Can North Korea be Linked to WannaCry? A Timestamp Analysis
Published by Nick Griffin (May 19, 2017)
Performanta have analysed three earlier variants of the WannaCry ransomware from April and May 2017 which attempt to guess and brute-force passwords used for SMB in order to copy themselves to network shares. These samples are evidence that the WannaCry malware author(s) have long intended to launch a widespread ransomware epidemic. We also analysed embedded timestamps found within the samples which indicate a possible link to East Asia.
After reviewing WannaCry samples on VirusTotal (VT) we noticed what appeared to be earlier versions of the malware containing SMB propagation code. Many of them appear to be corrupted in very similar ways to WannaCry 2.0 samples, once again indicating that there may be a bug in how the malware propagates over SMB.
There appear to be three distinct variants containing this code which were uploaded to VT between April and May. The earliest intact and fully-functional sample dates back to April 28 according to its Portable Executable (PE) compilation timestamp. Based on comments posted with the uploaded samples it appears as though they were found in somebody’s SMB honeypot, indicating that these samples were propagating in the wild at the time.
Each variant contains a hard-coded list of usernames and passwords which it attempts to use when connecting to remote machines over SMB. A comparison table of the three variants can be found below.
Variant SHA256 | Compilation Timestamp | Entry Point | Number of Passwords for SMB Brute-forcing
Based on these findings, and cross-referencing our research with other analyses, we have now separated WannaCry into three distinct versions. We refer to the three variants in this blog as version 1.0.
SMB Brute-forcing Attack
The three WannaCry 1.0 variants identified all possess the ability to copy themselves to network shares over SMB. They do this by attempting to login to the target machine using a hard-coded list of usernames and passwords. All three variants use the same list of usernames:
administrator
admin
administrador
These samples also show a clear sign of active development. The two earliest compiled versions (12d67c587e114d8dde56324741a8f04fb50cc3160653769b8015bc5aec64d20b and 80161d8b4eede382ac7463cc69a9de73a6edec4ec4a82a5b107047061cd653ec) attempt password variations using the years 2009 to 2020. For example, one of the passwords attempted is “p@ssw0rd”, which means the following passwords are also attempted:
p@ssw0rd09
p@ssw0rd2009
p@ssw0rd09!
p@ssw0rd2009!
p@ssw0rd@2009
p@ssw0rd10
p@ssw0rd2010
p@ssw0rd10!
p@ssw0rd2010!
p@ssw0rd@2010
...and so forth...
p@ssw0rd20
p@ssw0rd2020
p@ssw0rd20!
p@ssw0rd2020!
p@ssw0rd@2020
Other variations are also attempted such as “p@ssw0rd1!” and in total there are 74 different variations used for a small subset of the passwords.
In the latest compiled variant (7edc4f216f4002a76e6c20616fea74c649b31da01fd65a73fd52bdcd929b3f48), however, the malware author has instead opted to get the current year from the infected machine’s system time and use variations for that year to ten years previous (i.e. 2017 to 2007). The year-based variations used are the same as the two previous WannaCry variants, although in this third variant there are only 69 total possible variations.
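As an added illustration (not part of the original post), the following Python snippet shows what the SMB credential brute-forcing described above looks like from the target's side and how a defender might flag it: it runs a simple burst detector over constructed, flattened Windows Security logon events (4625 = failed logon, 4624 = successful logon, logon type 3 = network). The log line format, hosts and thresholds are assumptions for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime

# The three usernames the WannaCry 1.0 variants cycle through (from the write-up above).
WANNACRY_USERS = {"administrator", "admin", "administrador"}

# Constructed sample events, one per line (not real logs): a burst of network-logon
# failures from one source, a success once a password is guessed, and benign noise.
SAMPLE_LOG = """\
2017-04-28T03:12:01Z 4625 src=10.0.0.23 user=administrator logontype=3
2017-04-28T03:12:01Z 4625 src=10.0.0.23 user=administrator logontype=3
2017-04-28T03:12:02Z 4625 src=10.0.0.23 user=admin logontype=3
2017-04-28T03:12:02Z 4625 src=10.0.0.23 user=administrador logontype=3
2017-04-28T03:12:03Z 4625 src=10.0.0.23 user=admin logontype=3
2017-04-28T03:12:03Z 4625 src=10.0.0.23 user=administrator logontype=3
2017-04-28T03:12:04Z 4624 src=10.0.0.23 user=administrator logontype=3
2017-04-28T08:00:00Z 4625 src=10.0.0.77 user=jsmith logontype=2
2017-04-28T08:00:05Z 4624 src=10.0.0.77 user=jsmith logontype=2
"""

LINE_RE = re.compile(r"(\S+) (\d{4}) src=(\S+) user=(\S+) logontype=(\d+)")

def parse(text):
    """Yield (timestamp, event_id, source, username, logon_type) per log line."""
    for m in LINE_RE.finditer(text):
        ts, eid, src, user, ltype = m.groups()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(eid), src, user.lower(), int(ltype)

def detect_smb_bruteforce(text, window_sec=60, min_failures=5):
    """Flag sources that burst network-logon failures across the WannaCry username list.
    Returns {src: (failures_in_burst, users_tried, success_seen_after_burst)}."""
    fails, succ = defaultdict(list), defaultdict(list)
    for ts, eid, src, user, ltype in parse(text):
        if ltype != 3:                       # only network (SMB-style) logons matter here
            continue
        if eid == 4625:
            fails[src].append((ts, user))
        elif eid == 4624:
            succ[src].append((ts, user))
    alerts = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            burst = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_sec]
            users = {u for _, u in burst}
            if len(burst) >= min_failures and users <= WANNACRY_USERS and len(users) >= 2:
                last = burst[-1][0]
                hit = any(ts >= last and u in users for ts, u in succ.get(src, []))
                alerts[src] = (len(burst), sorted(users), hit)
                break
    return alerts
```

A success (4624) from the same source right after such a burst is the strongest signal, since it means one of the guessed credentials worked.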
Previous attribution attempts have linked WannaCry with North Korea through the use of shared code. We decided to check how widespread this code may be by searching through tens of terabytes of data on VT, but could only confirm its existence in WannaCry and Contopee samples. This does not necessarily mean that the same malware author(s) wrote both malware families but the rarity of the code in other software gives the theory more weight.
Alternative attribution theories point to either a travel agent working in Thailand, Iran, or a hacking group known as “KDMS”. These three theories are all based on strings found within WannaCry configuration files, though the inconsistencies point more towards a likelihood of them being purposely planted false flags.
Another curious indicator as to who is behind WannaCry may lie in the compilation timestamps of the malware. With a few exceptions, every WannaCry sample’s compilation timestamp falls between the hours of 01:00am and 10:00am (UTC). This lines up with typical office hours for timezones in East Asia, highlighted on the map below.
The highlighted region includes North Korea, which has a timezone of UTC+8:30. Interestingly, we noticed that a malware family associated with Operation Lazarus (a suspected North Korean group), referred to as “Escad” by Microsoft, has a very similar distribution of compilation timestamps. After reviewing several Escad samples on VT, ruling out the samples which are disguised as Microsoft executables (and which seem to have fake compilation timestamps), we find that the earliest time of day at which a sample was compiled is 00:05:02am (UTC) and the latest is 09:22:06 (UTC). These times fit very well with a UTC+8:30 or UTC+9 timezone if we assume that the malware author is working typical office hours.
Compilation timestamps are, however, very easy to fake or offset in order to thwart analysis or plant false flags. It is useful to use them as a possible indicator when combined with other evidence, but they are not reliable evidence by themselves.
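An added example, not from the original post, that carries out the timestamp check described above in Python: it reads the compilation timestamp directly from the PE file header, discards stamps that cannot be genuine (epoch zero or later than the sample was first seen, the kind of obvious fake the text warns about), and scores how many builds fall inside office hours under candidate UTC offsets. The build times, the first-seen date and the 08:00 to 19:00 office-hours window are constructed assumptions; only the 00:05:02 to 09:22:06 UTC span comes from the text.

```python
import struct
from datetime import datetime, timedelta, timezone

def pe_compile_time(data: bytes) -> datetime:
    """Read IMAGE_FILE_HEADER.TimeDateStamp from a PE image and return it as UTC."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # File header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, pe_off + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def is_plausible(ts: datetime, first_seen: datetime) -> bool:
    """A stamp of epoch zero, or one later than the sample was first observed, cannot be genuine."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) < ts <= first_seen

def office_hours_fit(stamps, offset_minutes: int, start=8, end=19) -> float:
    """Fraction of stamps whose local hour under the given UTC offset lies in [start, end)."""
    tz = timezone(timedelta(minutes=offset_minutes))
    hits = sum(1 for t in stamps if start <= t.astimezone(tz).hour < end)
    return hits / len(stamps)

def fake_pe(stamp: int) -> bytes:
    """Constructed minimal PE header (DOS header + signature + file header) for the demo."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)                   # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\0\0" + struct.pack("<HHI", 0x14C, 3, stamp)

# Constructed UTC build times spanning the 00:05:02 to 09:22:06 window quoted above.
SAMPLE_UTC = [datetime(2017, 4, 28, h, m, s, tzinfo=timezone.utc)
              for h, m, s in [(0, 5, 2), (1, 0, 0), (3, 30, 0), (6, 15, 0), (9, 22, 6)]]
SAMPLES = [fake_pe(int(t.timestamp())) for t in SAMPLE_UTC]
FIRST_SEEN = datetime(2017, 5, 12, tzinfo=timezone.utc)        # assumed first-seen date

def analyse(samples, first_seen, offsets=(0, 510, 540)):
    """Score candidate offsets (UTC, UTC+8:30, UTC+9) against the plausible build times."""
    stamps = [pe_compile_time(s) for s in samples]
    stamps = [t for t in stamps if is_plausible(t, first_seen)]
    return {off: office_hours_fit(stamps, off) for off in offsets}

if __name__ == "__main__":
    for off, frac in analyse(SAMPLES, FIRST_SEEN).items():
        print(f"UTC{off / 60:+.1f}h: {frac:.0%} of builds inside 08:00-19:00 local")
```

With the constructed set, every build lands in office hours under UTC+8:30 and UTC+9 but only one in five does under UTC, which is the shape of argument the text makes; it remains circumstantial because the stamp is a single writable field.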
It is clear that the author behind WannaCry has been actively developing the malware since at least February 2017, iterating through several versions of the malware. Before the recent attacks leveraging ETERNALBLUE the author(s) were already attempting to spread their malware over SMB using credential brute-forcing. This shows a clear intent to do a lot of damage, and the author(s) presumably saw their chance at doing exactly this with the ETERNALBLUE exploit they incorporated into version 2.0.
Attribution is still impossible at this time, but as with previous evidence linking WannaCry with North Korean malware, we can also form a tentative link to North Korea through the analysis of timestamps embedded into the malware.