trojan. A Trojan is a program that pretends to have a valid use, but in fact modifies the user’s computer in malicious ways. Trojans do not replicate or spread to other computers.

File Related Changes:
It drops the following file(s) on the system:

  • “C:\Documents and Settings\Default User\Start Menu\Programs\Startup\SDEF.tmp”
  • “C:\WINDOWS\Temp\!WannaDecryptor!.exe”
  • “C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SDCE.tmp”
  • “C:\WINDOWS\Temp\112881393834640_.bat”
  • “C:\Documents and Settings\Admin\Start Menu\Programs\Startup\SD8D.tmp”

It modifies the following additional file(s) on the system:

  • “C:\WINDOWS\system32\wbem\Logs\WMIC.LOG”

Process Related Changes:
It creates the following mutex(es):

  • “ZonesCacheCounterMutex”
  • “ZonesLockedCacheCounterMutex”
  • “c:!documents and settings!admin!local settings!history!history.ie5!”
  • “CTF.TMD.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003”
  • “CTF.TimListCache.FMPDefaultS-1-5-21-1078081533-842925246-854245398-1003MUTEX.DefaultS-1-5-21-1078081533-842925246-854245398-1003”
  • “CTF.Compart.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003”
  • “c:!documents and settings!admin!local settings!temporary internet files!content.ie5!”
  • “ZoneAttributeCacheCounterMutex”
  • “WininetConnectionMutex”
  • “CTF.Layouts.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003”
  • “CTF.Asm.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003”
  • “ZonesCounterMutex”
  • “CTF.LBES.MutexDefaultS-1-5-21-1078081533-842925246-854245398-1003”
  • “c:!documents and settings!admin!cookies!”

It creates the following process(es):

  • C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im Microsoft.Exchange. ]
  • C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe ]
  • C:\WINDOWS\Temp\b9b3965d1b218c63cd317ac33edcb942.exe [ \c:\windows\temp\b9b3965d1b218c63cd317ac33edcb942.exe ]
  • C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im MSExchange ]
  • C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe v ]
  • C:\WINDOWS\system32\cmd.exe [ cmd.exe /c start /b !WannaDecryptor!.exe v ]
  • C:\WINDOWS\system32\cmd.exe [ cmd.exe /c vssadmin delete shadows /all /quiet wmic shadowcopy delete bcdedit /set {default} bootstatuspolicy ignoreallfailures bcdedit /set {default} recoveryenabled no wbadmin delete catalog -quiet ]
  • C:\WINDOWS\system32\wbem\wmic.exe [ wmic shadowcopy delete ]
  • C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe c ]
  • C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im sqlserver.exe ]
  • C:\WINDOWS\system32\cmd.exe [ cmd /c 112881393834640.bat ]
  • C:\WINDOWS\system32\taskkill.exe [ taskkill /f /im sqlwriter.exe ]
  • C:\WINDOWS\Temp\!WannaDecryptor!.exe [ !WannaDecryptor!.exe f ]
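
A defender-side way to use the process list above, as an added example that is not part of the SonicWall alert or of this post: it matches process-creation command lines against the shadow-copy, boot-recovery, backup-catalog and service-kill commands listed, and flags a host only when two or more distinct behaviours appear. The rule names, the threshold and the sample events are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Behaviours taken from the process list above; matching is case-insensitive
# because Windows command lines are.
RULES = {
    "shadow_delete_vssadmin": r"\bvssadmin(\.exe)?\s+delete\s+shadows\b",
    "shadow_delete_wmic":     r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
    "boot_recovery_disabled": r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+recoveryenabled\s+no\b",
    "boot_failures_ignored":  r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b",
    "backup_catalog_deleted": r"\bwbadmin(\.exe)?\s+delete\s+catalog\b",
    "db_or_mail_proc_killed": r"\btaskkill(\.exe)?\s+/f\s+/im\s+"
                              r"(sqlserver\.exe|sqlwriter\.exe|msexchange|microsoft\.exchange)",
    "wannadecryptor_image":   r"!WannaDecryptor!\.exe",
}
COMPILED = {name: re.compile(rx, re.I) for name, rx in RULES.items()}

def match_rules(cmdline):
    """Return the set of rule names whose pattern appears in one command line."""
    return {name for name, rx in COMPILED.items() if rx.search(cmdline)}

def triage(events, threshold=2):
    """Group hits per host; report hosts showing >= threshold distinct behaviours."""
    hits = defaultdict(set)
    for host, cmdline in events:
        hits[host] |= match_rules(cmdline)
    return {h: sorted(r) for h, r in hits.items() if len(r) >= threshold}

# Constructed sample events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("ws-01", r"cmd.exe /c vssadmin delete shadows /all /quiet"),
    ("ws-01", r"wmic shadowcopy delete"),
    ("ws-01", r"taskkill /f /im sqlwriter.exe"),
    ("ws-01", r"C:\WINDOWS\Temp\!WannaDecryptor!.exe f"),
    ("ws-02", r"vssadmin list shadows"),           # read-only query, no match
    ("ws-02", r"taskkill /f /im notepad.exe"),     # unrelated kill, no match
    ("srv-03", r"wbadmin delete catalog -quiet"),  # single hit, below threshold
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
```

Backup and maintenance tools also issue some of these commands on their own, which is why a single hit is not reported; tune the threshold to the environment.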

Network Activity:
We observed the following DNS query/queries:

  • dist.torproject.org
  • www.dropbox.com
  • www.download.windowsupdate.com

It attempts to connect to the following remote servers:

  • 127.xxxxxx:1031
  • 127.xxxxxx:1037


As of May 12th 2017 we have observed a new variant of the WannaCrypt Ransomware. It has been reported that version 2 of this ransomware has been deployed by its operators on a large international scale. It has wreaked havoc on the UK’s National Health Service, hitting at least 15 hospitals across the nation and causing denial of access to vital patient information. Other targets include Spanish telecommunications companies such as Vodafone and Telefonica.

