Twitter

Matt Suiche

Verified Account

A patched (non recompiled) variant with *NO* kill-switch is out there too. Patched jump and zeroed the URL. See screenshots below. #WannaCry pic.twitter.com/RliIRigXwH

7:19 AM - 14 May 2017

by: Matt Suiche @msuiche

	Matt Suiche @msuiche	14 May 17
	Replying to @craiu Thanks to @craiu for sharing the 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd hash.
	View conversation ·

	Mitja Kolsek @mkolsek	14 May 17
	Replying to @msuiche @craiu Puzzled as to why was "jnz $+2" in the original code. Looks like a placeholder for patching out the kill switch.
	View conversation ·

	Costin Raiu @craiu	14 May 17
	Replying to @mkolsek @msuiche that is the patched code, not the original one. The original was 75 15 hex.
	View conversation ·

	R0bert R0senb0rg @drProct0r	14 May 17
	Replying to @msuiche @craiu isn't this some testing version that a researcher patched to use after sinkholing killswitch?
	View conversation ·

	Mitja Kolsek @mkolsek	14 May 17
	Replying to @craiu @msuiche Oh, that makes sense.
	View conversation ·

	Mark Steward @marksteward	14 May 17
	Replying to @msuiche @craiu Ugh. And given the number of historic builds out there, the person who did this is unlikely very to be the malware author.
	View conversation ·

	# malware mapper # @Thoughtskiller1	14 May 17
	Replying to @msuiche Is it spreading wild or just for testing purpose ?
	View conversation ·

	Aaron Shelmire @AShelmire	14 May 17
	Replying to @msuiche @craiu virustotal.com/en/file/07c447…
	View conversation ·

	Mark Steward @marksteward	14 May 17
	Replying to @msuiche @craiu Is that version viable? The payload looks different and doesn't have a zip directory.
	View conversation ·

	Aaron Shelmire @AShelmire	14 May 17
	Replying to @drProct0r @msuiche @craiu while it may be a testing version, think of how many sandboxes pull files from virustotal and run them in the wild, leading to spread
	View conversation ·

	Thanh Bình @binhcms	14 May 17
	Replying to @msuiche How you can do that ? I would like to help
	View conversation ·

	R0bert R0senb0rg @drProct0r	14 May 17
	Replying to @AShelmire @msuiche @craiu I know,that's why researchers should be careful and use patched versions only in a way it can't spread,definitely not upload to VT or SBox
	View conversation ·

	Adam Chester @_xpn_	14 May 17
	Replying to @msuiche Are the bitcoin addresses the same, or have they been changed?
	View conversation ·

	GalBit @Gal_B1t	14 May 17
	Replying to @msuiche Legit malware development process :D
	View conversation ·

	R0bert R0senb0rg @drProct0r	14 May 17
	Replying to @AShelmire @msuiche @craiu this thead sums it up: twitter.com/hacks4pancakes…
	View conversation ·

	Aaron Shelmire @AShelmire	14 May 17
	Replying to @drProct0r @msuiche @craiu agree, but it's on vt since 90 minutes ago: virustotal.com/en/file/07c447…
	View conversation ·

	mndg @m_ndingo	14 May 17
	Replying to @msuiche What is now in the #worm resources? The same #ransomware?
	View conversation ·

	Mark Steward @marksteward	14 May 17
	Replying to @msuiche @craiu That payload has two parents virustotal.com/en/file/2584e1… and this is the difference between them pastebin.com/JhiJGiGU
	View conversation ·