Wannacry Killswitch Domain

 1title: Wannacry Killswitch Domain
 2id: 3eaf6218-3bed-4d8a-8707-274096f12a18
 3status: test
 4description: Detects wannacry killswitch domain dns queries
 5references:
 6    - https://www.mandiant.com/resources/blog/wannacry-ransomware-campaign
 7author: Mike Wade
 8date: 2020/09/16
 9modified: 2022/03/24
10tags:
11    - attack.command_and_control
12    - attack.t1071.001
13logsource:
14    category: dns
15detection:
16    selection:
17        query:
18            - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.testing'
19            - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.test'
20            - 'ifferfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
21            - 'ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com'
22            - 'iuqssfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
23    condition: selection
24falsepositives:
25    - Analyst testing
26level: high

References

• WannaCry Ransomware Campaign: Threat Details and Risk Management | Mandiant

  

  UPDATE 3 (May 17 – 7:00 p.m. ET) We observed the emergence of a new WannaCry variant with the internet-check URL www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]testing. A bug in the code logic cau...

  
  Read More

Related rules

• Telegram API Access
• Crypto Miner User Agent
• Exploit Framework User Agent
• PwnDrp Access
• Greenbug Espionage Group Indicators