Didier Stevens

Sunday 14 May 2017

Quickpost: WannaCry’s Mutex Is MsWinZonesCacheCounterMutexA0 (Digit Zero At The End)

Filed under: Malware,Quickpost — Didier Stevens @ 11:23

I’ve seen reports that WannaCry uses a mutex with name Global\MsWinZonesCacheCounterMutexA.

The samples I analyzed all use another mutex: Global\MsWinZonesCacheCounterMutexA0. That’s a digit zero at the end.

I have not found a sample that uses mutex Global\MsWinZonesCacheCounterMutexA (e.g. without digit zero at the end).

Update 1: I got confirmation from Costin Raiu from Kaspersky that the mutex is Global\MsWinZonesCacheCounterMutexA0.

Update 2: dynamic analysis with sample 84c82835a5d21bbcf75a61706d8ab549 shows that there are 2 mutexes that can prevent the ransoming of files: MsWinZonesCacheCounterMutexA and Global\MsWinZonesCacheCounterMutexA0. Remark that the Global namespace must be used with mutex MsWinZonesCacheCounterMutexA0, while it may not be used with mutex MsWinZonesCacheCounterMutexA.

 

Remark that the code above contains string “Global\\MsWinZonesCacheCounterMutexA”, but that is not the actual string used for OpenMutexA.

The actual string used for OpenMutexA is created by a sprintf “%s%d” call, and results in “Global\\MsWinZonesCacheCounterMutexA0“, that is “Global\\MsWinZonesCacheCounterMutexA” with a digit 0 (zero) appended.

Mutexes have long been used by malware authors to prevent more than one instance of the malware running on the same machine. An old anti-malware trick consists in the creation of a specific mutex, to prevent the execution of a specific malware.

I’ve seen tools and scripts published to create mutex Global\MsWinZonesCacheCounterMutexA to prevent WannaCry from infecting machines. This will not work for the samples I analyzed.

Samples I disassembled:

7c465ea7bcccf4f94147add808f24629644be11c0ba4823f16e8c19e0090f0ff (contained as a resource in 5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec).

86721e64ffbd69aa6944b9672bcabb6d (contained as a resource in 5bef35496fcbdbe841c82f4d1ab8b7c2).

Samples I searched for containing the mutex and sprintf code:

509c41ec97bb81b0567b059aa2f50fe8
5bef35496fcbdbe841c82f4d1ab8b7c2
638f9235d038a0a001d5ea7f5c5dc4ae
7f7ccaa16fb15eb1c7399d422f8363e8
84c82835a5d21bbcf75a61706d8ab549
86721e64ffbd69aa6944b9672bcabb6d
d6114ba5f10ad67a4131ab72531f02da
db349b97c37d22f5ea1d1841e3c89eb4
f107a717f76f4f910ae9cb4dc5290594

If you have a sample that actually uses mutex Global\\MsWinZonesCacheCounterMutexA and not mutex Global\\MsWinZonesCacheCounterMutexA0 (e.g. with digit zero appended), please post a comment with the hash of your sample.

 


Quickpost info


5 Comments »

  1. […] malware creates mutex “GlobalMsWinZonesCacheCounterMutexA0” (Update: Thanks Didier Stevens for the correction on the mutex name!) and runs the […]

    Pingback by WannaCry ransomware used in widespread attacks all over the world - Securelist — Sunday 14 May 2017 @ 11:42

  2. I used 84c82835a5d21bbcf75a61706d8ab549. Here’s a screenshot of MsWinZonesCacheCounterMutexA used to prevent the execution of WannaCry – http://i.imgur.com/06EFCdS.gif

    Comment by KyleHanslovan — Sunday 14 May 2017 @ 13:00

  3. […] Didier Stevens – Quickpost: WannaCry’s Mutex Is MsWinZonesCacheCounterMutexA0 (Digit Zero At… […]

    Pingback by Week 20 – 2017 – This Week In 4n6 — Sunday 21 May 2017 @ 10:05

  4. […] “GlobalMsWinZonesCacheCounterMutexA” and “GlobalMsWinZonesCacheCounterMutexA0” (Update: Thanks Didier Stevens for the correction on the extra mutex name!) to determine if a system is already infected. It also runs the […]

    Pingback by WannaCry ransomware used in widespread attacks all over the world | GIXtools project — Monday 5 June 2017 @ 9:58

  5. […] Quickpost: WannaCry’s Mutex Is MsWinZonesCacheCounterMutexA0 (Digit Zero At The End) […]

    Pingback by Overview of Content Published In May | Didier Stevens — Wednesday 7 June 2017 @ 0:15


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: