2017-05-18 - GUEST BLOG BY DAVID SZILI - PCAP OF WANNACRY SPREADING USING ETERNALBLUE

EDITOR'S NOTE:

ASSOCIATED FILE:

 

TEST ENVIRONMENT

The following Windows servers and workstations were established in a LAN environment:

(Read: IPv4 address - MAC address - Host description - Host name)

 

MALWARE

The following information covers the WannaCry ransomware sample used to generate this traffic:

References for the above sample:

The WannaCry ransomware sample was launched on 192.168.116.149 (DFIR_Win7_x86), and it propagated to the other Windows hosts (see images section below).

 

ALERTS

Below is a screenshot taken from a Security Onion server monitoring traffic for hosts in the test environment. It's using the EmergingThreats Open ruleset.
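Signature alerts like the ones in the screenshot are one way to spot this traffic; another is the shape of the propagation itself. The added Python example below (not part of the original post or the pcap) flags a source that opens SMB (TCP/445) sessions to many distinct LAN peers in a short window, which is how the sample's spread from 192.168.116.149 looks in connection records. The log lines are constructed in a Zeek conn.log-like layout, and every IP address other than 192.168.116.149 is made up for the example.

```python
# Added example (not from the original post): detect SMB fan-out from one
# host, the traffic shape produced when WannaCry propagates over TCP/445.
# Input lines are constructed, Zeek conn.log-style records:
# "<unix_ts> <src_ip> <dst_ip> <dst_port> <proto>"
# Only 192.168.116.149 is taken from the post; the other addresses are invented.
from collections import defaultdict

SAMPLE_CONN_LOG = """\
1495100000.10 192.168.116.149 192.168.116.150 445 tcp
1495100000.35 192.168.116.149 192.168.116.151 445 tcp
1495100000.80 192.168.116.149 192.168.116.152 445 tcp
1495100001.20 192.168.116.149 192.168.116.153 445 tcp
1495100002.05 192.168.116.149 192.168.116.154 445 tcp
1495100030.00 192.168.116.150 192.168.116.1 53 udp
1495100031.00 192.168.116.151 192.168.116.149 139 tcp
"""


def parse_smb_connections(text):
    """Yield (timestamp, src, dst) for TCP/445 records; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, proto = parts
        if proto != "tcp" or dport != "445":
            continue
        yield float(ts), src, dst


def smb_fanout_sources(text, min_peers=4, window=60.0):
    """Return {src: sorted peer list} for every source that reaches at least
    min_peers distinct hosts on 445 within any window-second span."""
    by_src = defaultdict(list)
    for ts, src, dst in parse_smb_connections(text):
        by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()  # sliding window over time-ordered events
        for i, (t0, _) in enumerate(events):
            peers = {d for t, d in events[i:] if t - t0 <= window}
            if len(peers) >= min_peers:
                hits[src] = sorted(peers)
                break
    return hits


if __name__ == "__main__":
    for src, peers in smb_fanout_sources(SAMPLE_CONN_LOG).items():
        print(f"possible SMB lateral movement from {src} to {len(peers)} peers: {peers}")
```

On a real capture the same records come from a Zeek conn.log or from Security Onion's own connection data; the threshold and window should be tuned to the size of the monitored LAN.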

 

SCREENSHOTS OF DESKTOPS


Shown above: Desktop of infected Windows 7 host, hostname: DFIR_Win7_x86.

 


Shown above: Desktop of infected Windows 7 host, hostname: C-DFIR_Win7_x86.

 


Shown above: Desktop of infected Windows 7 host, hostname: DFIR_Win7_x64.

 

FINAL NOTES

Once again, here is the associated file:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
