Many researchers speculated the WannaCry authors to be Chinese speaking individuals Many security companies attributed nation-state actors to the Lazarus group. This group in the past was believed to have attacked Sony pictures and Bangladeshi banks. Initially, WannaCry demanded $300 for file recovery, but a kill switch domain registered saved many victims from being infected. This post will feature a complete analysis of WannaCryptor ransomware both from the dynamic and static point of view. The binary file of WannaCry ransomware is a very large file comparatively of another ransomware. Initial static analysis of binary file gives out the following cues:
Step 1. Dumping File Headers
Use the following command to dump PE headers: Dumpbin.exe ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa /HEADERS Microsoft (R) COFF/PE Dumper Version 10.00.30319.01 Copyright (C) Microsoft Corporation. All rights reserved. Dump of file ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa PE signature found File Type: EXECUTABLE IMAGE FILE HEADER VALUES 14C machine (x86) 4 number of sections 4CE78F41 time date stamp Sat Nov 20 14:35:05 2010 0 file pointer to symbol table 0 number of symbols E0 size of optional header 10F characteristics Relocations stripped Executable Line numbers stripped Symbols stripped 32-bit word machine OPTIONAL HEADER VALUES 10B magic # (PE32) 6.00 linker version 7000 size of code 352000 size of initialized data 0 size of uninitialized data 77BA entry point (004077BA) 1000 base of code 8000 base of data 400000 image base (00400000 to 00759FFF) 1000 section alignment 1000 file alignment 4.00 operating system version 0.00 image version 4.00 subsystem version 0 Win32 version 35A000 size of image 1000 size of headers 0 checksum 2 subsystem (Windows GUI) 0 DLL characteristics 100000 size of stack reserve 1000 size of stack commit 100000 size of heap reserve 1000 size of heap commit 0 loader flags 10 number of directories 0 [ 0] RVA [size] of Export Directory D5A8 [ 64] RVA [size] of Import Directory 10000 [ 349FA0] RVA [size] of Resource Directory 0 [ 0] RVA [size] of Exception Directory 0 [ 0] RVA [size] of Certificates Directory 0 [ 0] RVA [size] of Base Relocation Directory 0 [ 0] RVA [size] of Debug Directory 0 [ 0] RVA [size] of Architecture Directory 0 [ 0] RVA [size] of Global Pointer Directory 0 [ 0] RVA [size] of Thread Storage Directory 0 [ 0] RVA [size] of Load Configuration Directory 0 [ 0] RVA [size] of Bound Import Directory 8000 [ 1D8] RVA [size] of Import Address Table Directory 0 [ 0] RVA [size] of Delay Import Directory 0 [ 0] RVA [size] of COM Descriptor Directory 0 [ 0] RVA [size] of Reserved Directory It has around four sections — .data, .rdata, .rcsc, .text which would be discussed in detail later.
Step 2. View Sections using PEHeaven
PE Heaven(http://www.heaventools.com/overview.htm) is an awesome tool for manipulating PE file headers and data. Using PE Heaven, we can view out the Imports to get a general idea of what this file is doing From this data, it is quite evident that this binary file will eventually load another binary from its resources
Step 3. Dump Strings from binary
Basic Strings from binary also give out some initial information about how binary would perform when executed, the type of actions it would perform, and any type of cryptography it will use to encrypt files Some important strings from the sample admin@home ~ $ strings ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa inflate 1.1.3 Copyright 1995-1998 Mark Adler – unzip 0.15 Copyright 1998 Gilles Vollant Following strings are part of compression library ( which will be discussed in part II ) which will be used to decompress another executable out. Inflate and Unzip are the libraries used in WannaCry for decompression. Other important strings, which are used in encryption are: Microsoft Enhanced RSA and AES Cryptographic Provider CryptGenKey CryptDecrypt CryptEncrypt CryptDestroyKey CryptImportKey CryptAcquireContextA WannaCry uses Microsoft’s internal Cryptographic libraries to encrypt and decrypt files using RSA and AES algorithm. These functions are used to generate random keys for encryption and later supplied to attackers. There are some strings related to command line code and mutex names GlobalMsWinZonesCacheCounterMutexA tasksche.exe TaskStart t.wnry icacls . /grant Everyone:F /T /C /Q attrib +h . “icacls,” are Microsoft Windows native command line utilities capable of displaying and modifying the security descriptors on folders and files. An access control list is a list of permissions for securable objects, such as a file or folder, that controls who can access it. MsWinZonesCacheCounterMutexA is the name of the mutex used for system identification. Certain strings mention about the multilingual capability of WannaCry msg/m_bulgarian.wnry msg/m_chinese (simplified).wnry msg/m_chinese (traditional).wnry msg/m_croatian.wnry msg/m_czech.wnry msg/m_danish.wnry msg/m_dutch.wnry msg/m_english.wnry msg/m_filipino.wnry msg/m_finnish.wnry msg/m_french.wnry msg/m_german.wnry msg/m_greek.wnry msg/m_indonesian.wnry msg/m_italian.wnry msg/m_japanese.wnry msg/m_korean.wnry msg/m_latvian.wnry msg/m_norwegian.wnry msg/m_polish.wnry msg/m_portuguese.wnry msg/m_romanian.wnry msg/m_russian.wnry msg/m_slovak.wnry msg/m_spanish.wnry msg/m_swedish.wnry msg/m_turkish.wnry msg/m_vietnamese.wnry
