WannaCry Ransomware
Analysis of WannaCry Ransomware.
In this blog, we will taking a look at the analysis of the infamous WannaCry Ransomware and how it infects and encrypt files of a victim machine.
Lab Overview
Lab Overview
Before we begin, lets take a look at the malware analysis lab network
The ransomware sample will be executed inside FlareVM.
Remnux will act as a fake internet server.
Static Analysis
Static Analysis
Here is what aftermath looks like after detonating the WannaCry Ransomware.
Rever the Flare-VM back to the original state prior to detonation.
Strings and PE Studio
Checking the strings of the binary using Floss
After checking the output, I've found some interesting findings.
There is a token like %s which indicates a path, we'll examine this later.
There is usefull http endpoint, we'll note it for further research// Some code
Cmd.exe is being called.
Task scheduler is being initiated.
Icacls is granting access to everyone on the current working directory.
The “attrib +h” means directories are made hidden.
Checking the executable inside PE Studio.
Clear indication that this binary consists of three other executables inside it.
InetSim Inversion
It is observed that the malware will not start the it's execution if it successfully connects with the URL.
Which means that whenever InetSim is running and loopbacks the above URL with a 200 response, the malware. This is actually one of anti-analysis techniques used by various malware to detect if the malware is being executed inside a sandbox environment to prevent itself from being executed, in the example considering the weird unrealistic name of the URL domain.
Below is the visual representation of the scenario.
So when we turn off the Inetsim inside remnux, the malware will be executed successfully.
TCPView
Taking a look at the traffic that is generated on the endpoint using TCPView.
The malware is trying to make connection to a remote host on port 445 on remote host, ip addresses are auto-generated because of the sandbox environment.
If we recall, the initial point of exploitation of WannCry is that is uses the EternelBlue exploit i.e MS17-010 which is a vulnerability in the Microsoft implementation of the Server Message Block (SMB) Protocol which leads to remote code execution. We will take a look at how WannaCry exploit this vulnerability is some later blog.
Process Monitoring
Let's take a look at the process that the malware creating while executing. For this, use Process Monitor and apply the filter as follows -
Then click on apply and detonate the malware.
It creates a huge number of processes. If we scroll down and look carefully we'll find some interesting findings.
An interesting tasksche.exe is been created, if we follow the process tree we can take good look at it.
It is running a command line argument
After researching a bit it is observed that this binary is used by WannaCry ransomware in various attack campaigns. Here is the result of it on VirusTotal
Now taking a note of PID of the tasksche.exe and filtering it out in Process Monitor.
The click on apply.
We can see that the tasksche.exe is being created inside random string generated directory which resides in 'ProgramData' directory. If we browse that location.
This folder contains every file related to the ransomware. If we check the Task Manager.
In the services section, we can see that a new service is created with the same name as the folder name that we've taken look at before. This is the persistence mechanism where a services will start running whenever the victim tries to reboot the system.
Here is the whole flow of the persistence mechanism.
The MITRE ID for this techniques is -> T1053.005
Assembly Analysis Using Cutter
Open the malware sample inside Cutter.
To make it easier to understand the flow, we'll use the decompiled C code by Cutter.
Moving on,
The URL is loaded into the ESI. Next,
The three APIs are called which will make the connection to the specified URL.
Step1 -
The InternetOpenA API is called,
Here is API structure.
The return value of the API is stored in the EAX register, refer the code and above Assembly flow
Now the value of EAX is passed to the ESI.
Step2 -
Next, the InternetOpenUrlA API is called.
The API takes ESI and ECX as parameter and stores it's return value into EAX. Then it passes the value to EDI.
Lastly the InternetCloseHandle is called to closed the internet connection.
The return value is stored in ESI.
Then EDI will compare itself and move towards JNE(Jump If Not Equal) address.
JNE value is stored -> 0x4081bc
If the value is equal to of the JNE which then it malware will not execute(refer the inetsim logic above)
And if the value of JNE is not equal to 0x4081bc then the malware will began it's execution.
Dynamic Analysis
Dynamic Analysis
Now moving forwards towards dynamic analysis. Even though we understood the understanding, we will deep dive into malware and try to subvert the Inetsim logic on the fly. For this we will be using xDbg.
To simulate an real scenario, we will trun on Inetsim and run the malware inside xDbg.
Press F9 to start it's execution.
If we take a look at previous analysis.
We know that when we get 200OK from this url the malware stop it's execution. Let's set a breakpoint where this URL is being called.
Press F2 to set a breakpoint.
After that restart the execution. And keep pressing F8 to going over through breakpoint and eventually you will reach at JNE where the Inetsim inversion logic happens.
You can check the Zero Flag(ZF) is set to 0 which means connection to the weird URL was successful and it will skip over. The malware will not be executed and will close itself.
Below is the video presentation of the whole process.
Now to get a way around we can double click on the ZF flag to set it to 1. Which will trick the malware into believing that connection to the weird URL was not successful and it can execute itself.
Here is the whole video presentation of the whole process.
We can see that the ransomware gets executed and file getting encrypted.
Although the whole infection chain goes more in depth but this blog is focus on basic analysis and execution part. Encryption and more in-depth analysis will be on later blogs(if possible).
Thank you for reading till the end☺️
Last updated