Dissecting WannaCry Ransomware To It’s Core – Technical Analysis

WannaCry Decrypter

Hi readers! This is probably going to be my first technical post regarding the deep analysis of any malware sample. If you would have followed my blog then you must be aware that most of my posts include building concepts related to malware analysis. However, I decided to take a break from that for a while and thought of having a little fun analyzing a malware sample. So, the sample which we will be analyzing today is the famous ransomware called – WannaCry.

Most of us had already heard about the WannaCry ransomware which created havoc back in 2017 and had crippled many organizations’ services by infecting their systems around the world. There was a huge outcry until the later became “accidentally famous” malware researcher Marcus Hutchins slowed down the infection rate by actually registering the killswitch URL. The purpose of the killswitch URL in the code is still unknown to the researchers and the malware will continue to infect the systems as long as the domain remains unregistered encrypting the entire hard drive and locking it down.

The WannaCrypt ransomware was basically having 3 components that helps in carrying out the attack. Below are the components with their hash values:

Dropper – 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
Encrypter – ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Decrypter – b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

Static Analysis

Before proceeding with the code analysis I wanted to have a look at the metadata of the file as this gives out a lot of valuable information which can be beneficial in the later analysis. I always prefer to first look at the strings before deeply analyzing any malware sample. Some of the interesting strings that I found during analysis are mentioned below:

  • Windows 2000 2195
  • Windows 2000 5.0
  • \\172.16.99.5\IPC$
  • Windows 2000 2195
  • Windows 2000 5.0
  • Microsoft Base Cryptographic Provider v1.0
  • %s -m security
  • C:\%s\qeriuwjhrf
  • C:\%s\%s
  • tasksche.exe
  • hxxp://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
  • WanaCrypt0r
  • msg/m_greek.wnry
  • msg/m_indonesian.wnry
  • msg/m_italian.wnry
  • msg/m_japanese.wnry
  • msg/m_korean.wnry
  • msg/m_latvian.wnry
  • msg/m_norwegian.wnry
  • msg/m_polish.wnry
  • msg/m_portuguese.wnry
  • mssecsvc.exe
  • cmd.exe /c “%s”
  • tasksche.exe
  • t.wnry
  • icacls . /grant Everyone:F /T /C /Q
  • attrib +h .
  • [email protected]

I quickly navigated to my isolated machine FlareVM, and with the help of a tool called PEiD I found out that the dropper is compiled with Microsoft Visual C++ and is having a Windows 32-bit subsystem. So, our sample here is not packed.

Moving ahead and identifying what interesting information we can get from the headers of our sample file we can use a tool called PEStudio which gave us pretty interesting information about the headers and metadata of sample. There were a couple of interesting things to note though. We can see that the sample is imitating as a legitimate Microsoft Disk Defragmenter file from Microsoft but the actual filename is specified as lhdfrgui.exe.

Another interesting thing to note is the Resource section of the sample. Malware authors basically hide their extra executables in the resource section. And this is what we found here in this sample. The name of the resource is 1831 and can be confirmed that it is an executable file by looking at the first-byte-text field column which is MZ in ASCII.

Read More: https://tech-zealots.com/malware-analysis/pe-portable-executable-structure-malware-analysis-part-2/

With extra executable embedded in the resource section, we can assume that it will be dropped later during the execution of malware and more evil things will be done to the system.

Dropper Analysis

When the WannaCry dropper is executed, it first makes an attempt to connect to the domain http://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com and checks whether a domain is registered and successful connection to the domain is made or not. If the connection is successful the malware terminates itself. And if the connection to the domain fails then it proceeds with infecting the targeted system. The dropper does this by checking several arguments being passed to the API calls and if it hits the ZF=0 then it proceeds with the initial infection. The important point to note here is how the malware opens a connection to access the Internet. dwAccessType set to 1 means it should bypass any proxy that is configured to access the Internet. So, any machine which is only allowed to communicate to the internet through a proxy will also affect those systems if it hits by a WannaCry.

The malware then checks for 2 arguments “-m security” before proceeding to which step to take further. This is because if the malware is launched for the very first time on an infected machine then it goes ahead with creating a new service called mssecsvc2.0 with the two command-line arguments mentioned above. But if it is started without the arguments, as it was already started earlier, then it skips the service creation step and goes ahead with the propagating to the network by exploiting SMB vulnerability which we will be seeing later in this post.

Next, on the way to performing its initial infection, the malware identifies the name of the target machine and opens up a Service Control Manager and creates a service named “mssecsvc2.0” having a display name as “Microsoft Security Center (2.0) Service” and finally starts a service.

The dropper then locates the embedded resource named R1831, which we saw earlier during static analysis, loads it into memory and writes the contents of that resource to a file at C:\Windows\tasksche.exe and moves the contents of that file to a new file C:\Windows\qeriuwjhrf if it already exists. If it doesn’t exist then it simply copies the contents to C:\Windows\qeriuwjhrf.

The file tasksche.exe is basically an encrypter that starts encrypting the files in the backend as soon as it is launched. We will be analyzing this file in the later module of this post.

The newly created file is then dropped to the specified location and is launched by calling CreateProcessA. The file being launched is a console application that will run without any window being seen to the user.

Malware Propagation – SMB Vuln Exploitation

WannaCry also tries to propagate to the network by actually exploiting the SMB EternalBlue vulnerability. The exploit used is the DoublePulsar which was initially developed by the NSA and was later leaked by a hacking group called Shadow Brokers. Here, we will take a look at how the WannaCry leverages the vulnerability to exploit it and propagates to the network like a worm.

The WannaCry dropper, if executed without the command line arguments which we saw earlier in this post that malware was checking, will try to propagate to the network which it does by opening the service “mssecsvc2.0” having the full access permissions, changes the service configuration by calling the ChangeServiceConfig2A function and later calls the StartServiceCtrlDispatcherA function.

StartServiceCtrlDispatcherA starts the control dispatcher thread. The dispatcher thread returns whenever there’s an error and when all the processes have been terminated. Below code registers the Service Control Handler and starts up a thread that contains the exploit payload.

The malware spreads by setting up a Windows sockets API and uses Windows default Cryptography Service Provider (CSP) “Microsoft Base Cryptographic Provider 1.0” to generate a crypto algorithm which is later used to generate random numbers by calling CryptGenRandom function.

WannaCry_Crpt_Algorithm
WannaCry Generate Random

Below is the image which initiates the thread containing the payload to transfer to other machines and for this malware calls the GetAdaptersInfo function on the local machine to get the IPs located inside the function named _LAN_config. I probably should have renamed this function as something more understandable. Lol.

The below code contains a call to the _getAdaptersInfo which contains information about the network adapter on the machine and one of the members IpAddressList provides the list of the IP addresses associated with the particular network adapter. So, the malware after enumerating a network adapter on the system and identifying their respective IP addresses on a network, starts a thread and attempts to connect to the IP on port 445 and attempts to exploit an SMB vulnerability. Kindly, refer to the Microsoft’s security bulletin MS17-010 for more info. on the vulnerability.

I realized this post got bigger than expected. So I will be continuing analyzing the encrypter module probably in the next post. Stay tuned!!