Step 4. using binvis.io to view file entropy
Let’s now have a look at what the entropy of binary reveals Go to http://www.binvis.io to generate PE file entropy online
It is quite evident from entropy that the executable file is densely packed and would certainly consist of some important data to be compressed or decrypted from resource section . As resource section being the biggest section of all 2000 .data 6000 .rdata 34A000 .rsrc 7000 .text It also has a version information section which masquerades it as a file from Microsoft operation system Child Type: StringFileInfo Language/Code Page: 1033/1200 CompanyName: Microsoft Corporation FileDescription: DiskPart FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850) InternalName: diskpart.exe LegalCopyright: © Microsoft Corporation. All rights reserved. OriginalFilename: diskpart.exe ProductName: Microsoft® Windows® Operating System ProductVersion: 6.1.7601.17514 Child Type: VarFileInfo Translation: 1033/1200
Step 5. Checking resources using Resource Hacker
Load file ion resource hacker tool(http://www.angusj.com/resourcehacker/) . Which is used to manipulate and view PE resources looking at the resource section it reveals some extract information about type of data stored in this section .
Step 6. Extracting embedded data using Binwalk
It contains the signature ‘PK’ which are the initials of a zip compressed data binwalk -e ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa running binwalk on binary gives the following result DECIMAL HEXADECIMAL DESCRIPTION ——————————————————————————– 0 0x0 Microsoft portable executable 52811 0xCE4B Copyright string: ” 1995-1998 Mark Adler “ 65776 0x100F0 Zip encrypted archive data, at least v2.0 to extract, compressed size: 14164, uncompressed size: 1440054, name: “b.wnry” 79976 0x13868 Zip encrypted archive data, at least v2.0 to extract, compressed size: 177, uncompressed size: 780, name: “c.wnry” 80189 0x1393D Zip encrypted archive data, at least v2.0 to extract, compressed size: 9404, uncompressed size: 47879, name: “msg/m_bulgarian.wnry” 89643 0x15E2B Zip encrypted archive data, at least v2.0 to extract, compressed size: 11044, uncompressed size: 54359, name: “msg/m_chinese (simplified).wnry” 100748 0x1898C Zip encrypted archive data, at least v2.0 to extract, compressed size: 11633, uncompressed size: 79346, name: “msg/m_chinese (traditional).wnry” 112443 0x1B73B Zip encrypted archive data, at least v2.0 to extract, compressed size: 8905, uncompressed size: 39070, name: “msg/m_croatian.wnry” 121397 0x1DA35 Zip encrypted archive data, at least v2.0 to extract, compressed size: 9079, uncompressed size: 40512, name: “msg/m_czech.wnry” 130522 0x1FDDA Zip encrypted archive data, at least v2.0 to extract, compressed size: 8688, uncompressed size: 37045, name: “msg/m_danish.wnry” 139257 0x21FF9 Zip encrypted archive data, at least v2.0 to extract, compressed size: 8694, uncompressed size: 36987, name: “msg/m_dutch.wnry” 147997 0x2421D Zip encrypted archive data, at least v2.0 to extract, compressed size: 8700, uncompressed size: 36973, name: “msg/m_english.wnry” 156745 0x26449 Zip encrypted archive data, at least v2.0 to extract, compressed size: 8795, uncompressed size: 37580, name: “msg/m_filipino.wnry” 165589 0x286D5 Zip encrypted archive data, at least v2.0 to extract, compressed size: 8786, uncompressed size: 38377, name: “msg/m_finnish.wnry” 174423 0x2A957 Zip encrypted archive data, at least v2.0 to extract, compressed size: 8841, uncompressed size: 38437, name: “msg/m_french.wnry” 183311 0x2CC0F Zip encrypted archive data, at least v2.0 to extract, compressed size: 8787, uncompressed size: 37181, name: “msg/m_german.wnry” 192145 0x2EE91 Zip encrypted archive data, at least v2.0 to extract, compressed size: 9554, uncompressed size: 49044, name: “msg/m_greek.wnry” 201745 0x31411 Zip encrypted archive data, at least v2.0 to extract, compressed size: 8691, uncompressed size: 37196, name: “msg/m_indonesian.wnry” 210487 0x33637 Zip encrypted archive data, at least