The main launcher has a curious feature: before it does anything else, it tries to connect to a hard-coded domain. If the connection succeeds, the binary exits and does nothing further. This has been dubbed the killswitch. The killswitch domains found so far have been registered by security researchers (see here and here), which has had the effect of hampering the spread of the malware. Hint: don't block these domains on your network, because a host that cannot reach them will continue on to encrypt and propagate.
Extracting the Ransomware
If there is no reply from the killswitch domain, it then checks its command-line argument count. If there are fewer than two arguments (i.e. it was launched directly with no parameters), it creates a new service with display name "Microsoft Security Center (2.0) Service" and service name "mssecsvc2.0".
Next, the WannaCry ransomware component is extracted from the resource section, dropped into C:\Windows, and a new process C:\WINDOWS\tasksche.exe is spawned.
If there are two or more arguments, it instead opens the existing malware service "mssecsvc2.0", changes its configuration via SERVICE_CONFIG_FAILURE_ACTIONS (so that the service is restarted automatically if it fails), and then starts the service, which runs the propagation function built on the SMB exploit.
Scan the networks
Next, one thread is started to scan local IPs and 128 threads to scan public IPs:
For local IPs, it gathers the machine's adapter addresses using the GetAdaptersInfo() API, then checks each target IP for MS17-010 (the EternalBlue SMBv1 vulnerability) and transfers the payload if the host is vulnerable:
For public IPs, the malware generates target addresses with the CryptGenRandom() API by default, falling back to rand() if that fails. The randomly generated first octet is rejected if it equals 127 (loopback) or is 224 or greater (multicast and reserved space); the second, third and fourth octets are also random. It then checks whether port 445 on the target is open.
If port 445 is open, it goes on to scan the target's entire /24 range, creating a thread for each address that attempts the exploit.
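To make the public-IP target selection concrete, here is a small model of it in Python. This is an added illustration written for this page, not code from the malware or from the original analysis: the port-445 probe is abstracted into a callable so it runs offline, a seedable random.Random stands in for both CryptGenRandom() and rand(), and the /24 expansion covers all 256 addresses of the block (the text says "entire /24"; whether the real scanner skips .0 and .255 is not stated and is assumed here).

```python
"""Model of WannaCry's public-IP target selection (constructed example)."""
import ipaddress
import random
from typing import Callable, List


def first_octet_allowed(octet: int) -> bool:
    """Apply the documented restriction: no 127.x.x.x and nothing at or above 224."""
    return octet != 127 and octet < 224


def seeded_rng(seed: int) -> random.Random:
    """Deterministic stand-in for CryptGenRandom()/rand() so runs are reproducible."""
    return random.Random(seed)


def random_public_target(rng: random.Random) -> str:
    """Draw a.b.c.d, redrawing the first octet until it passes the filter."""
    while True:
        first = rng.randrange(256)
        if first_octet_allowed(first):
            break
    rest = [rng.randrange(256) for _ in range(3)]
    return ".".join(str(o) for o in [first, *rest])


def slash24_targets(ip: str) -> List[str]:
    """Expand a hit into every address of its /24 (x.y.z.0 through x.y.z.255).

    Assumption: the full 256-address block is scanned; the page does not say
    whether the network and broadcast addresses are skipped.
    """
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    return [str(addr) for addr in net]


def sweep(rng: random.Random, probe_445: Callable[[str], bool], attempts: int) -> List[str]:
    """Pick `attempts` random targets; whenever the 445 probe reports open,
    return the whole surrounding /24 as the hosts an exploit thread would attack."""
    targets: List[str] = []
    for _ in range(attempts):
        ip = random_public_target(rng)
        if probe_445(ip):
            targets.extend(slash24_targets(ip))
    return targets


if __name__ == "__main__":
    # Constructed probe: pretend only hosts starting with 10. answer on 445.
    demo = sweep(seeded_rng(1), lambda ip: ip.startswith("10."), attempts=2000)
    print(f"{len(demo)} addresses queued for exploitation across {len(demo) // 256} /24 blocks")
```

The point the model makes is that a single open port 445 anywhere in a randomly chosen block turns into 256 exploit attempts, which is why a scan thread pool of 128 produces so much SMB noise; watching for bursts of outbound 445 SYNs to consecutive addresses is a practical detection hook.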