WannaCryptor (WannaCry) was a global ransomware outbreak that created chaos on May 12, 2017. It propagated using the EternalBlue SMBv1 exploit leaked by the Shadow Brokers.

Some researchers speculated, from the language of the ransom notes, that the WannaCry authors were native Chinese speakers.

Many security companies attributed the attack to the Lazarus group, a nation-state actor previously believed to be behind the Sony Pictures breach and the Bangladesh Bank heist.

WannaCry initially demanded $300 in Bitcoin for file recovery. The registration of a kill-switch domain that the malware queried before running saved many would-be victims from infection.

This post features a complete analysis of the WannaCryptor ransomware from both the dynamic and the static point of view.

Binary file overview

The WannaCry dropper is unusually large compared with other ransomware (about 3.5 MB, almost all of it in the resource section). Initial static analysis of the binary gives the following cues:

Step 1. Dumping File Headers

Use the following command to dump the PE headers:

dumpbin.exe ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa /HEADERS

Microsoft (R) COFF/PE Dumper Version 10.00.30319.01
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)
               4 number of sections
        4CE78F41 time date stamp Sat Nov 20 14:35:05 2010
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             10F characteristics
                   Relocations stripped
                   Executable
                   Line numbers stripped
                   Symbols stripped
                   32-bit word machine

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            6.00 linker version
            7000 size of code
          352000 size of initialized data
               0 size of uninitialized data
            77BA entry point (004077BA)
            1000 base of code
            8000 base of data
          400000 image base (00400000 to 00759FFF)
            1000 section alignment
            1000 file alignment
            4.00 operating system version
            0.00 image version
            4.00 subsystem version
               0 Win32 version
          35A000 size of image
            1000 size of headers
               0 checksum
               2 subsystem (Windows GUI)
               0 DLL characteristics
          100000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
            D5A8 [      64] RVA [size] of Import Directory
           10000 [  349FA0] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
               0 [       0] RVA [size] of Certificates Directory
               0 [       0] RVA [size] of Base Relocation Directory
               0 [       0] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
            8000 [     1D8] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory

It has four sections, .text, .rdata, .data and .rsrc, which are discussed in detail later. A few header fields are already telling: the linker version 6.00 points to Visual C++ 6.0, the time stamp is from 2010, the DLL characteristics are 0 (the image does not opt into ASLR or DEP), the Certificates Directory is empty (the file is unsigned), and the Resource Directory alone accounts for 0x349FA0 of the 0x35A000-byte image.

Step 2. View Sections using PEHeaven

PE Explorer from Heaventools (http://www.heaventools.com/overview.htm) is a convenient tool for viewing and manipulating PE headers and data. Using it, we can view the imports to get a general idea of what this file does.

From the imports (resource-loading functions such as FindResourceA next to service-control and CryptoAPI functions), it is quite evident that this binary will eventually load another binary out of its resource section.

Step 3. Dump Strings from binary

Basic strings from the binary also give initial information about how it behaves when executed, the type of actions it performs, and the cryptography it uses to encrypt files.

Some important strings from the sample:

admin@home ~ $ strings ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
inflate 1.1.3 Copyright 1995-1998 Mark Adler
- unzip 0.15 Copyright 1998 Gilles Vollant

These strings come from the zlib inflate code and the minizip unzip library that are statically linked into the binary (discussed in part II). They are what WannaCry uses to decompress a second executable out of its resources.

Other important strings, used for encryption, are:

Microsoft Enhanced RSA and AES Cryptographic Provider
CryptGenKey
CryptDecrypt
CryptEncrypt
CryptDestroyKey
CryptImportKey
CryptAcquireContextA

WannaCry uses the Windows CryptoAPI (the "Microsoft Enhanced RSA and AES Cryptographic Provider") rather than its own cipher code to encrypt and decrypt files with RSA and AES. CryptGenKey generates the per-victim key material, CryptImportKey loads the attacker's RSA public key that is embedded in the binary, and the victim's private key is written to disk only after being encrypted with that public key, so the attackers are the only party able to release it.

There are also strings related to command lines and mutex names:

Global\MsWinZonesCacheCounterMutexA
tasksche.exe
TaskStart
t.wnry
icacls . /grant Everyone:F /T /C /Q
attrib +h .

icacls is a native Windows command-line utility for displaying and modifying the security descriptors (DACLs) of files and folders. The command above grants the Everyone group full control (F) of the current directory and everything under it (/T), continuing on errors (/C) and without prompts (/Q), so that the dropped components are readable, writable and executable by any user. attrib +h . then hides the working directory.

Global\MsWinZonesCacheCounterMutexA is a named mutex the malware creates so that a second instance can detect that the machine is already infected.

Certain strings reveal the multilingual ransom notes bundled with WannaCry:

msg/m_bulgarian.wnry
msg/m_chinese (simplified).wnry
msg/m_chinese (traditional).wnry
msg/m_croatian.wnry
msg/m_czech.wnry
msg/m_danish.wnry
msg/m_dutch.wnry
msg/m_english.wnry
msg/m_filipino.wnry
msg/m_finnish.wnry
msg/m_french.wnry
msg/m_german.wnry
msg/m_greek.wnry
msg/m_indonesian.wnry
msg/m_italian.wnry
msg/m_japanese.wnry
msg/m_korean.wnry
msg/m_latvian.wnry
msg/m_norwegian.wnry
msg/m_polish.wnry
msg/m_portuguese.wnry
msg/m_romanian.wnry
msg/m_russian.wnry
msg/m_slovak.wnry
msg/m_spanish.wnry
msg/m_swedish.wnry
msg/m_turkish.wnry
msg/m_vietnamese.wnry

Step 4. Using binvis.io to view file entropy

Let's now have a look at what the entropy of the binary reveals.

Go to http://www.binvis.io to generate the PE file entropy online.

The entropy plot shows that the bulk of the file is high-entropy data, i.e. compressed or encrypted content rather than code, so the executable almost certainly carries a payload that is decompressed or decrypted out of its resource section. That section is by far the largest of the four:

  2000 .data
  6000 .rdata
34A000 .rsrc
  7000 .text

It also carries version information that masquerades it as the Windows DiskPart utility. Since the Certificates Directory is empty, the claimed Microsoft origin is unsigned and trivially disproved:

Child Type: StringFileInfo
Language/Code Page: 1033/1200
CompanyName: Microsoft Corporation
FileDescription: DiskPart
FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName: diskpart.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: diskpart.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.1.7601.17514

Child Type: VarFileInfo
Translation: 1033/1200

Step 5. Checking resources using Resource Hacker

Load the file in Resource Hacker (http://www.angusj.com/resourcehacker/), a tool for viewing and manipulating PE resources. Looking at the resource section reveals the type of data stored there.
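The checks from Steps 1, 4 and 5 (header fields, section table, per-section entropy and the share of the image taken by the resource directory) can be automated without any third-party PE library. The script below is an added example, not code from the original analysis; it parses a PE32 with the stdlib struct module, computes Shannon entropy per section and emits the same kind of red flags the dumpbin and binvis review surfaced above. The sample PE it triages is constructed in-line (two sections, a repetitive .text and a hash-filled .rsrc) so it runs offline; pass a real file path as the first argument to triage that instead.

```python
"""Stdlib-only PE32 triage: header fields, section table, per-section entropy, resource ratio.
Added example (not the original analysis' code); the sample PE at the bottom is constructed."""
import hashlib
import math
import struct
import sys
from collections import Counter

MACHINES = {0x14C: "x86", 0x8664: "x64"}
DLLCHAR_DYNAMIC_BASE = 0x0040   # ASLR opt-in
DLLCHAR_NX_COMPAT = 0x0100      # DEP opt-in
DIR_RESOURCE = 2                # index of the Resource Directory among the data directories
# PE32 optional header without the data directories (96 bytes), little-endian, no padding
OPT_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for padding, roughly 4-6 for code, close to 8 for packed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> PE32 optional header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    f = struct.unpack_from(OPT_FMT, blob, opt)
    if f[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    dirs = [struct.unpack_from("<II", blob, opt + 96 + 8 * i) for i in range(f[29])]
    sections = []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, schars = struct.unpack_from(
            "<8sIIIIIIHHI", blob, opt + opt_size + 40 * i)
        raw = blob[raw_ptr:raw_ptr + raw_size]           # what is actually on disk for this section
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw_size": raw_size, "chars": schars,
                         "entropy": shannon_entropy(raw)})
    return {"machine": MACHINES.get(machine, hex(machine)), "timestamp": stamp,
            "characteristics": chars, "entry_point": f[6], "image_base": f[9],
            "size_of_image": f[19], "size_of_headers": f[20], "subsystem": f[22],
            "dll_characteristics": f[23], "directories": dirs, "sections": sections}


def triage(info: dict) -> list:
    """Cheap static red flags of the kind the header and entropy review above surfaces."""
    findings = []
    if not info["dll_characteristics"] & DLLCHAR_DYNAMIC_BASE:
        findings.append("DllCharacteristics lacks DYNAMIC_BASE: no ASLR opt-in")
    if not info["dll_characteristics"] & DLLCHAR_NX_COMPAT:
        findings.append("DllCharacteristics lacks NX_COMPAT: no DEP opt-in")
    for s in info["sections"]:
        if s["entropy"] > 7.0:
            findings.append(f"section {s['name']} entropy {s['entropy']:.2f}: "
                            "compressed or encrypted payload likely")
    rva, size = info["directories"][DIR_RESOURCE] if len(info["directories"]) > DIR_RESOURCE else (0, 0)
    if size and size * 2 > info["size_of_image"]:
        pct = 100 * size // info["size_of_image"]
        findings.append(f"resource directory is {pct}% of the image: embedded payload likely")
    return findings


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 (not a real binary): low-entropy .text, high-entropy .rsrc."""
    file_align = 0x200
    text = (b"\x55\x8b\xec\x33\xc0\x5d\xc3" + b"\xcc" * 9) * 32     # 0x200 bytes of repetitive "code"
    rsrc, seed = b"", b"constructed-sample"
    while len(rsrc) < 0x3000:                                       # 0x3000 bytes of SHA-256 output
        seed = hashlib.sha256(seed).digest()
        rsrc += seed
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x4CE78F41, 0, 0, 0xE0, 0x10F)
    dirs = [(0, 0)] * 16
    dirs[DIR_RESOURCE] = (0x2000, len(rsrc))
    opt = struct.pack(OPT_FMT, 0x10B, 6, 0, len(text), len(rsrc), 0, 0x1000, 0x1000, 0x2000,
                      0x400000, 0x1000, file_align, 4, 0, 0, 0, 4, 0, 0, 0x5000, file_align, 0,
                      2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    sect += struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), 0x2000, len(rsrc), 0x400, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\0\0" + coff + opt + sect
    return headers + b"\0" * (file_align - len(headers)) + text + rsrc


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    report = parse_pe(data)
    for s in report["sections"]:
        print(f"{s['name']:8} va={s['va']:#08x} raw={s['raw_size']:#08x} entropy={s['entropy']:.2f}")
    for finding in triage(report):
        print("!", finding)
```

Run against the WannaCry sample, the same logic flags .rsrc (0x34A000 bytes, nearly the whole image) and the zero DLL characteristics; the entropy threshold of 7.0 bits/byte is a heuristic, so treat a hit as "go look at the resources", not as proof of packing.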

Step 6. Extracting embedded data using Binwalk

The resource data begins with the 'PK' signature, the magic bytes of a ZIP archive. Running binwalk on the binary (-e also attempts extraction) gives the following result:

binwalk -e ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Microsoft portable executable
52811         0xCE4B          Copyright string: " 1995-1998 Mark Adler "
65776         0x100F0         Zip encrypted archive data, at least v2.0 to extract, compressed size: 14164, uncompressed size: 1440054, name: "b.wnry"
79976         0x13868         Zip encrypted archive data, at least v2.0 to extract, compressed size: 177, uncompressed size: 780, name: "c.wnry"
80189         0x1393D         Zip encrypted archive data, at least v2.0 to extract, compressed size: 9404, uncompressed size: 47879, name: "msg/m_bulgarian.wnry"
89643         0x15E2B         Zip encrypted archive data, at least v2.0 to extract, compressed size: 11044, uncompressed size: 54359, name: "msg/m_chinese (simplified).wnry"
100748        0x1898C         Zip encrypted archive data, at least v2.0 to extract, compressed size: 11633, uncompressed size: 79346, name: "msg/m_chinese (traditional).wnry"
112443        0x1B73B         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8905, uncompressed size: 39070, name: "msg/m_croatian.wnry"
121397        0x1DA35         Zip encrypted archive data, at least v2.0 to extract, compressed size: 9079, uncompressed size: 40512, name: "msg/m_czech.wnry"
130522        0x1FDDA         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8688, uncompressed size: 37045, name: "msg/m_danish.wnry"
139257        0x21FF9         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8694, uncompressed size: 36987, name: "msg/m_dutch.wnry"
147997        0x2421D         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8700, uncompressed size: 36973, name: "msg/m_english.wnry"
156745        0x26449         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8795, uncompressed size: 37580, name: "msg/m_filipino.wnry"
165589        0x286D5         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8786, uncompressed size: 38377, name: "msg/m_finnish.wnry"
174423        0x2A957         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8841, uncompressed size: 38437, name: "msg/m_french.wnry"
183311        0x2CC0F         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8787, uncompressed size: 37181, name: "msg/m_german.wnry"
192145        0x2EE91         Zip encrypted archive data, at least v2.0 to extract, compressed size: 9554, uncompressed size: 49044, name: "msg/m_greek.wnry"
201745        0x31411         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8691, uncompressed size: 37196, name: "msg/m_indonesian.wnry"
210487        0x33637         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8735, uncompressed size: 36883, name: "msg/m_italian.wnry"
219270        0x35886         Zip encrypted archive data, at least v2.0 to extract, compressed size: 11242, uncompressed size: 81844, name: "msg/m_japanese.wnry"
230561        0x384A1         Zip encrypted archive data, at least v2.0 to extract, compressed size: 11209, uncompressed size: 91501, name: "msg/m_korean.wnry"
241817        0x3B099         Zip encrypted archive data, at least v2.0 to extract, compressed size: 9023, uncompressed size: 41169, name: "msg/m_latvian.wnry"
250888        0x3D408         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8707, uncompressed size: 37577, name: "msg/m_norwegian.wnry"
259645        0x3F63D         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8950, uncompressed size: 39896, name: "msg/m_polish.wnry"
268642        0x41962         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8752, uncompressed size: 37917, name: "msg/m_portuguese.wnry"
277445        0x43BC5         Zip encrypted archive data, at least v2.0 to extract, compressed size: 9499, uncompressed size: 52161, name: "msg/m_romanian.wnry"
286993        0x46111         Zip encrypted archive data, at least v2.0 to extract, compressed size: 9419, uncompressed size: 47108, name: "msg/m_russian.wnry"
296460        0x4860C         Zip encrypted archive data, at least v2.0 to extract, compressed size: 9124, uncompressed size: 41391, name: "msg/m_slovak.wnry"
305631        0x4A9DF         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8727, uncompressed size: 37381, name: "msg/m_spanish.wnry"
314406        0x4CC26         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8771, uncompressed size: 38483, name: "msg/m_swedish.wnry"
323225        0x4EE99         Zip encrypted archive data, at least v2.0 to extract, compressed size: 9084, uncompressed size: 42582, name: "msg/m_turkish.wnry"
332357        0x51245         Zip encrypted archive data, at least v2.0 to extract, compressed size: 11224, uncompressed size: 93778, name: "msg/m_vietnamese.wnry"
343632        0x53E50         Zip encrypted archive data, at least v2.0 to extract, compressed size: 484, uncompressed size: 864, name: "r.wnry"
344152        0x54058         Zip encrypted archive data, at least v2.0 to extract, compressed size: 3009375, uncompressed size: 3038286, name: "s.wnry"
3353563       0x332BDB        Zip encrypted archive data, at least v2.0 to extract, compressed size: 65828, uncompressed size: 65816, name: "t.wnry"
3419427       0x342D23        Zip encrypted archive data, at least v2.0 to extract, compressed size: 3457, uncompressed size: 20480, name: "taskdl.exe"
3422924       0x343ACC        Zip encrypted archive data, at least v2.0 to extract, compressed size: 2555, uncompressed size: 20480, name: "taskse.exe"
3425519       0x3444EF        Zip encrypted archive data, at least v2.0 to extract, compressed size: 82980, uncompressed size: 245760, name: "u.wnry"
3509363       0x358C73        LZMA compressed data, properties: 0x90, dictionary size: 1048576 bytes, uncompressed size: 36 bytes
3509960       0x358EC8        LZMA compressed data, properties: 0xBF, dictionary size: 1048576 bytes, uncompressed size: 36 bytes
3512079       0x35970F        End of Zip archive

Every member is marked "encrypted", so binwalk -e cannot unpack them without the password (recovered from the code in the static analysis below). Two sizes stand out: s.wnry is 3 MB by itself and barely compresses (it is the bundled Tor client that later runs as taskhsvc.exe), and t.wnry is stored practically uncompressed (65828 vs 65816 bytes), which is consistent with already-encrypted content. The two LZMA hits sit between the last member and the end-of-archive record, i.e. inside the ZIP central directory, and are binwalk false positives.


Step 7. Submitting PE file for dynamic analysis

Upload the file to https://www.hybrid-analysis.com. The sandbox report lists the following behaviours:


Contains a remote desktop related string
Reads terminal service related keys (often RDP related)
Uses network protocols on unusual ports
Deletes volume snapshots (often used by ransomware)
Detected indicator that file is ransomware
Disables startup repair
Grants permissions using icacls (DACL modification)
Modifies auto-execute functionality by setting/creating a value in the registry
Spawns a lot of processes
Tries to suppress failures during boot (often used to hide system changes)
Found a dropped file containing the Windows username (possible fingerprint attempt)
Reads system information using Windows Management Instrumentation Command-line (WMIC)
Reads the active computer name
Reads the cryptographic machine GUID
Opens the MountPointManager (often used to detect additional infection locations)
Contacts 14 hosts.

The Hybrid Analysis sandbox correctly flags the file as a ransomware Trojan. Note that the snapshot deletion, the icacls DACL change and the registry auto-start entry are exactly the behaviours the strings above hinted at.

It also presents a screenshot of the desktop after the file was executed in the controlled environment: the ransomware's wallpaper, telling the victim that the machine has been infected and asking for the ransom.

The process-tree section lays out the flow of execution, which reveals:

  1. Install path
  2. Commands executed
  3. Registry keys created

i.e. where the registry Run key was created, which cmd.exe commands were executed and which other executables were started.

The network analysis section lists the traffic generated by WannaCry. The TCP connection shown belongs to taskhsvc.exe, the bundled Tor client reaching the Tor network:

171.25.193.9    TCP    taskhsvc.exe    PID: 3936    Sweden

Any files dropped or executed during the run can be downloaded from the report for further analysis.
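The strings from Step 3 and the sandbox behaviours above translate directly into hunting logic for process-creation telemetry (Sysmon event 1, EDR process events). The script below is an added example, not part of the original post: it scores each host on weighted rules and only reports hosts whose combined score crosses a threshold, so a lone attrib +h . from an administrator does not page anyone. The first three rules come straight from the strings and behaviours listed above; the shadow-copy, boot-repair and Run-key rules encode the usual commands behind those sandbox descriptions in ransomware generally and are not claimed to be this sample's exact command lines. The log lines and the pipe-separated field layout (ts|host|user|parent|image|command_line) are constructed for the example, not a real product's schema.

```python
"""Hunt for the dropper's runtime artefacts in process-creation telemetry (stdlib only).
Added example, not the original analysis' code; log lines and field layout are constructed."""
import re

# (rule name, weight, pattern over "<image> <command line>")
RULES = [
    ("icacls_everyone_full", 3, re.compile(r"icacls\s+\.\s+/grant\s+Everyone:F\b", re.I)),
    ("attrib_hide_cwd",      1, re.compile(r"\battrib\s+\+h\s+\.(\s|$)", re.I)),
    ("wannacry_component",   3, re.compile(r"\\(tasksche|taskdl|taskse|taskhsvc)\.exe\b", re.I)),
    # generic ransomware tradecraft behind the sandbox's "deletes volume snapshots",
    # "disables startup repair" and "modifies auto-execute" findings (assumed, not from this sample)
    ("shadow_copy_deletion", 3, re.compile(r"vssadmin\b.*\bdelete\s+shadows|wmic\b.*\bshadowcopy\s+delete", re.I)),
    ("boot_repair_disabled", 2, re.compile(r"bcdedit\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("run_key_persistence",  2, re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I)),
]

# Constructed sample telemetry: WS01 shows the dropper's chain (service -> cmd.exe /c "<path>" ->
# tasksche.exe -> icacls/attrib -> Tor client); WS02 is an admin doing legitimate ACL work.
SAMPLE_LOG = r"""
# ts|host|user|parent_image|image|command_line
2017-05-12T10:01:05Z|WS01|SYSTEM|C:\Windows\System32\services.exe|C:\Windows\System32\cmd.exe|cmd.exe /c "C:\ProgramData\hjrkqe\tasksche.exe"
2017-05-12T10:01:06Z|WS01|SYSTEM|C:\Windows\System32\cmd.exe|C:\ProgramData\hjrkqe\tasksche.exe|C:\ProgramData\hjrkqe\tasksche.exe
2017-05-12T10:01:07Z|WS01|SYSTEM|C:\ProgramData\hjrkqe\tasksche.exe|C:\Windows\System32\icacls.exe|icacls . /grant Everyone:F /T /C /Q
2017-05-12T10:01:07Z|WS01|SYSTEM|C:\ProgramData\hjrkqe\tasksche.exe|C:\Windows\System32\attrib.exe|attrib +h .
2017-05-12T10:03:40Z|WS01|SYSTEM|C:\ProgramData\hjrkqe\tasksche.exe|C:\ProgramData\hjrkqe\taskhsvc.exe|taskhsvc.exe
2017-05-12T10:05:12Z|WS02|corp\admin|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c icacls D:\share /grant corp\alice:R
2017-05-12T10:06:00Z|WS02|corp\admin|C:\Windows\explorer.exe|C:\Windows\System32\attrib.exe|attrib +h .
"""


def parse_line(line: str) -> dict:
    """Split one pipe-separated record; the command line may itself contain '|' so split at most 5 times."""
    ts, host, user, parent, image, cmdline = line.split("|", 5)
    return {"ts": ts, "host": host, "user": user, "parent": parent, "image": image, "cmdline": cmdline}


def match_rules(event: dict) -> list:
    """Names and weights of every rule that fires on one event (image and command line only)."""
    haystack = f"{event['image']} {event['cmdline']}"
    return [(name, weight) for name, weight, rx in RULES if rx.search(haystack)]


def scan(lines, threshold: int = 5) -> dict:
    """Aggregate hits per host and return those whose summed weight reaches the threshold."""
    hosts = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        event = parse_line(line)
        hits = match_rules(event)
        if not hits:
            continue
        bucket = hosts.setdefault(event["host"], {"score": 0, "rules": set(), "events": []})
        bucket["score"] += sum(w for _, w in hits)
        bucket["rules"].update(name for name, _ in hits)
        bucket["events"].append(f"{event['ts']} {event['image']} {event['cmdline']}")
    return {host: b for host, b in hosts.items() if b["score"] >= threshold}


if __name__ == "__main__":
    for host, bucket in scan(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: score={bucket['score']} rules={sorted(bucket['rules'])}")
        for ev in bucket["events"]:
            print("   ", ev)
```

The weights are deliberately skewed: the exact icacls . /grant Everyone:F form and the tasksche/taskdl/taskse/taskhsvc names are specific enough to carry most of the score on their own, while attrib +h . is only corroborating evidence. On the constructed data WS01 scores 13 across three distinct rules and WS02 never reaches the threshold.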

Step 8. Setting up debugging environment

  1. Download Binary Ninja
  2. Load the binary file in Binary Ninja

Dynamic analysis is instrumental in determining the runtime behaviour of a ransomware sample, but a deep dive needs static analysis. Static code analysis lets us determine the behaviour of WannaCry and specific technical details including, but not limited to:

  1. Packers and obfuscation
  2. Encryption keys and encryption algorithms
  3. Hidden functionality
  4. Kill switches relevant to WannaCry

Binary Ninja (https://binary.ninja/) is a machine-code static analysis tool in the vein of IDA. We will use it to perform static code analysis on the WannaCry sample. Opening the sample in Binary Ninja shows that WannaCry was written in Visual C++ (consistent with the linker version 6.00 in the PE header). PEiD can also be used to determine whether any packer has been applied.

Step 9. Loading a file in PEiD for compiler detection

  1. Download PEiD 0.95
  2. Load the binary file by clicking on the ... button
  3. Check the output results

WannaCry generates a pseudo-random name that it uses as its installation directory. If it was started with more than two arguments, it has already been copied and relaunched, so it skips this step and continues with the rest of the code.

The file is copied under %ProgramData%; the path is built with swprintf and created with CreateDirectory:

lea     eax, [ebp+Buffer]
push    eax                     ; Format
lea     eax, [ebp+String]
push    offset aSIntel          ; "%s\\Intel"
push    eax                     ; String
call    edi                     ; swprintf
push    [ebp+arg_0]             ; String
lea     eax, [ebp+WideCharStr]
push    eax                     ; lpFileName
lea     eax, [ebp+String]
push    eax                     ; lpPathName
call    CreateDirectory
add     esp, 18h
test    eax, eax

After this step, it creates a Windows service and starts it. The service type is 10h (SERVICE_WIN32_OWN_PROCESS), the start type 2 (SERVICE_AUTO_START, i.e. persistence across reboots), and the binary path is cmd.exe /c "<path of the dropper>", so the service is just a launcher for the copied file:

loc_401D45:
push    [ebp+arg_0]
lea     eax, [ebp+Dest]         ; filename
push    offset Format           ; "cmd.exe /c \"%s\""
push    eax                     ; Dest
call    ds:sprintf
add     esp, 0Ch
lea     eax, [ebp+Dest]
push    edi                     ; lpPassword
push    edi                     ; lpServiceStartName
push    edi                     ; lpDependencies
push    edi                     ; lpdwTagId
push    edi                     ; lpLoadOrderGroup
push    eax                     ; lpBinaryPathName
push    1                       ; dwErrorControl
push    2                       ; dwStartType
push    10h                     ; dwServiceType
push    ebx                     ; dwDesiredAccess
push    esi                     ; lpDisplayName
push    esi                     ; lpServiceName
push    [ebp+hSCManager]        ; hSCManager
call    ds:CreateServiceA

A configuration file named c.wnry is then written. It holds the settings used to reach the command-and-control servers, that is the Tor addresses, together with the three Bitcoin addresses used for ransom payment:

push    1                       ; read
push    eax                     ; DstBuf
mov     [ebp+Source], offset a13am4vw2dhxygx ; "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"
mov     [ebp+var_8], offset a12t9ydpgwuez9n  ; "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw"
mov     [ebp+var_4], offset a115p7ummngoj1p  ; "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn"
call    WriteConfigurationFile
pop     ecx
test    eax, eax
pop     ecx
jz      short locret_401EFD

Meanwhile, a resource of type "XIA" with ID 80Ah (2058) is located with FindResourceA. It holds the archive that is decompressed later and yields the components used by the tasksche.exe stage:

push    ebp
mov     ebp, esp
sub     esp, 12Ch
push    esi
push    edi
push    offset Type             ; "XIA"
push    80Ah                    ; lpName
push    [ebp+hModule]           ; hModule
call    ds:FindResourceA

The new service is named "Microsoft Security Center (2.0) Service".

The resource buffer is the password-protected ZIP archive seen in the binwalk output. It is decompressed with the password 'WNcry@2ol7', which is hard-coded in the binary:

mov     [esp+6F4h+Str], offset Str ; "WNcry@2ol7"
push    ebx                     ; hModule
call    Decompress
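Because the archive is a standard ZIP with traditional PKWARE (ZipCrypto) encryption, an analyst can reproduce the dropper's extraction step offline once the password is known: carve from the first local-file-header signature, list the members, and read them with the password. The script below is an added example and not the original analysis' code. It uses only the standard library; the "resource blob" it operates on is constructed in-line (a few filler bytes followed by a two-member archive whose contents are placeholders), and the _zipcrypto_encrypt helper exists solely to build that constructed sample with the same encryption scheme the real archive uses.

```python
"""Carve the password-protected ZIP out of a resource blob and read it with the known password.
Added example, not the original analysis' code; the blob below is constructed in-line."""
import io
import struct
import zipfile
import zlib

PASSWORD = b"WNcry@2ol7"       # the password the dropper hands to its unzip routine (see above)


def carve_zip(blob: bytes) -> bytes:
    """Slice from the first local-file-header magic; zipfile locates the central directory from the end."""
    off = blob.find(b"PK\x03\x04")
    if off < 0:
        raise ValueError("no ZIP local file header in blob")
    return blob[off:]


def list_entries(zip_bytes: bytes) -> list:
    """(name, compressed size, uncompressed size, encrypted) per member, like binwalk's listing."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(zi.filename, zi.compress_size, zi.file_size, bool(zi.flag_bits & 1))
                for zi in zf.infolist()]


def extract_member(zip_bytes: bytes, name: str, pwd: bytes) -> bytes:
    """Raises RuntimeError('Bad password ...') when the 12-byte ZipCrypto header check fails."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name, pwd=pwd)


# ---- everything below only builds the constructed sample ---------------------------------

def _zipcrypto_encrypt(data: bytes, pwd: bytes, check_byte: int) -> bytes:
    """Traditional PKWARE encryption: three 32-bit keys seeded from the password, one keystream byte per byte."""
    keys = [0x12345678, 0x23456789, 0x34567890]

    def crc_step(crc, byte):   # one table step of CRC-32, done through zlib's running-CRC interface
        return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

    def update(c):
        keys[0] = crc_step(keys[0], c)
        keys[1] = ((keys[1] + (keys[0] & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = crc_step(keys[2], keys[1] >> 24)

    def keystream_byte():
        k = keys[2] | 2
        return ((k * (k ^ 1)) >> 8) & 0xFF

    for b in pwd:
        update(b)
    header = bytes(range(11)) + bytes([check_byte])   # fixed prefix; byte 12 is what a reader verifies
    out = bytearray()
    for c in header + data:
        out.append(c ^ keystream_byte())
        update(c)
    return bytes(out)


def build_sample_blob() -> bytes:
    """Filler bytes followed by a ZIP holding two stored, ZipCrypto-protected placeholder members."""
    members = {"c.wnry": b"gx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;",
               "t.wnry": b"MZ" + b"\0" * 30}
    local, central, offset = b"", b"", 0
    for name, data in members.items():
        nm, crc = name.encode(), zlib.crc32(data)
        enc = _zipcrypto_encrypt(data, PASSWORD, crc >> 24)
        common = (1, 0, 0, 0, crc, len(enc), len(data), len(nm))     # flags=encrypted, method=stored
        lfh = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, *common, 0) + nm
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, *common, 0, 0, 0, 0, 0, offset) + nm
        local += lfh + enc
        offset += len(lfh) + len(enc)
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(members), len(members), len(central), len(local), 0)
    return b"\xCC" * 64 + local + central + eocd


if __name__ == "__main__":
    archive = carve_zip(build_sample_blob())
    for name, csize, usize, encrypted in list_entries(archive):
        print(f"{name:12} compressed={csize:6} uncompressed={usize:6} encrypted={encrypted}")
    print(extract_member(archive, "c.wnry", PASSWORD))
```

Against the real sample, replace build_sample_blob() with the bytes of the XIA resource (or simply the whole dropper file, since carve_zip skips to the first PK header); the compressed size of every encrypted member is 12 bytes larger than the ciphertext because of the ZipCrypto header, which is why t.wnry shows 65828 compressed versus 65816 uncompressed in the binwalk listing above.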

The decompressed module is loaded in memory and its exported function 'TaskStart' is resolved and called to begin the second stage of the infection:

push    offset Str1             ; "TaskStart"
push    eax                     ; int
call    LocateExportFunction

The Tor C2 addresses found in the binary (they end up in c.wnry) are:

gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion

These hidden services are reached through the bundled Tor client (taskhsvc.exe) for the payment check and the messaging feature of the decryptor. The private key that can release the files stays with the attackers: the per-victim RSA private key is encrypted with the attacker's embedded public key before it is written to disk. Encrypted victim files receive the .WNCRY extension, while the .wnry files are the dropper's own support files (ransom notes, configuration, Tor bundle), not victim data.
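The strings work in Step 3 and the C2 and payment addresses above are the raw material for a blocklist, and a common mistake is to ship a mis-transcribed Bitcoin address. As an added example (not from the original post), the stdlib-only script below pulls v2 .onion names and legacy Bitcoin addresses out of a strings dump and validates each Bitcoin candidate's Base58Check checksum (version byte + 20-byte hash + first four bytes of a double SHA-256), which rejects truncated or mistyped addresses before they go anywhere. The sample text is constructed from the strings on this page plus the well-known Bitcoin genesis-block address and a deliberately corrupted copy of it.

```python
"""Extract .onion and Bitcoin IOCs from a strings dump and Base58Check-validate the addresses.
Added example, not the original analysis' code; SAMPLE_STRINGS is constructed."""
import hashlib
import re

ONION_RE = re.compile(r"\b([a-z2-7]{16})\.onion\b")            # v2 hidden-service names: 16 base32 chars
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")      # legacy P2PKH/P2SH, no 0 O I l
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed sample: the c.wnry address list and the three payment addresses from the
# analysis above, the genesis-block address (valid), and the same address with its last
# character changed (checksum must fail), plus one unrelated string as noise.
SAMPLE_STRINGS = """\
gx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion;
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb
Microsoft Enhanced RSA and AES Cryptographic Provider
"""


def b58decode(s: str) -> bytes:
    """Base58 -> bytes; each leading '1' stands for a leading zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)          # ValueError on a character outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_btc_address(addr: str) -> bool:
    """Base58Check: 25 bytes = 1 version byte + 20-byte hash + 4-byte double-SHA256 checksum."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_iocs(text: str) -> dict:
    """Unique .onion names and every Bitcoin-looking token, each mapped to its checksum verdict."""
    onions = sorted({m.group(0) for m in ONION_RE.finditer(text)})
    bitcoin = {m.group(0): is_valid_btc_address(m.group(0)) for m in BTC_RE.finditer(text)}
    return {"onion": onions, "bitcoin": bitcoin}


if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_STRINGS)
    for name in iocs["onion"]:
        print("onion  ", name)
    for addr, ok in iocs["bitcoin"].items():
        print("bitcoin", addr, "checksum OK" if ok else "CHECKSUM FAILED")
```

The regular expressions only find candidates; the checksum is what separates a real address from a look-alike, which matters because a one-character transcription error in a blocklist silently protects nothing. Run the same function over the full strings output of the sample to get the list without retyping anything.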

(WannaCry File Targets. Image Source: SecureWorks)