v2.0 to extract, compressed size: 8735, uncompressed size: 36883, name: “msg/m_italian.wnry” 219270 0x35886 Zip encrypted archive data, at least v2.0 to extract, compressed size: 11242, uncompressed size: 81844, name: “msg/m_japanese.wnry” 230561 0x384A1 Zip encrypted archive data, at least v2.0 to extract, compressed size: 11209, uncompressed size: 91501, name: “msg/m_korean.wnry” 241817 0x3B099 Zip encrypted archive data, at least v2.0 to extract, compressed size: 9023, uncompressed size: 41169, name: “msg/m_latvian.wnry” 250888 0x3D408 Zip encrypted archive data, at least v2.0 to extract, compressed size: 8707, uncompressed size: 37577, name: “msg/m_norwegian.wnry” 259645 0x3F63D Zip encrypted archive data, at least v2.0 to extract, compressed size: 8950, uncompressed size: 39896, name: “msg/m_polish.wnry” 268642 0x41962 Zip encrypted archive data, at least v2.0 to extract, compressed size: 8752, uncompressed size: 37917, name: “msg/m_portuguese.wnry” 277445 0x43BC5 Zip encrypted archive data, at least v2.0 to extract, compressed size: 9499, uncompressed size: 52161, name: “msg/m_romanian.wnry” 286993 0x46111 Zip encrypted archive data, at least v2.0 to extract, compressed size: 9419, uncompressed size: 47108, name: “msg/m_russian.wnry” 296460 0x4860C Zip encrypted archive data, at least v2.0 to extract, compressed size: 9124, uncompressed size: 41391, name: “msg/m_slovak.wnry” 305631 0x4A9DF Zip encrypted archive data, at least v2.0 to extract, compressed size: 8727, uncompressed size: 37381, name: “msg/m_spanish.wnry” 314406 0x4CC26 Zip encrypted archive data, at least v2.0 to extract, compressed size: 8771, uncompressed size: 38483, name: “msg/m_swedish.wnry” 323225 0x4EE99 Zip encrypted archive data, at least v2.0 to extract, compressed size: 9084, uncompressed size: 42582, name: “msg/m_turkish.wnry” 332357 0x51245 Zip encrypted archive data, at least v2.0 to extract, compressed size: 11224, uncompressed size: 93778, name: “msg/m_vietnamese.wnry” 343632 0x53E50 Zip encrypted archive data, at least v2.0 to extract, compressed size: 484, uncompressed size: 864, name: “r.wnry” 344152 0x54058 Zip encrypted archive data, at least v2.0 to extract, compressed size: 3009375, uncompressed size: 3038286, name: “s.wnry” 3353563 0x332BDB Zip encrypted archive data, at least v2.0 to extract, compressed size: 65828, uncompressed size: 65816, name: “t.wnry” 3419427 0x342D23 Zip encrypted archive data, at least v2.0 to extract, compressed size: 3457, uncompressed size: 20480, name: “taskdl.exe” 3422924 0x343ACC Zip encrypted archive data, at least v2.0 to extract, compressed size: 2555, uncompressed size: 20480, name: “taskse.exe” 3425519 0x3444EF Zip encrypted archive data, at least v2.0 to extract, compressed size: 82980, uncompressed size: 245760, name: “u.wnry” 3509363 0x358C73 LZMA compressed data, properties: 0x90, dictionary size: 1048576 bytes, uncompressed size: 36 bytes 3509960 0x358EC8 LZMA compressed data, properties: 0xBF, dictionary size: 1048576 bytes, uncompressed size: 36 bytes 3512079 0x35970F End of Zip archive
Step 7. Submitting PE file for dynamic analysis
(From https://www.hybrid-analysis.com) Upload your file on https://www.hybrid-analysis.com
Contains a remote desktop related string Reads terminal service related keys (often RDP related) Uses network protocols on unusual ports Deletes volume snapshots (often used by ransomware) Detected indicator that file is ransomware Disables startup repair Grants permissions using icacls (DACL modification) Modifies auto-execute functionality by setting/creating a value in the registry Spawns a lot of processes Tries to suppress failures during boot (often used to hide system changes) Found a dropped file containing the Windows username (possible fingerprint attempt) Reads system information using Windows Management Instrumentation Command-line (WMIC) Reads the active computer name Reads the cryptographic machine GUID Opens the MountPointManager (often used to detect additional infection locations) Contacts 14 hosts. Hybrid-analysis sandbox was successfully able to detect this is a ransomware Trojan. It presents us with a screen-shot of desktop after file was successfully executed in a controlled environment
This presents out display background of ransomware after it has infected a victim and is asking for a ransom. Another section which gives out the flow of execution help in determining following events
Install path Commands executed Registry keys created
This image shows where the registry run key was created, which CMD.exe commands were executed and other exes were run. The network analysis section gives out details about any network traffic generated by WannaCry.
