WannaCry Analysis

Preet kamal
Dec 5, 2019

WannaCry is a ransomware cryptoworm that affected more than 200,000 computers across 150 countries by encrypting data and demanding ransom payments in Bitcoin. It spreads through the network by exploiting a vulnerability in the SMB (Server Message Block) protocol, MS17-010.

Before analyzing this malware, make sure you take these steps:

  • Use a virtual machine for your analysis.
  • Don’t forget to take a snapshot of your VM so that if something goes wrong, its state can be restored.

File: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe

MD5: db349b97c37d22f5ea1d1841e3c89eb4

File Info: PE32 executable (GUI) Intel 80386, for MS Windows

ANALYSIS

  • BEACON

Initially, the malware tries to connect to the domain http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. If the connection succeeds, the malware exits. This domain has since been sinkholed by security researchers so that it acts as a kill switch and limits further infection and spreading.

  • SERVICE

If the connection is not successful, it creates a service with the display name “Microsoft Security Center (2.0) Service” and the service name “mssecsvc2.0”.

MD5 Hash: db349b97c37d22f5ea1d1841e3c89eb4

(Screenshot: service creation)

  • RESOURCE SECTION

Analyzing the malware with PEStudio shows a resource named ‘R’ that is flagged as executable content, which means the resource section may contain another file.

  • EXTRACTING files from ‘R’

The use of FindResourceA, LoadResource, LockResource and SizeofResource implies that the malware locates the resource section and accesses the data inside it.

(Screenshot: resource section “R”)

The malware writes the data from its resource section “R” to tasksche.exe, copies it to C:\Windows\tasksche.exe, and then uses MoveFileExA to move it to C:\Windows\qeriuwjhrf.

(Screenshot: resource section of tasksche.exe)

Its resource section also looks suspicious: it contains a resource named “XIA” that starts with a PK signature, which implies it is a zip file. The malware extracts it using the password “WNcry@2ol7”.
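The carving step described above, as an added example that is not part of the original post: locate the PK local-file signature inside a resource blob, open the archive from that offset, and list its members. The sample resource is constructed in memory; because Python's standard library cannot write password-protected archives, the sample is unencrypted and the password from the post is only passed through to `setpassword`, where it would apply to a real, encrypted archive.

```python
import io
import zipfile
from typing import List, Optional

ZIP_LOCAL_HEADER = b"PK\x03\x04"


def build_sample_resource() -> bytes:
    """Constructed stand-in for the 'XIA' resource: a small zip archive
    preceded by filler bytes, so the PK signature is not at offset 0."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("msg/m_english.wnry", "constructed ransom note text")
        zf.writestr("b.wnry", b"BM" + b"\x00" * 30)   # fake bitmap header
        zf.writestr("c.wnry", "gx7ekbenv2riucmf.onion;")
    # 64 zero bytes plus a 17-byte fake header in front of the archive
    return b"\x00" * 64 + b"R-resource-header" + buf.getvalue()


def find_pk_offset(blob: bytes) -> int:
    """Return the offset of the first PK local-file header, or -1 if absent."""
    return blob.find(ZIP_LOCAL_HEADER)


def carve_zip(blob: bytes, password: Optional[bytes] = None) -> List[str]:
    """Open the embedded archive starting at the PK signature and return the
    member names.  testzip() verifies every member's CRC, so a wrong password
    on a real encrypted archive surfaces here as an error instead of later."""
    offset = find_pk_offset(blob)
    if offset < 0:
        raise ValueError("no PK signature found in resource")
    with zipfile.ZipFile(io.BytesIO(blob[offset:])) as zf:
        if password:
            zf.setpassword(password)
        bad = zf.testzip()          # None when all members verify
        if bad is not None:
            raise ValueError(f"corrupt or undecryptable member: {bad}")
        return zf.namelist()


if __name__ == "__main__":
    resource = build_sample_resource()
    print("PK signature at offset", find_pk_offset(resource))
    for name in carve_zip(resource, password=b"WNcry@2ol7"):
        print("dropped file:", name)
```

The same routine can be pointed at a resource dumped with Resource Hacker (one of the tools listed at the end of the post); the archive is opened read-only, nothing is written to disk, and the member list is enough to confirm the dropper's contents without executing anything.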

(Screenshot: XIA resource content)

The files dropped from the XIA resource are:

  • msg folder

This folder contains the ransom note in different languages.

  • b.wnry

MD5 Hash: c17170262312f3be7027bc2ca825bf0c

A bitmap file that displays the message shown in the screenshot.

  • c.wnry

MD5 Hash: ae08f79a0d800b82fcbe1b43cdbdbefc

It contains the Tor browser configuration and the .onion domains listed below, used mainly for bitcoin transactions.

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

It uses https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip to download the Tor browser.

These are the bitcoin wallets to which the attacker wants the ransom sent:

  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

One of the wallets is shown in the screenshot.

  • r.wnry

MD5 Hash: 3e0020fc529b1c2a061016dd2469ba96

This file contains the instructions to be displayed to the user.

  • s.wnry

MD5 Hash: ad4c9de7c8c40813f200ba1c2fa33083

It also contains a zip file (PK signature) with a Tor executable inside.

  • t.wnry

MD5 Hash: 5dcaac857e695a65f5c3ef1441a73a8f

It is a file with a WannaCry signature and works as the encryption tool.

  • u.wnry

MD5 Hash: 7bf2b57f2a205768755c07f238fb32cc

It is the decryption tool.

  • taskdl.exe

MD5 Hash: 4fef5e34143e646dbf9907c4374276f5

It is executed every 30 seconds and is a support tool for removing temporary files.

  • taskse.exe

Launches the decryption tool.

After dropping the files, the malware changes their attributes:

  • Uses “attrib +h” to hide the current working directory.
  • attrib allows an MS-DOS and Windows command-line user to change the attributes of a file.
  • Uses “icacls . /grant Everyone:F /T /C /Q” to grant full access to the files and folders.
  • icacls allows changing the access control lists of files and folders.
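The host-side behaviours described in this post (the kill-switch lookup under BEACON, the mssecsvc2.0 service under SERVICE, and the attrib/icacls commands above) are exactly the events a defender would match in process and DNS telemetry. The following detection logic is an added example, not code from the original post: it runs a small rule set over constructed event lines in a simplified `key=value` layout (the field names Image, CommandLine, QueryName and ServiceName are assumptions modelled on Sysmon and the System event log, not a real log format) and reports which rule fired on which line.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events: one kill-switch DNS query, two attribute/ACL
# changes launched by the dropper, one benign process, one service install.
SAMPLE_EVENTS = [
    "EventID=22 Image=C:\\Windows\\mssecsvc.exe QueryName=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "EventID=1 Image=C:\\Windows\\tasksche.exe CommandLine=attrib +h .",
    "EventID=1 Image=C:\\Windows\\tasksche.exe CommandLine=icacls . /grant Everyone:F /T /C /Q",
    "EventID=1 Image=C:\\Windows\\System32\\svchost.exe CommandLine=svchost.exe -k netsvcs",
    "EventID=7045 ServiceName=mssecsvc2.0 ImagePath=C:\\Windows\\mssecsvc.exe",
]

# (rule name, field to inspect, pattern) taken from the indicators in the post
RULES: List[Tuple[str, str, "re.Pattern[str]"]] = [
    ("kill_switch_dns", "QueryName",
     re.compile(r"^www\.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.com$", re.I)),
    ("wannacry_service", "ServiceName",
     re.compile(r"^mssecsvc2\.0$", re.I)),
    ("attrib_hide", "CommandLine",
     re.compile(r"^attrib\s+\+h\b", re.I)),
    ("icacls_everyone_full", "CommandLine",
     re.compile(r"^icacls\b.*/grant\s+Everyone:\s*F\b", re.I)),
]

# key=value pairs; a value runs until the next " key=" token or end of line,
# so command lines containing spaces stay intact
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line: str) -> Dict[str, str]:
    """Split one event line into a field dictionary."""
    return {m.group(1): m.group(2) for m in FIELD_RE.finditer(line)}


def detect(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, rule name) for every rule that matches."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        fields = parse_event(line)
        for name, field, pattern in RULES:
            value = fields.get(field)
            if value is not None and pattern.search(value):
                hits.append((lineno, name))
    return hits


if __name__ == "__main__":
    for lineno, name in detect(SAMPLE_EVENTS):
        print(f"line {lineno}: {name}")
```

A query for the kill-switch domain deserves an alert of its own even though a successful answer makes the worm exit: it shows the sample already ran on that host, and any machine that cannot reach the sinkhole (for example, one behind a proxy that blocks direct name resolution) proceeds to the service-creation and encryption stages.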

It encrypts files with the following extensions.

(Screenshot: list of targeted file extensions)

Each time a file is encrypted, its extension changes to .WNCRY.

ENCRYPTION

It uses the Microsoft Enhanced RSA and AES Cryptographic Provider to perform the encryption.

  • AES is used to encrypt the files with a symmetric AES key, and the encrypted files are stored on the system with the extension .WNCRY.
  • For each client, a new RSA public/private key pair is generated.
  • The client’s AES key is encrypted with the newly generated client RSA public key, so it can only be decrypted with the client’s private key.
  • The client’s private key is in turn encrypted with the server’s (command and control) public key.
  • The client’s private key can therefore only be decrypted with the server’s private key, the master key that the attacker holds; to obtain it, the victim has to pay the ransom.

When the AES key has been encrypted with the RSA public key, the encrypted file’s path is written to f.wnry.
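The key hierarchy in the list above, worked through end to end as an added example that is not code from the original post. It uses textbook RSA on hard-coded Mersenne primes (constructed for determinism; the real sample generates 2048-bit keys through the provider named above) and, because the standard library ships no AES, a SHA-256 counter-mode keystream stands in for the AES file encryption. What the example shows is the dependency chain: the per-file key unwraps only with the client private key, and that key exists only inside the `.eky` wrap, which opens only with the server private key.

```python
import hashlib
from math import gcd
from typing import Tuple

# Constructed key material: small Mersenne primes, not a real key size
P_CLIENT, Q_CLIENT = (1 << 61) - 1, (1 << 89) - 1      # client key, ~150-bit modulus
P_SERVER, Q_SERVER = (1 << 107) - 1, (1 << 127) - 1    # attacker key, ~234-bit modulus
E = 65537

Pub = Tuple[int, int]   # (n, e)
Priv = Tuple[int, int]  # (n, d)


def rsa_keypair(p: int, q: int) -> Tuple[Pub, Priv]:
    """Textbook RSA key pair (no padding: illustration only)."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(E, phi) == 1
    return (n, E), (n, pow(E, -1, phi))


def rsa_wrap(m: int, pub: Pub) -> int:
    n, e = pub
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def rsa_unwrap(c: int, priv: Priv) -> int:
    n, d = priv
    return pow(c, d, n)


def stream_xor(key: bytes, data: bytes) -> bytes:
    """SHA-256 counter-mode keystream XOR, a stdlib stand-in for AES.
    Symmetric, so the same call decrypts."""
    out = bytearray()
    for pos in range(0, len(data), 32):
        ks = hashlib.sha256(key + (pos // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[pos:pos + 32], ks))
    return bytes(out)


def encrypt_file(plaintext: bytes, file_key: bytes, client_pub: Pub) -> Tuple[bytes, int]:
    """Encrypt one file with its symmetric key and wrap that key with the
    client public key (the .pky role).  Returns (ciphertext, wrapped key)."""
    wrapped = rsa_wrap(int.from_bytes(file_key, "big"), client_pub)
    return stream_xor(file_key, plaintext), wrapped


def make_eky(client_priv: Priv, server_pub: Pub) -> int:
    """Wrap the client's private exponent with the attacker's public key
    (the .eky role); the clear private key is then discarded."""
    return rsa_wrap(client_priv[1], server_pub)


def recover(ciphertext: bytes, wrapped_key: int, eky: int,
            client_pub: Pub, server_priv: Priv) -> bytes:
    """The decryption path, possible only with the server private key:
    unwrap .eky -> client private key -> file key -> file contents."""
    client_d = rsa_unwrap(eky, server_priv)
    file_key_int = rsa_unwrap(wrapped_key, (client_pub[0], client_d))
    try:
        file_key = file_key_int.to_bytes(16, "big")
    except OverflowError:            # a wrong server key yields a garbage exponent
        return b""
    return stream_xor(file_key, ciphertext)


def demo() -> Tuple[bytes, bytes, bytes]:
    """Run the whole chain; returns (plaintext, recovered with the right
    server key, result with an unrelated server key)."""
    client_pub, client_priv = rsa_keypair(P_CLIENT, Q_CLIENT)
    server_pub, server_priv = rsa_keypair(P_SERVER, Q_SERVER)
    plaintext = b"constructed document contents"
    file_key = bytes(range(16))                     # constructed 128-bit key
    ciphertext, wrapped = encrypt_file(plaintext, file_key, client_pub)
    eky = make_eky(client_priv, server_pub)
    del client_priv                                 # only the .eky wrap survives
    good = recover(ciphertext, wrapped, eky, client_pub, server_priv)
    # Unrelated key pair standing in for anyone who lacks the attacker's key
    _, other_priv = rsa_keypair((1 << 521) - 1, (1 << 607) - 1)
    bad = recover(ciphertext, wrapped, eky, client_pub, other_priv)
    return plaintext, good, bad


if __name__ == "__main__":
    plaintext, good, bad = demo()
    print("recovered with server key:", good == plaintext)
    print("recovered with other key: ", bad == plaintext)
```

The design point for responders is that backing up the `.eky` file together with the encrypted data preserves the only path to recovery should the server private key ever become available; the `.pky` on its own cannot reverse anything.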

(Screenshot: f.wnry)

00000000.pky: the client’s public key.

(Screenshot: 00000000.pky)

00000000.eky: the client’s private key encrypted with the server’s (attacker’s) or embedded public key.

(Screenshot: 00000000.eky)

For decryption, the user needs the master key (the server’s private key), which can be obtained by paying the ransom; the ransom doubles when the first timer expires.
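To check what a dropped `00000000.pky` actually holds, a parser for the key file is useful. The post does not state the file's format; the example below is added here, not code from the original post, and assumes the `.pky` is a CryptoAPI PUBLICKEYBLOB as exported by `CryptExportKey` from the Microsoft Enhanced provider named above (BLOBHEADER, then RSAPUBKEY, then the little-endian modulus). The sample blob is constructed from a made-up modulus. The `.eky` is ciphertext rather than a blob, so the same parser rejects it, which is a useful sanity check when triaging the two files.

```python
import struct
from typing import Dict

BLOB_PUBLICKEY = 0x06          # bType of a PUBLICKEYBLOB
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400     # aiKeyAlg for an RSA key-exchange key
MAGIC_RSA1 = 0x31415352        # b"RSA1", RSAPUBKEY.magic
HEADER_LEN = 8 + 12            # BLOBHEADER + RSAPUBKEY


def parse_rsa_pubkey_blob(blob: bytes) -> Dict[str, int]:
    """Parse a CryptoAPI PUBLICKEYBLOB and return bitlen, public exponent and
    modulus.  Raises ValueError on anything that is not such a blob."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    btype, bversion, reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<III", blob, 8)
    if btype != BLOB_PUBLICKEY:
        raise ValueError(f"not a PUBLICKEYBLOB (bType={btype:#x})")
    if bversion != CUR_BLOB_VERSION or reserved != 0:
        raise ValueError("unexpected BLOBHEADER version/reserved bytes")
    if alg != CALG_RSA_KEYX:
        raise ValueError(f"unexpected aiKeyAlg {alg:#x}")
    if magic != MAGIC_RSA1:
        raise ValueError(f"bad RSAPUBKEY magic {magic:#x}")
    if bitlen % 8 != 0:
        raise ValueError("bitlen is not a multiple of 8")
    nbytes = bitlen // 8
    if len(blob) != HEADER_LEN + nbytes:
        raise ValueError(f"expected {HEADER_LEN + nbytes} bytes, got {len(blob)}")
    modulus = int.from_bytes(blob[HEADER_LEN:HEADER_LEN + nbytes], "little")
    return {"bitlen": bitlen, "pubexp": pubexp, "modulus": modulus}


def build_pubkey_blob(modulus: int, bitlen: int, pubexp: int = 65537) -> bytes:
    """Inverse of the parser; used here only to construct a sample .pky."""
    header = struct.pack("<BBHI", BLOB_PUBLICKEY, CUR_BLOB_VERSION, 0, CALG_RSA_KEYX)
    rsapub = struct.pack("<III", MAGIC_RSA1, bitlen, pubexp)
    return header + rsapub + modulus.to_bytes(bitlen // 8, "little")


# Constructed sample: a 2048-bit "modulus" that is not a real key.  A 2048-bit
# PUBLICKEYBLOB is 20 + 256 = 276 bytes.
SAMPLE_MODULUS = (1 << 2047) | 0x1234567
SAMPLE_PKY = build_pubkey_blob(SAMPLE_MODULUS, 2048)


if __name__ == "__main__":
    key = parse_rsa_pubkey_blob(SAMPLE_PKY)
    print(f"RSA-{key['bitlen']}, e={key['pubexp']}, n={key['modulus']:#x}"[:80])
```

On a real sample, `parse_rsa_pubkey_blob(open("00000000.pky", "rb").read())` gives the key size and exponent, which is enough to confirm that the per-victim key pair described above was generated, while passing `00000000.eky` to it raises ValueError because that file is RSA ciphertext with no blob header.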

ARSENAL

IDA Pro, x64dbg, PEStudio, Resource Hacker, WinHex, Windows Network Monitor, Process Monitor.
