WannaCry - a ransomware cryptoworm that affected more than 200,000 computers across 150 countries by encrypting data and demanding ransom payments in Bitcoin. It spreads across the network by exploiting a vulnerability in the SMB (Server Message Block) protocol, the one addressed by Microsoft bulletin MS17-010.
Before analyzing this malware, make sure you take these steps:
- Use a virtual machine for your analysis.
- Don't forget to take a snapshot of your VM so that, if something goes wrong, its state can be restored.
File Info - PE32 executable (GUI) Intel 80386, for MS Windows
Initially, the malware tries to connect to a domain, http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. If the connection is successful, the malware exits. This domain has since been sinkholed by security researchers so that it acts as a kill switch and minimizes further infection and spread.
If the connection is not successful, the malware creates a service with the display name "Microsoft Security Center (2.0) Service" and the service name "mssecsvc2.0".
- RESOURCE SECTION
Analyzing the malware with PeStudio shows that the resource named 'R' is itself an executable, which means the resource section contains another embedded file.
- EXTRACTING files from ‘R’
The malware writes the data from its resource section "R" to tasksche.exe, copies it to C:\Windows\tasksche.exe, and then uses MoveFileExA to move it to C:\Windows\qeriuwjhrf.
The resource section also looks suspicious because it contains a resource "XIA" that starts with a PK signature, which implies it is a zip file; the malware extracts it using the password "WNcry@2ol7".
The files dropped from the XIA resource section are:
- msg folder
This folder contains the ransom note in different languages.
A bitmap file that displays the message shown above.
It contains the Tor browser configuration and the .onion domains listed below, used mainly for bitcoin transactions,
and uses https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip to download the Tor browser.
These are the bitcoin wallets to which the attacker wants the ransom paid.
One of the wallets is shown in the screenshot.
This file contains the instructions displayed to the user.
It also contains a zip file (PK signature) with a Tor executable inside.
It is a file with a WannaCry signature and works as the encryption tool.
It is the decryption tool.
It is executed every 30 seconds and is a support tool for removing temporary files.
Launches the decryption tool.
The malware changes the attributes of the files after dropping them.
- Uses "attrib +h" to hide the current working directory.
- attrib allows an MS-DOS and Windows command-line user to change the attributes of a file.
- Uses "icacls . /grant Everyone:F /T /C /Q" to grant full access to the files and folders.
- icacls allows changing access control lists for files and folders.
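The behaviour described so far (the kill-switch lookup, the mssecsvc2.0 service, tasksche.exe written under C:\Windows, and the attrib/icacls commands) is what a defender would look for in endpoint telemetry. The following Go program is an added example, not part of the original write-up or of the malware: it matches those indicators against constructed, Sysmon-style event lines (the image path C:\lab\sample.exe is a hypothetical placeholder; the lines are not real telemetry). The icacls pattern deliberately tolerates the "Everyone: F" spacing that appears in some write-ups as well as the real "Everyone:F".

```go
package main

import (
	"fmt"
	"regexp"
)

// indicator pairs a label with a pattern drawn from the behaviour described above:
// the kill-switch domain lookup, the mssecsvc2.0 service, the dropped tasksche.exe,
// and the attrib / icacls commands run on the working directory.
type indicator struct {
	name string
	re   *regexp.Regexp
}

var indicators = []indicator{
	{"killswitch-domain", regexp.MustCompile(`(?i)iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea\.com`)},
	{"service-mssecsvc2.0", regexp.MustCompile(`(?i)mssecsvc2\.0|Microsoft Security Center \(2\.0\) Service`)},
	{"dropped-tasksche", regexp.MustCompile(`(?i)\\windows\\tasksche\.exe`)},
	{"attrib-hide-dir", regexp.MustCompile(`(?i)\battrib\s+\+h\b`)},
	// Accepts both "Everyone:F" and the spaced "Everyone: F" form.
	{"icacls-everyone-full", regexp.MustCompile(`(?i)\bicacls\s+\.\s+/grant\s+everyone:\s*f\b`)},
}

// matchIndicators returns the names of every indicator found in one event line.
func matchIndicators(line string) []string {
	var hits []string
	for _, ind := range indicators {
		if ind.re.MatchString(line) {
			hits = append(hits, ind.name)
		}
	}
	return hits
}

// scanEvents maps the index of each matching line to its indicator names;
// lines with no hits are left out of the map.
func scanEvents(lines []string) map[int][]string {
	out := make(map[int][]string)
	for i, l := range lines {
		if hits := matchIndicators(l); len(hits) > 0 {
			out[i] = hits
		}
	}
	return out
}

// sampleEvents are constructed, Sysmon-style lines (hypothetical image path
// C:\lab\sample.exe); they are not real telemetry.
var sampleEvents = []string{
	`EventID=22 Image=C:\lab\sample.exe QueryName=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com`,
	`EventID=7045 ServiceName=mssecsvc2.0 DisplayName=Microsoft Security Center (2.0) Service`,
	`EventID=11 Image=C:\lab\sample.exe TargetFilename=C:\Windows\tasksche.exe`,
	`EventID=1 Image=C:\Windows\System32\attrib.exe CommandLine=attrib +h .`,
	`EventID=1 Image=C:\Windows\System32\icacls.exe CommandLine=icacls . /grant Everyone:F /T /C /Q`,
	`EventID=1 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe notes.txt`,
}

func main() {
	for i, hits := range scanEvents(sampleEvents) {
		fmt.Printf("line %d: %v\n", i, hits)
	}
}
```

Run stand-alone it prints the five flagged lines and leaves the benign notepad line out; the attrib pattern is anchored on "+h" so that an ordinary "attrib -h" does not fire. Each indicator on its own is weak (icacls and attrib are legitimate tools), so in practice these would be scored together or joined with the service-creation event rather than alerted on individually.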
It encrypts files with the following extensions.
Each time a file is encrypted, its extension is changed to .WNRY.
It uses the Microsoft Enhanced RSA and AES Cryptographic Provider to perform the encryption.
- AES is used to encrypt the files with a symmetric AES key, and the encrypted files are stored on the system with the extension .WNCRY.
- For each client, a new RSA public/private key pair is generated.
- The client's AES key is encrypted with the newly generated client RSA public key, so it can only be decrypted with the client's private key.
- But the client's private key is in turn encrypted with the server's public key (the command and control server's).
- The client's private key can therefore only be decrypted with the server's private key, the master key that the attacker holds; obtaining it is what the ransom demand is for.
When the AES key has been encrypted with the RSA public key, the encrypted file's path is written to f.wnry.
00000000.pky - the client's public key.
00000000.eky - the client's private key, encrypted with the server's (attacker's) or embedded public key.
For decryption, the user needs the master key (the server's private key), which can be obtained by paying the ransom; the ransom doubles once the first timer expires.
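To make the key chain concrete, the following Go program is an added model of the hierarchy described in this section; it is not WannaCry's code, does not use CryptoAPI, and never touches the file system. RSA-OAEP and AES-256-GCM are this example's own choices, `seal`/`unseal` are its own helpers, and the `clientPub` and `eky` fields play the roles of 00000000.pky and 00000000.eky. What it demonstrates is the recovery dependency the text describes: the encrypted file can be recovered with the server private key (the master key) and with nothing else, because the AES file key is sealed to a client key whose private half survives only in sealed form.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// sealed is one hybrid-encrypted blob: a fresh AES-256 key wrapped with RSA-OAEP plus
// the AES-GCM ciphertext. The same shape serves both levels of the hierarchy: file
// content sealed to the client key, and the client private key sealed to the server key.
type sealed struct {
	wrappedKey []byte
	nonce      []byte
	ct         []byte
}

func seal(pub *rsa.PublicKey, plaintext []byte) (*sealed, error) {
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	return &sealed{wrappedKey: wrapped, nonce: nonce, ct: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

func unseal(priv *rsa.PrivateKey, s *sealed) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.wrappedKey, nil)
	if err != nil {
		return nil, err // wrong RSA key: the wrapped AES key cannot be recovered
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.nonce, s.ct, nil)
}

// victimState is what an analyst finds on the infected host: the client public key
// (role of 00000000.pky), the client private key sealed to the server key (role of
// 00000000.eky), and the encrypted file. The plain client private key is gone.
type victimState struct {
	clientPub *rsa.PublicKey
	eky       *sealed
	encFile   *sealed
}

// simulateInfection builds that state in memory from one constructed file.
func simulateInfection(serverPub *rsa.PublicKey, file []byte) (*victimState, error) {
	clientPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	eky, err := seal(serverPub, x509.MarshalPKCS1PrivateKey(clientPriv))
	if err != nil {
		return nil, err
	}
	encFile, err := seal(&clientPriv.PublicKey, file)
	if err != nil {
		return nil, err
	}
	// clientPriv is discarded here; only its sealed form (eky) survives.
	return &victimState{clientPub: &clientPriv.PublicKey, eky: eky, encFile: encFile}, nil
}

// recoverFile walks the chain back: master (server private) key -> client private key
// -> AES file key -> plaintext. Any key other than the master key fails at the first step.
func recoverFile(master *rsa.PrivateKey, v *victimState) ([]byte, error) {
	der, err := unseal(master, v.eky)
	if err != nil {
		return nil, fmt.Errorf("eky cannot be opened without the matching server private key: %w", err)
	}
	clientPriv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, err
	}
	return unseal(clientPriv, v.encFile)
}
```

A typical run generates a server key pair (standing in for the attacker-held master key), calls `simulateInfection` with a constructed document, and then calls `recoverFile` twice: once with the server private key, which returns the document, and once with an unrelated RSA key, which fails at the OAEP step. This is also why the client public key (.pky) on disk is of no help to recovery: it only ever encrypts, and the matching private key exists only inside .eky.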
Tools used: IDA Pro, x64dbg, PEStudio, Resource Hacker, WinHex, Windows Network Monitor, Process Monitor.