WannaCry Analysis

WannaCry

Before analyzing this malware, make sure you take these steps:

  • Use a virtual machine for your analysis, on an isolated network: this sample is a worm and will try to spread to other hosts over SMB.
  • Don't forget to take a snapshot of your VM so that, if something goes wrong, you can restore its state.

ANALYSIS

Figure: beacon. Before doing anything else the sample tries to reach a hard-coded web domain; if the request succeeds it exits, which is the kill switch that stopped the 2017 outbreak once the domain was registered.
Figure: service creation. The sample installs itself as a Windows service so that it is started again with the machine.
Figure: resource section of the dropper, and the files being extracted from resource "R".
Figure: resources section of Tasksche.e

XIA RESOURCE CONTENT

  • msg folder (ransom messages in several languages)
  • b.wnry (bitmap set as the desktop wallpaper)
  • c.wnry (configuration: Tor addresses and Bitcoin wallets)
  • r.wnry (ransom note text)
  • s.wnry (zip archive containing the Tor client)
  • t.wnry (the encrypted DLL that does the file encryption)
  • u.wnry (the decryptor shown to the victim)
  • taskdl.exe
  • taskse.exe
  • Uses "attrib +h ." to hide the current working directory. attrib lets an MS-DOS or Windows command-line user change the attributes of a file or directory; +h sets the hidden attribute.
  • Uses "icacls . /grant Everyone:F /T /C /Q" to grant Everyone full access to the working directory and everything in it. icacls changes access control lists for files and folders; /T applies the change recursively, /C continues past errors and /Q suppresses success messages.
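A small detection check for the two commands above, added here as an example in Go; it is not the post's own code or a rule from any product. It parses constructed Sysmon-style process-creation lines (the line format, the paths and the field names are assumptions made for the example) and reports a parent process whose children ran both "attrib +h ." and "icacls . /grant Everyone:F", the working-directory preparation described above.

```go
package main

import (
	"regexp"
	"strings"
)

// SampleLog holds constructed Sysmon-style process-creation records (not real
// telemetry). Each line carries the parent image and the child's command line.
var SampleLog = []string{
	`ParentImage=C:\Users\victim\Downloads\sample.exe CommandLine="attrib +h ."`,
	`ParentImage=C:\Users\victim\Downloads\sample.exe CommandLine="icacls . /grant Everyone:F /T /C /Q"`,
	`ParentImage=C:\Windows\explorer.exe CommandLine="icacls C:\share /grant Builtin\Users:RX /T"`,
	`ParentImage=C:\Windows\System32\cmd.exe CommandLine="attrib -r report.docx"`,
}

var (
	// key=value or key="quoted value" fields of one record.
	fieldRe = regexp.MustCompile(`(\w+)=("[^"]*"|\S+)`)
	// attrib +h applied to the current directory "." itself, not to a named file.
	hideCwd = regexp.MustCompile(`(?i)\battrib(?:\.exe)?\s+\+h\s+\.(?:\s|$)`)
	// icacls granting Everyone full control of "." (the /T /C /Q switches may follow).
	grantEveryone = regexp.MustCompile(`(?i)\bicacls(?:\.exe)?\s+\.\s+/grant\s+everyone:\s*f\b`)
)

// Detect returns, per parent image, the names of the rules its child processes
// triggered, in log order. A single hit is worth a look; both together are the
// WannaCry staging sequence.
func Detect(lines []string) map[string][]string {
	hits := map[string][]string{}
	for _, line := range lines {
		rec := map[string]string{}
		for _, f := range fieldRe.FindAllStringSubmatch(line, -1) {
			rec[f[1]] = strings.Trim(f[2], `"`)
		}
		cmd, parent := rec["CommandLine"], rec["ParentImage"]
		if hideCwd.MatchString(cmd) {
			hits[parent] = append(hits[parent], "attrib_hide_cwd")
		}
		if grantEveryone.MatchString(cmd) {
			hits[parent] = append(hits[parent], "icacls_everyone_full")
		}
	}
	return hits
}

// Staging lists the parent images that issued both commands.
func Staging(lines []string) []string {
	var out []string
	for parent, rules := range Detect(lines) {
		seen := map[string]bool{}
		for _, r := range rules {
			seen[r] = true
		}
		if seen["attrib_hide_cwd"] && seen["icacls_everyone_full"] {
			out = append(out, parent)
		}
	}
	return out
}
```

Run Detect(SampleLog) and only sample.exe is reported, with both rules; the explorer.exe and cmd.exe lines are legitimate uses of the same tools and are not matched because the rules insist on "." as the target and on Everyone:F.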

ENCRYPTION

  • Files are encrypted with AES using a symmetric AES key (in practice a fresh key per file, stored RSA-encrypted in the file header), and each encrypted file is written back with the extension .WNCRY.
  • For each client (infected machine) a new RSA public/private key pair is generated.
  • The client's AES key is encrypted with the newly generated client RSA public key, so it can only be decrypted with the client's RSA private key.
  • But the client's private key is itself encrypted with the server's (command-and-control) public key.
  • The client's private key can therefore only be decrypted with the server's private key, the master key that the attacker holds; to obtain it, the victim is told to pay the ransom.
Figure: key material on disk: f.wnry (list of files the decryptor restores for free as a demonstration), the pky file (client public key) and the eky file (client private key, encrypted for the attacker).
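The key hierarchy described above, worked through as an added example in Go; this is not code from the post or from the malware. It models the scheme with standard-library RSA-OAEP and AES-128-CBC and goes slightly beyond the bullets by using a fresh AES key per file, which is what the sample actually does. The 2048-bit key size, OAEP (the real sample uses Windows CryptoAPI), the Envelope layout and the Seal/Open/Infect/Recover names are assumptions made for the example; the .WNCRY header format is not reproduced.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// Envelope is one hybrid-encrypted blob: a fresh AES-128 key wrapped with an RSA
// public key plus the AES-CBC ciphertext. Both .WNCRY files and eky use this shape here.
type Envelope struct {
	WrappedKey []byte // AES key encrypted with RSA-OAEP (assumption, see lead-in)
	IV         []byte
	Ciphertext []byte
}

// Seal encrypts data under a random AES key and wraps that key with pub.
func Seal(pub *rsa.PublicKey, data []byte) (*Envelope, error) {
	keyIV := make([]byte, 16+aes.BlockSize)
	if _, err := rand.Read(keyIV); err != nil {
		return nil, err
	}
	key, iv := keyIV[:16], keyIV[16:]
	block, _ := aes.NewCipher(key) // a 16-byte key cannot fail
	n := aes.BlockSize - len(data)%aes.BlockSize // PKCS#7: always add 1..16 bytes
	padded := append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return &Envelope{WrappedKey: wrapped, IV: iv, Ciphertext: ct}, err
}

// Open reverses Seal; it fails unless priv matches the public key used in Seal.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err // wrong RSA key: OAEP rejects the wrapped AES key
	}
	block, err := aes.NewCipher(key)
	if err != nil || len(env.IV) != aes.BlockSize || len(env.Ciphertext) == 0 || len(env.Ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("malformed envelope")
	}
	pt := make([]byte, len(env.Ciphertext))
	cipher.NewCBCDecrypter(block, env.IV).CryptBlocks(pt, env.Ciphertext)
	if n := int(pt[len(pt)-1]); n > 0 && n <= aes.BlockSize {
		return pt[:len(pt)-n], nil
	}
	return nil, errors.New("bad PKCS#7 padding")
}

// Infection is what is left on the victim: client public key (pky), client
// private key sealed to the attacker (eky), and the .WNCRY files.
type Infection struct {
	ClientPub  *rsa.PublicKey
	SealedPriv *Envelope
	Files      map[string]*Envelope
}

// Infect is the victim-side flow: per-victim RSA pair, every file sealed to its
// public key, the private key sealed to attackerPub and then dropped.
func Infect(attackerPub *rsa.PublicKey, files map[string][]byte) (*Infection, error) {
	clientPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	inf := &Infection{ClientPub: &clientPriv.PublicKey, Files: map[string]*Envelope{}}
	for name, data := range files {
		if inf.Files[name+".WNCRY"], err = Seal(inf.ClientPub, data); err != nil {
			return nil, err
		}
	}
	inf.SealedPriv, err = Seal(attackerPub, x509.MarshalPKCS1PrivateKey(clientPriv))
	return inf, err
}

// Recover is the attacker-side decryptor: unseal the client private key with the
// attacker's key, then open every file. Any other key fails at the first step.
func Recover(attackerPriv *rsa.PrivateKey, inf *Infection) (map[string][]byte, error) {
	der, err := Open(attackerPriv, inf.SealedPriv)
	if err != nil {
		return nil, err
	}
	clientPriv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, err
	}
	out := map[string][]byte{}
	for name, env := range inf.Files {
		if out[name], err = Open(clientPriv, env); err != nil {
			return nil, err
		}
	}
	return out, nil
}
```

The point to take from the model: after Infect returns, the only copy of the client private key is inside SealedPriv, so everything on the victim's disk (ClientPub, SealedPriv, the .WNCRY envelopes) is useless without the attacker's private key, and Recover with any other RSA key fails before touching a single file.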

ARSENAL


Preet kamal, Security Analyst @IBM https://www.linkedin.com/in/preet-kamal-b61385132/