171.25.193.9 TCP taskhsvc.exe PID: 3936 Sweden we can further download any extracted files or executed files during the runtime of WannaCry.
Step 8. Setting up debugging environment
Download Binary-Ninja Load the binary file in binary ninja
Dynamic analysis can be instrumental in determining the runtime behavior of a ransomware sample, but to deep dive static analysis is needed. Static code analysis would help us determine the behavior of WannaCry and any specific technical details which cover, but not limited to technical details
Packers and obfuscation 2: Encryption keys and Encryption algorithms Hidden functionality Kill switches relevant to WannaCry
Binary ninja (https://binary.ninja/) is a machine code static analysis tool like IDA. We will be using Binary ninja to perform static code analysis on WannaCry sample if we open WannaCry sample in binaryninja, we come to know that WannaCry has been written in Visual C++. PEiD can also be used to determine if any packers have been used.
Step 9. Loading a file in PEiD for compiler detection
Download PEiD 0.95 Load the binary file by clicking on … button Check the output results
WannaCry sets up a display name which will be used as an installer file name if the number of arguments is more than 2, which means it has already been copied it skips this step and stars executing other parts of the code.
the file gets copied in %programdata% lea eax, [ebp+Buffer] push eax ; Format lea eax, [ebp+String] push offset aSIntel ; “%sIntel” push eax ; String call edi ; swprintf push [ebp+arg_0] ; String lea eax, [ebp+WideCharStr] push eax ; lpFileName lea eax, [ebp+String] push eax ; lpPathName call CreateDirectory add esp, 18h test eax, eax After this step, it creates a window service and starts the service loc_401D45: push [ebp+arg_0] lea eax, [ebp+Dest] ; filename push offset Format ; “cmd.exe /c “%s”” push eax ; Dest call ds:sprintf add esp, 0Ch lea eax, [ebp+Dest] push edi ; lpPassword push edi ; lpServiceStartName push edi ; lpDependencies push edi ; lpdwTagId push edi ; lpLoadOrderGroup push eax ; lpBinaryPathName push 1 ; dwErrorControl push 2 ; dwStartType push 10h ; dwServiceType push ebx ; dwDesiredAccess push esi ; lpDisplayName push esi ; lpServiceName push [ebp+hSCManager] ; hSCManager call ds:CreateServiceA A configuration file named c.wnry is written which contains configuration used to connect to command and control servers which includes tor addresses and Bitcoin addresses for payment. push 1 ; read push eax ; DstBuf mov [ebp+Source], offset a13am4vw2dhxygx ; “13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94” mov [ebp+var_8], offset a12t9ydpgwuez9n ; “12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw” mov [ebp+var_4], offset a115p7ummngoj1p ; “115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn” call WriteConfigurationFile pop ecx test eax, eax pop ecx jz short locret_401EFD Meanwhile, a resource is loaded which will be later decompressed and will eventually contain “tasksche.exe” binary resource push ebp mov ebp, esp sub esp, 12Ch push esi push edi push offset Type ; “XIA” push 80Ah ; lpName push [ebp+hModule] ; hModule call ds:FindResourceA New service will be named as “Microsoft Security Center (2.0) Service”. This resource buffer is ZIP decompressed using ‘WNcry@2ol7‘ password mov [esp+6F4h+Str], offset Str ; “WNcry@2ol7” push ebx ; hModule call Decompress Module is loaded in-memory and a function ‘TaskStart ‘ is called to begin the second stage of infection push offset Str1 ; “TaskStart” push eax ; int call LocateExportFunction List of TOR c2 servers found in the binary are: gx7ekbenv2riucmf.onion; 57g7spgrzlojinas.onion; xxlvbrloxvriy2c5.onion; 76jdd2ir2embyv47.onion; cwwnhwhlz52maqm7.onion; These servers are contacted to supply private key used to encrypts files. Files are saved in ‘wnry’ format.
(WannaCry File Targets. Image Source: SecureWorks)
