"WannaCry Is North Korea!" or "Rich Headers Win Again!"

http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/

https://twitter.com/neelmehta/status/864164081116225536

Samples from Unit42:
a4b3404fffc581ab06d50f3f2243cb56
cab10f19ae0a6deeb7be7bd0b46a0f5f
d511fa33bb3c9a238e4b4eae7bae6e84

WannaCry sample from Neel Mehta:
9c7c7149387a1c79679a87dd1ba755bc

All 4 samples share significant overlap in their Rich Headers. In fact, the set of ID and Value pairs in the Rich Headers of the 3 samples listed above is fully contained within the set of ID and Value pairs in the Rich Header of the WannaCry sample from Neel Mehta's Twitter post. The WannaCry sample contains several header pairs that are not present in the other samples; I do not know what tools they represent, so I am unable to determine the significance of this particular data point.

I don't know how significant this overlap is, but in my own repository that particular set of ID and Value pairs was unique to WannaCry and malware attributed to Lazarus Group. If you have yara 3.5 (earlier versions don't have the toolid method in pe.rich_signature) and want to test further:

```
import "pe"

rule a9_bd_wcrylazarus {
    condition:
        pe.rich_signature.toolid(1,0) and
        pe.rich_signature.toolid(4,8047) and
        pe.rich_signature.toolid(10,8047) and
        pe.rich_signature.toolid(11,9782) and
        pe.rich_signature.toolid(12,7291) and
        pe.rich_signature.toolid(14,7299) and
        pe.rich_signature.toolid(93,4035)
}
```
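The "fully contained within" comparison above can be reproduced outside yara. The following is an added example (not code from the post): it parses the Rich header of a PE image into (tool ID, build) pairs and checks that every pair the rule names is present. The PE bytes, the XOR key and the extra (6, 1735) entry are constructed for the demonstration; the seven rule pairs come from the yara rule above.

```python
import struct

# (tool id, version) pairs from the blog's yara rule; all must be present to match
RULE_PAIRS = {(1, 0), (4, 8047), (10, 8047), (11, 9782),
              (12, 7291), (14, 7299), (93, 4035)}
DANS = 0x536E6144  # 'DanS' marker that opens the Rich header, stored XORed with the key

def parse_rich_header(data: bytes):
    """Return {(tool_id, build): count} from a PE image's Rich header, or None."""
    end = data.find(b"Rich")              # plaintext 'Rich' marker, followed by the key
    if end < 0 or end + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]
    start = end - 4                       # walk back one dword at a time to find 'DanS'
    while start >= 0:
        if struct.unpack_from("<I", data, start)[0] ^ key == DANS:
            break
        start -= 4
    else:
        return None
    pairs = {}
    # skip 'DanS' plus three zero padding dwords (16 bytes), then 8-byte entries follow
    for off in range(start + 16, end, 8):
        comp, count = struct.unpack_from("<II", data, off)
        comp ^= key
        # high 16 bits are the tool (product) id, low 16 bits the build number,
        # which is what yara's pe.rich_signature.toolid(id, version) tests
        pairs[(comp >> 16, comp & 0xFFFF)] = count ^ key
    return pairs

def build_rich_header(pairs, key):
    """Constructed helper for the demo: encode (id, build)->count pairs as a Rich header."""
    words = [DANS ^ key] + [key] * 3      # 'DanS' and three zero dwords, all XORed
    for (tool_id, build), count in pairs.items():
        words += [((tool_id << 16) | build) ^ key, count ^ key]
    return struct.pack("<%dI" % len(words), *words) + b"Rich" + struct.pack("<I", key)

def matches_rule(pairs):
    """True when every (id, version) pair of the rule is present (set containment)."""
    return pairs is not None and RULE_PAIRS <= set(pairs)

# Constructed sample: MZ stub, Rich header with the rule pairs plus one extra entry, PE sig
SAMPLE_PAIRS = {(1, 0): 120, (4, 8047): 3, (10, 8047): 40, (11, 9782): 12,
                (12, 7291): 9, (14, 7299): 1, (93, 4035): 1, (6, 1735): 1}
SAMPLE_PE = (b"MZ" + b"\0" * 126 + build_rich_header(SAMPLE_PAIRS, 0x9B3D5C71)
             + b"\0" * 8 + b"PE\0\0")
```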
UPDATE: Well, the net is cast WAAAAAY too wide, but a lot of what I was picking up is still Korean. Definitely worth investigating further...
