Showing posts from May, 2017

"WannaCry Is North Korea!" or "Rich Headers Win Again!"

Samples from Unit42:

WannaCry sample from Neel Mehta:

All 4 samples share significant overlap in their Rich Headers. In fact, the set of ID and Value pairs in the Rich Headers of the 3 samples I listed above is fully contained within the set of ID and Value pairs in the Rich Header of the WannaCry sample from Neel Mehta's Twitter post. The WannaCry sample contains several header pairs that are not present in the other samples. I do not know what tools they represent, so I am unable to determine the significance of this particular data point.
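
The comparison above boils down to decoding each sample's Rich Header into its (ProdID, build) pairs and checking set containment. Below is an added example of how to do that; it is not code from the post, and every sample in it is constructed with made-up ProdID/build values rather than taken from the WannaCry or Unit42 binaries. The layout it follows is the commonly documented one (an XOR-encoded "DanS" marker, three padding DWORDs, one comp_id/count DWORD pair per entry, then a clear-text "Rich" followed by the XOR key), and the key is recomputed with the usual Rich Header checksum (DanS offset, plus each DOS header/stub byte rotated by its index with e_lfanew skipped, plus each comp_id rotated by its count). A checksum that does not match the stored key means the header was edited or transplanted without recomputing; a matching one does not prove the header is genuine, since the checksum is trivial to recompute.

```python
"""Decode PE Rich Headers and compare (ProdID, build) pairs between samples.

Added example with constructed data: none of the values below come from the
WannaCry or Unit42 samples discussed in the post.
"""
import struct

DANS = 0x536E6144     # "DanS" as a little-endian DWORD, stored XORed with the key
RICH = b"Rich"        # clear-text end marker; the 4-byte XOR key follows it
E_LFANEW = 0x3C       # offset of e_lfanew in IMAGE_DOS_HEADER, skipped by the checksum
MASK = 0xFFFFFFFF


def rol32(value, n):
    """Rotate a 32-bit value left by n bits (n taken mod 32)."""
    n &= 31
    return ((value << n) | (value >> (32 - n))) & MASK


def rich_checksum(dos_region, entries):
    """Checksum = DanS offset + sum(rol(byte, index)) over the DOS header/stub
    (e_lfanew excluded) + sum(rol(comp_id, count)) over the entries."""
    csum = len(dos_region)
    for i, b in enumerate(dos_region):
        if E_LFANEW <= i < E_LFANEW + 4:
            continue
        csum = (csum + rol32(b, i)) & MASK
    for comp_id, count in entries:
        csum = (csum + rol32(comp_id, count)) & MASK
    return csum


def build_rich_header(dos_region, entries):
    """Append an encoded Rich Header to a DOS header/stub (used to build test data)."""
    key = rich_checksum(dos_region, entries)
    parts = [struct.pack("<I", DANS ^ key)] + [struct.pack("<I", key)] * 3  # 3 zero DWORDs ^ key
    parts += [struct.pack("<II", cid ^ key, cnt ^ key) for cid, cnt in entries]
    parts.append(RICH + struct.pack("<I", key))
    return dos_region + b"".join(parts)


def parse_rich_header(data, search_limit=0x1000):
    """Locate 'Rich', read the key, walk back to DanS and decode the entries."""
    idx = data.find(RICH, 0, search_limit)
    while idx >= 0 and idx + 8 <= len(data):
        key = struct.unpack_from("<I", data, idx + 4)[0]
        for start in range(idx - 16, -1, -4):          # header is 16 bytes, entries 8
            if struct.unpack_from("<I", data, start)[0] ^ key == DANS:
                entries = [tuple(v ^ key for v in struct.unpack_from("<II", data, off))
                           for off in range(start + 16, idx - 7, 8)]
                return {"offset": start, "key": key, "entries": entries,
                        "checksum_ok": rich_checksum(data[:start], entries) == key}
        idx = data.find(RICH, idx + 1, search_limit)    # false hit, keep looking
    return None


def id_build_pairs(parsed):
    """The (ProdID, build) pairs: comp_id = ProdID << 16 | build. Counts are ignored."""
    return {(cid >> 16, cid & 0xFFFF) for cid, _ in parsed["entries"]}


def overlap_report(reference, others):
    """Is the union of the other samples' pairs contained in the reference's pairs?"""
    ref = id_build_pairs(reference)
    union = set().union(*(id_build_pairs(o) for o in others))
    return {"contained": union <= ref, "shared": union & ref,
            "ref_only": ref - union, "others_only": union - ref}


def tampered_copy(image):
    """Flip one bit in the first entry's build number without fixing the key."""
    buf = bytearray(image)
    buf[parse_rich_header(image)["offset"] + 16] ^= 0x01
    return bytes(buf)


def make_sample(entries):
    """A fake PE prefix: 0x80-byte DOS header/stub, Rich Header, then 'PE\\0\\0'."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW, 0x80 + 16 + 8 * len(entries) + 8)
    return build_rich_header(bytes(dos), entries) + b"PE\0\0"


def comp(prod_id, build):
    return (prod_id << 16) | build


# Constructed (ProdID, build, count) data standing in for the post's samples.
SAMPLE_A = make_sample([(comp(0x95, 0x521E), 12), (comp(0x9E, 0x521E), 4), (comp(0x01, 0), 150)])
SAMPLE_B = make_sample([(comp(0x95, 0x521E), 3), (comp(0x01, 0), 40)])
SAMPLE_C = make_sample([(comp(0x9E, 0x521E), 7), (comp(0x93, 0x521E), 1)])
REFERENCE = make_sample([(comp(0x95, 0x521E), 20), (comp(0x9E, 0x521E), 9),
                         (comp(0x93, 0x521E), 2), (comp(0x01, 0), 90), (comp(0xAA, 0x521E), 1)])

if __name__ == "__main__":
    ref = parse_rich_header(REFERENCE)
    print(f"key=0x{ref['key']:08x} checksum_ok={ref['checksum_ok']}")
    for k, v in overlap_report(ref, [parse_rich_header(s) for s in (SAMPLE_A, SAMPLE_B, SAMPLE_C)]).items():
        print(k, v)
    print("tampered checksum_ok:", parse_rich_header(tampered_copy(SAMPLE_A))["checksum_ok"])
```

On real files, pass the first few KB of each binary to parse_rich_header and feed the results to overlap_report in place of the constructed samples; ref_only is the set of "pairs present in the WannaCry sample but not in the others" that the post describes.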

I don't know how significant this overlap is, but in my own repository that particular set of ID and Value pairs was unique to WannaCry and malware attributed to Laz…