@msuiche
A patched (non recompiled) variant with *NO* kill-switch is out there too. Patched jump and zeroed the URL. See screenshots below. #WannaCry pic.twitter.com/RliIRigXwH

Matt Suiche @msuiche · May 14
Thanks to @craiu for sharing the 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd hash.

Mitja Kolsek @mkolsek · May 14
Puzzled as to why "jnz $+2" was in the original code. Looks like a placeholder for patching out the kill switch.

Costin Raiu @craiu · May 14
that is the patched code, not the original one. The original was 75 15 hex.

R0bert R0senb0rg @drProct0r · May 14
isn't this some testing version that a researcher patched to use after sinkholing killswitch?

Mitja Kolsek @mkolsek · May 14
Oh, that makes sense.

Mark Steward @marksteward · May 14
Ugh. And given the number of historic builds out there, the person who did this is very unlikely to be the malware author.

# malware mapper # @Thoughtskiller1 · May 14
Is it spreading in the wild or just for testing purposes?

Aaron Shelmire @AShelmire · May 14

Mark Steward @marksteward · May 14
Is that version viable? The payload looks different and doesn't have a zip directory.

Aaron Shelmire @AShelmire · May 14
while it may be a testing version, think of how many sandboxes pull files from virustotal and run them in the wild, leading to spread

Thanh Bình @binhcms · May 14
How can you do that? I would like to help

R0bert R0senb0rg @drProct0r · May 14
I know, that's why researchers should be careful and use patched versions only in a way it can't spread, definitely not upload to VT or SBox

Adam @_xpn_ · May 14
Are the bitcoin addresses the same, or have they been changed?

GalBit @Gal_B1t · May 14
Legit malware development process :D

R0bert R0senb0rg @drProct0r · May 14
this thread sums it up: twitter.com/hacks4pancakes…

Aaron Shelmire @AShelmire · May 14
agree, but it's on vt since 90 minutes ago: virustotal.com/en/file/07c447…

mndg @m_ndingo · May 14
What is now in the #worm resources? The same #ransomware?

Mark Steward @marksteward · May 14
That payload has two parents virustotal.com/en/file/2584e1… and this is the difference between them pastebin.com/JhiJGiGU