Monday 11 December 2017

WannaCryptor Analysis

WannaCryptor was a global ransomware outbreak which created chaos on 12 May 2017. Initially, it propagated using the EternalBlue exploit released by the Shadow Brokers.

Many researchers speculated that the WannaCry authors were Chinese-speaking individuals.

Many security companies attributed the attack to nation-state actors, namely the Lazarus group. This group was previously believed to have attacked Sony Pictures and Bangladeshi banks.

Initially, WannaCry demanded $300 for file recovery, but the registration of a kill-switch domain saved many potential victims from being infected.

This post will feature a complete analysis of WannaCryptor ransomware both from the dynamic and static point of view.

Binary file overview

The WannaCry binary is very large compared with other ransomware. Initial static analysis of the binary gives the following cues:

Step 1. Dumping File Headers

Use the following command to dump the PE headers:

Dumpbin.exe ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa /HEADERS

Microsoft (R) COFF/PE Dumper Version 10.00.30319.01
Copyright (C) Microsoft Corporation. All rights reserved.

Dump of file ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

PE signature found

File Type: EXECUTABLE IMAGE

FILE HEADER VALUES
             14C machine (x86)
               4 number of sections
        4CE78F41 time date stamp Sat Nov 20 14:35:05 2010
               0 file pointer to symbol table
               0 number of symbols
              E0 size of optional header
             10F characteristics
                   Relocations stripped
                   Executable
                   Line numbers stripped
                   Symbols stripped
                   32-bit word machine

OPTIONAL HEADER VALUES
             10B magic # (PE32)
            6.00 linker version
            7000 size of code
          352000 size of initialized data
               0 size of uninitialized data
            77BA entry point (004077BA)
            1000 base of code
            8000 base of data
          400000 image base (00400000 to 00759FFF)
            1000 section alignment
            1000 file alignment
            4.00 operating system version
            0.00 image version
            4.00 subsystem version
               0 Win32 version
          35A000 size of image
            1000 size of headers
               0 checksum
               2 subsystem (Windows GUI)
               0 DLL characteristics
          100000 size of stack reserve
            1000 size of stack commit
          100000 size of heap reserve
            1000 size of heap commit
               0 loader flags
              10 number of directories
               0 [       0] RVA [size] of Export Directory
            D5A8 [      64] RVA [size] of Import Directory
           10000 [  349FA0] RVA [size] of Resource Directory
               0 [       0] RVA [size] of Exception Directory
               0 [       0] RVA [size] of Certificates Directory
               0 [       0] RVA [size] of Base Relocation Directory
               0 [       0] RVA [size] of Debug Directory
               0 [       0] RVA [size] of Architecture Directory
               0 [       0] RVA [size] of Global Pointer Directory
               0 [       0] RVA [size] of Thread Storage Directory
               0 [       0] RVA [size] of Load Configuration Directory
               0 [       0] RVA [size] of Bound Import Directory
            8000 [     1D8] RVA [size] of Import Address Table Directory
               0 [       0] RVA [size] of Delay Import Directory
               0 [       0] RVA [size] of COM Descriptor Directory
               0 [       0] RVA [size] of Reserved Directory

It has four sections (.data, .rdata, .rsrc and .text), which will be discussed in detail later.
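The same header fields dumpbin printed can be pulled out with a few lines of struct parsing. The block below is an added example, not code from the original post: it constructs a minimal PE header carrying the values from the dump above (the section layout is an assumption inferred from the RVAs and the section sizes listed later in the post) and parses it back, recording the link timestamp in UTC, whereas dumpbin prints it in the analyst's local time zone.

```python
import struct
from datetime import datetime, timezone

def build_sample_pe():
    """Construct a minimal PE image header: MZ stub, PE signature, COFF header, 4 sections."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)   # e_lfanew lives at offset 0x3C
    dos += b"\0" * (e_lfanew - len(dos))
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (values taken from the dump)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 4, 0x4CE78F41, 0, 0, 0xE0, 0x10F)
    # IMAGE_OPTIONAL_HEADER32 (0xE0 bytes): Magic, linker 6.00, SizeOfCode,
    # SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint; rest zero-filled
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, 0x7000, 0x352000, 0, 0x77BA)
    opt += b"\0" * (0xE0 - len(opt))
    # Assumed section layout: code at 0x1000, data at 0x8000, resources at 0x10000,
    # with the section sizes the post lists below (an inference, not taken from the sample)
    layout = ((b".text", 0x7000, 0x1000), (b".rdata", 0x6000, 0x8000),
              (b".data", 0x2000, 0xE000), (b".rsrc", 0x34A000, 0x10000))
    sections = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, 0)
                        for n, vs, va in layout)
    return dos + b"PE\0\0" + file_hdr + opt + sections

def parse_pe(data):
    """Return the COFF header fields and section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsec, ts, _, _, optsize, chars = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20
    entry = struct.unpack_from("<I", data, opt + 16)[0]     # AddressOfEntryPoint
    sec_off = opt + optsize
    sections = []
    for i in range(nsec):
        name, vsize, va = struct.unpack_from("<8sII", data, sec_off + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize))
    return {
        "machine": machine, "entry_point": entry, "sections": sections,
        "relocs_stripped": bool(chars & 0x1),     # IMAGE_FILE_RELOCS_STRIPPED
        # dumpbin shows local time (14:35:05 above); UTC is the value worth recording
        "timestamp_utc": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
    }

if __name__ == "__main__":
    for field, value in parse_pe(build_sample_pe()).items():
        print(field, value)
```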

Step 2. View Sections using PE Heaven

PE Heaven (http://www.heaventools.com/overview.htm) is an awesome tool for viewing and manipulating PE file headers and data. Using PE Heaven, we can view the imports to get a general idea of what this file is doing.

From this data, it is quite evident that this binary will eventually load another binary from its resources.

Step 3. Dump Strings from binary

Basic strings from the binary also give some initial information about how it will behave when executed, the type of actions it will perform, and the type of cryptography it will use to encrypt files.

Some important strings from the sample:

admin@home ~ $ strings ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

inflate 1.1.3 Copyright 1995-1998 Mark Adler
- unzip 0.15 Copyright 1998 Gilles Vollant

These strings belong to a compression library (which will be discussed in part II) that is used to decompress another executable. Inflate and unzip are the libraries WannaCry uses for decompression.

Other important strings, which are used for encryption, are:

Microsoft Enhanced RSA and AES Cryptographic Provider
CryptGenKey
CryptDecrypt
CryptEncrypt
CryptDestroyKey
CryptImportKey
CryptAcquireContextA

WannaCry uses Microsoft's built-in cryptographic libraries to encrypt and decrypt files with the RSA and AES algorithms. These functions are used to generate random keys for encryption, which are later supplied to the attackers.

There are also some strings related to command-line code and mutex names:

Global\MsWinZonesCacheCounterMutexA
tasksche.exe
TaskStart
t.wnry
icacls . /grant Everyone:F /T /C /Q
attrib +h .

icacls is a native Windows command-line utility capable of displaying and modifying the security descriptors of folders and files. An access control list is a list of permissions for securable objects, such as a file or folder, that controls who can access them. The command above grants Everyone full control of the current directory and everything beneath it, and attrib +h then hides that directory.

MsWinZonesCacheCounterMutexA is the name of the mutex used for system identification.

Certain strings reveal the multilingual capability of WannaCry:

msg/m_bulgarian.wnry
msg/m_chinese (simplified).wnry
msg/m_chinese (traditional).wnry
msg/m_croatian.wnry
msg/m_czech.wnry
msg/m_danish.wnry
msg/m_dutch.wnry
msg/m_english.wnry
msg/m_filipino.wnry
msg/m_finnish.wnry
msg/m_french.wnry
msg/m_german.wnry
msg/m_greek.wnry
msg/m_indonesian.wnry
msg/m_italian.wnry
msg/m_japanese.wnry
msg/m_korean.wnry
msg/m_latvian.wnry
msg/m_norwegian.wnry
msg/m_polish.wnry
msg/m_portuguese.wnry
msg/m_romanian.wnry
msg/m_russian.wnry
msg/m_slovak.wnry
msg/m_spanish.wnry
msg/m_swedish.wnry
msg/m_turkish.wnry
msg/m_vietnamese.wnry

Step 4. Using binvis.io to view file entropy

Let's now have a look at what the entropy of the binary reveals.

Go to http://www.binvis.io to generate the PE file entropy online.

It is quite evident from the entropy that the executable is densely packed and certainly contains important data to be decompressed or decrypted from the resource section, which is by far the biggest section of all:

2000   .data
6000   .rdata
34A000 .rsrc
7000   .text
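What binvis.io paints as a dense region is Shannon entropy measured over the bytes. As an added example (not part of the original post), the block below computes entropy per fixed-size window and flags the windows that look compressed or encrypted; the input is synthetic, with a text region standing in for code and strings and a uniform-byte region standing in for a packed resource, not bytes from the sample.

```python
import math
from collections import Counter

def shannon_entropy(buf):
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def high_entropy_windows(data, window=4096, threshold=7.0):
    """Return (offset, entropy) for each window scoring above the threshold.
    Compressed, encrypted or packed data usually lands above ~7 bits/byte, while
    code and readable strings sit well below it."""
    hits = []
    for off in range(0, len(data), window):
        h = shannon_entropy(data[off:off + window])
        if h > threshold:
            hits.append((off, round(h, 2)))
    return hits

# Constructed input: 8 KiB of plain text followed by 16 KiB in which every byte value
# occurs equally often. Synthetic data, not bytes from the WannaCry sample.
SAMPLE = (b"This program cannot be run in DOS mode.\r\n" * 200)[:8192]
SAMPLE += bytes(range(256)) * 64

if __name__ == "__main__":
    print(high_entropy_windows(SAMPLE))   # windows from offset 8192 onward score 8.0
```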

It also has a version information section which masquerades it as a file from the Microsoft operating system:

Child Type: StringFileInfo
Language/Code Page: 1033/1200
CompanyName: Microsoft Corporation
FileDescription: DiskPart
FileVersion: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
InternalName: diskpart.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFilename: diskpart.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.1.7601.17514

Child Type: VarFileInfo
Translation: 1033/1200

Step 5. Checking resources using Resource Hacker

Load the file in the Resource Hacker tool (http://www.angusj.com/resourcehacker/), which is used to view and manipulate PE resources. Looking at the resource section reveals some extra information about the type of data stored there.

Step 6. Extracting embedded data using Binwalk

It contains the signature 'PK', which are the initial bytes of zip-compressed data.

binwalk -e ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Running binwalk on the binary gives the following result:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Microsoft portable executable
52811         0xCE4B          Copyright string: "1995-1998 Mark Adler"
65776         0x100F0         Zip encrypted archive data, at least v2.0 to extract, compressed size: 14164, uncompressed size: 1440054, name: "b.wnry"
79976         0x13868         Zip encrypted archive data, at least v2.0 to extract, compressed size: 177, uncompressed size: 780, name: "c.wnry"
80189         0x1393D         Zip encrypted archive data, at least v2.0 to extract, compressed size: 9404, uncompressed size: 47879, name: "msg/m_bulgarian.wnry"
89643         0x15E2B         Zip encrypted archive data, at least v2.0 to extract, compressed size: 11044, uncompressed size: 54359, name: "msg/m_chinese (simplified).wnry"
100748        0x1898C         Zip encrypted archive data, at least v2.0 to extract, compressed size: 11633, uncompressed size: 79346, name: "msg/m_chinese (traditional).wnry"
112443        0x1B73B         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8905, uncompressed size: 39070, name: "msg/m_croatian.wnry"
121397        0x1DA35         Zip encrypted archive data, at least v2.0 to extract, compressed size: 9079, uncompressed size: 40512, name: "msg/m_czech.wnry"
130522        0x1FDDA         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8688, uncompressed size: 37045, name: "msg/m_danish.wnry"
139257        0x21FF9         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8694, uncompressed size: 36987, name: "msg/m_dutch.wnry"
147997        0x2421D         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8700, uncompressed size: 36973, name: "msg/m_english.wnry"
156745        0x26449         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8795, uncompressed size: 37580, name: "msg/m_filipino.wnry"
165589        0x286D5         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8786, uncompressed size: 38377, name: "msg/m_finnish.wnry"
174423        0x2A957         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8841, uncompressed size: 38437, name: "msg/m_french.wnry"
183311        0x2CC0F         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8787, uncompressed size: 37181, name: "msg/m_german.wnry"
192145        0x2EE91         Zip encrypted archive data, at least v2.0 to extract, compressed size: 9554, uncompressed size: 49044, name: "msg/m_greek.wnry"
201745        0x31411         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8691, uncompressed size: 37196, name: "msg/m_indonesian.wnry"
210487        0x33637         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8735, uncompressed size: 36883, name: "msg/m_italian.wnry"
219270        0x35886         Zip encrypted archive data, at least v2.0 to extract, compressed size: 11242, uncompressed size: 81844, name: "msg/m_japanese.wnry"
230561        0x384A1         Zip encrypted archive data, at least v2.0 to extract, compressed size: 11209, uncompressed size: 91501, name: "msg/m_korean.wnry"
241817        0x3B099         Zip encrypted archive data, at least v2.0 to extract, compressed size: 9023, uncompressed size: 41169, name: "msg/m_latvian.wnry"
250888        0x3D408         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8707, uncompressed size: 37577, name: "msg/m_norwegian.wnry"
259645        0x3F63D         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8950, uncompressed size: 39896, name: "msg/m_polish.wnry"
268642        0x41962         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8752, uncompressed size: 37917, name: "msg/m_portuguese.wnry"
277445        0x43BC5         Zip encrypted archive data, at least v2.0 to extract, compressed size: 9499, uncompressed size: 52161, name: "msg/m_romanian.wnry"
286993        0x46111         Zip encrypted archive data, at least v2.0 to extract, compressed size: 9419, uncompressed size: 47108, name: "msg/m_russian.wnry"
296460        0x4860C         Zip encrypted archive data, at least v2.0 to extract, compressed size: 9124, uncompressed size: 41391, name: "msg/m_slovak.wnry"
305631        0x4A9DF         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8727, uncompressed size: 37381, name: "msg/m_spanish.wnry"
314406        0x4CC26         Zip encrypted archive data, at least v2.0 to extract, compressed size: 8771, uncompressed size: 38483, name: "msg/m_swedish.wnry"
323225        0x4EE99         Zip encrypted archive data, at least v2.0 to extract, compressed size: 9084, uncompressed size: 42582, name: "msg/m_turkish.wnry"
332357        0x51245         Zip encrypted archive data, at least v2.0 to extract, compressed size: 11224, uncompressed size: 93778, name: "msg/m_vietnamese.wnry"
343632        0x53E50         Zip encrypted archive data, at least v2.0 to extract, compressed size: 484, uncompressed size: 864, name: "r.wnry"
344152        0x54058         Zip encrypted archive data, at least v2.0 to extract, compressed size: 3009375, uncompressed size: 3038286, name: "s.wnry"
3353563       0x332BDB        Zip encrypted archive data, at least v2.0 to extract, compressed size: 65828, uncompressed size: 65816, name: "t.wnry"
3419427       0x342D23        Zip encrypted archive data, at least v2.0 to extract, compressed size: 3457, uncompressed size: 20480, name: "taskdl.exe"
3422924       0x343ACC        Zip encrypted archive data, at least v2.0 to extract, compressed size: 2555, uncompressed size: 20480, name: "taskse.exe"
3425519       0x3444EF        Zip encrypted archive data, at least v2.0 to extract, compressed size: 82980, uncompressed size: 245760, name: "u.wnry"
3509363       0x358C73        LZMA compressed data, properties: 0x90, dictionary size: 1048576 bytes, uncompressed size: 36 bytes
3509960       0x358EC8        LZMA compressed data, properties: 0xBF, dictionary size: 1048576 bytes, uncompressed size: 36 bytes
3512079       0x35970F        End of Zip archive
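Every "Zip encrypted archive data" line above comes from a 30-byte ZIP local file header that starts with the 'PK' signature: the version-needed field gives "at least v2.0", general-purpose flag bit 0 gives "encrypted", and the two size fields and the name follow. The scanner below is an added example, not code from the original post; it walks a buffer constructed here with the b.wnry and c.wnry sizes from the listing (the payload bytes are filler, not the real resource data) and reports the same fields.

```python
import struct

LOCAL_HDR = b"PK\x03\x04"     # local file header signature, the "PK" seen in the resource
LOCAL_FMT = "<4sHHHHHIIIHH"   # signature .. crc32, sizes, name length, extra length (30 bytes)

def build_local_header(name, comp_size, uncomp_size, encrypted=True):
    """Construct a ZIP local file header plus filler payload (test data, not real content)."""
    flags = 0x1 if encrypted else 0   # general-purpose bit 0 = traditional PKWARE encryption
    hdr = struct.pack(LOCAL_FMT, LOCAL_HDR, 20, flags, 8, 0, 0,
                      0, comp_size, uncomp_size, len(name), 0)
    return hdr + name + b"\xAA" * comp_size

def scan_zip_entries(data):
    """Find every local file header in a buffer and decode the fields binwalk reports."""
    entries, pos = [], 0
    while (pos := data.find(LOCAL_HDR, pos)) >= 0:
        (_, version, flags, method, _, _, _crc, csize, usize,
         nlen, xlen) = struct.unpack_from(LOCAL_FMT, data, pos)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        entries.append({
            "offset": pos, "name": name,
            "version_needed": version / 10,   # 20 -> "at least v2.0 to extract"
            "encrypted": bool(flags & 0x1),
            "method": method,                 # 8 = deflate, what the inflate code undoes
            "compressed_size": csize, "uncompressed_size": usize,
        })
        # Resume after header, name, extra field and payload. When bit 3 (data descriptor)
        # is set the sizes are zero, so scanning simply continues from the end of the name.
        pos += 30 + nlen + xlen + csize
    return entries

# Constructed buffer: a fake 0x102-byte stub followed by two entries carrying the b.wnry
# and c.wnry sizes from the binwalk listing above. Payload bytes are filler.
SAMPLE = (b"MZ" + b"\0" * 0x100
          + build_local_header(b"b.wnry", 14164, 1440054)
          + build_local_header(b"c.wnry", 177, 780))

if __name__ == "__main__":
    for e in scan_zip_entries(SAMPLE):
        print(f'{e["offset"]:<10}{e["offset"]:<10#x}encrypted={e["encrypted"]}, '
              f'compressed size: {e["compressed_size"]}, uncompressed size: '
              f'{e["uncompressed_size"]}, name: "{e["name"]}"')
```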

Anastasis Vasileiadis
