IAANSEC | WannaCry Analysis Report
L0WK3Y | Infophreak
Posted on April 10, 2022
WannaCry Ransomware Report
Apr 09, 2022 | L0WK3Y
Table of Contents
- Executive Report
- High-Level Technical Summary
- Malware Composition
- Static Analysis
- Dynamic Analysis
- Indicators of Compromise
- Yara Rules
Executive Summary
sha256: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
Wannacry is a ransomware that utilized the EternalBlue exploit to propagate through the targets network and attacked outdated Windows computers globally in May of 2017. WannaCry was a multistage attack starting with a dropper which unpacked a payload onto the targets system under the right conditions. Once the files were encrypted, the threat actors demanded a ransom of $300 worth of Bitcoin. If the ransom is not paid in a specified amount of time, the ransom is increased to $600. This attack infected around 230,000 computers across 150 countries. Marcus Hutchins later discovered a kill switch that stalled the spread of the attack. Click here to view the full analysis report.
High-Level Technical Summary
WannaCry consist of 2 stages:
The first stage being a dropper that tries to make contact with a suspicious URL that can be found in the strings
hxxp[://]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
if a connection is established the program exits, if a connection is not established the program proceeds with the rest of the execution. Once the program proceeds with execution a service is created by the programmssecsvc2.0
and has the display nameMicrosoft Security Center (2.0) Service
. The service also contains a path to the executable<PATH_TO_WANNACRY>\wannacry.exe -m security
. During this stage the program will attempt to propagate by reaching out to a large range of IPv4 addresses.Stage two the payload is unpacked from the dropper and proceeds to create persistence mechanisms such as creating a folder in the
C:\ProgramData\<GENERATED_STRING>\
directory and creating a file namedtasksche.exe
in theC:\Windows\
path and copying itself to the newly created directory. Once the file has been copied to the directory, a service is created and is named after the same generated string as the newly created folder and contains a path leading to the payloadC:\ProgramData\<GENERATED_STRING>\tasksche.exe
. After the service is created and the payload is executed the encryption process starts which changes the background image, drops instructions on how to decrypt the files and more in the generated directory.
Fig.0 Execution flow graph
Malware Composition
Item | SHA-256 Hash |
---|---|
Ransomware.wannacry.exe | 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c |
tasksche.exe | ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa |
@WanaDecryptor@[.]exe | b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25 |
taskdl.exe | 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79 |
taskhsvc.exe | e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb |
taskse.exe | 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d |
Item | Description |
---|---|
Ransomware.wannacry.exe | Initial file detonated |
tasksche.exe | The payload unpacked from the dropper |
@WanaDecryptor@[.]exe | The GUI application that is executed by tasksche after all files have been encrypted and handles ransom payment |
taskdl.exe | SQL Client Configuration Utility EXE |
taskhsvc.exe | Handles communication to TOR URL and other TOR activites |
taskse.exe | Waitfor - Wait/send a signal over a network |
Static Analysis
The original file name can be found in the "Version" tab of PE Studio
Fig.1 Original filename of dropper.
Compiler time stamp reports Nov. 20, 2010 in PE Studio.
Fig.2 Image showing was date dropper was compiled.
Executable can be found in the .rsrc section of the dropper executable.
Fig.3 Image of executable in the .rsrc header of the dropper.
Fig.4 Payload found in the 00407ce0 function
Found a URL that the dropper tries to communicate with at the start of it's execution.
Fig.5 Reference to DNS query URL string.
A few imports of interest:
Fig.6 Imports of interest in the dropper.
Addresses to the bitcoin wallets can be found in the function starting at address 0x00401E9E within the tasksche.exe
executable. BTC addresses are randomly selected.
Fig.7 Bitcoin addresses found in the payload
Dynamic Analysis
Dropper tries to reach out to the suspicious URL.
Fig.8 Dropper making DNS query to suspicious URL.
If the connection to the URL fails, the program proceeds and pushes two arguments to the stack <PATH_TO_WANNACRY>
and -m security
which are then passed as parameters to the CreateServiceA
function. The strings mssecsvc2.0
and Microsoft Security Center (2.0) Service
are also pushed to the stack in preparation for the creation of the service. The program proceeds to create a service named mssecsvc2.0
with the display name of Microsoft Security Center (2.0) Service
. Below are images of the service being prepared and the service after creation.
Fig.9 Dropper creates service as a persistence mechanism
After the creation of the service the payload attempts to connect to a range of IPv4.
Fig.10 Service attempts to reach out to a range of IPv4.
A reference to the payload can be seen being pushed to the stack along with another string of interest can be found stepping through the dropper in x32dbg.
Fig.11 Reference to packed payload.
The payload is later unpacked on to the system in the C:\Windows
directory and is executed.
Fig.12 Payload is unpacked by dropper.
The payload generates a string based on the host name of the system and creates a folder named after the generated string in the C:\ProgramData
directory. After the creation of the directory a copy of the payload is moved to the directory.
Fig.13 Payload generates random string based on the system name, creates a folder in the C:\ProgramData
directory with the generated name and copies the payload to the generated directory.
Along with the creation of the new directory a service is also created with the same generated name as the directory which uses cmd to execute tasksche as a persistence mechanism.
Fig.14 Service is created with the same name as the generated string.
A registry named WanaCrypt0r
and registry key named wd
are created with the key value set to the newly created directory in C:\ProgramData\<RANDOMLY_GENERATED_STRING>
.
Fig.15 Registry key created by payload service.
After the payload has executed the @WanaDecryptor@.exe
executable is dropped along with various other files in the same directory as the payload's execution and creates a shortcut to the executable on the Desktop.
Fig.16 Files dropped from payload after encryption process has begun.
Lastly, the system background is changed and a GUI of the @WanaDecryptor@.exe
is displayed.
Fig.17 Background changed and GUI application displayed
Indicators of Compromise
Network Indicators
Dropper observed making DNS Query to suspicious domain.
Payload attempts establish contact with a range of IPv4 addresses.
Host Based Indicators
Payload is unpacked on to system in C:\Windows
.
(Note) During the debugging process, there was a mention of a file in the directory C:\Windows
named qeriuwjhrf
but the file was never created.
Creation of services.
Creation of registry key.
Creation of files following the execution of the payload in the same directory as the execution. Along with files ending in the .WNCRY
extension.
Background change and appearance of GUI application.
Yara Rules
yara
rule wannacry_ruleset {
meta:
last_updated = "04-09-2022"
author = "IAANSEC"
description = "Yara rule to detect wannacry ransomware."
hash256 = "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"
strings:
$MZ_byte = "MZ"
$querydomain_killswitch = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea" ascii
$weird_windows_dir_str = "qeriuwjhrf" ascii
$reg_name = "WanaCrypt0r" ascii
$service = "Microsoft Security Center (2.0) Service" ascii
$payload = "tasksche" ascii
$exe1 = "taskdl" ascii
$exe2 = "taskse" ascii
$import = "Crypt" ascii
$str = "WNcry@2017" ascii
$decrypt_exe = "@WanaDecryptor@.exe" ascii
$wnry = "wnry" ascii
$decrypt = "decrypt" ascii
$bitcoin = "bitcoin" ascii
$btc_wallet1 = "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" fullword ascii
$btc_wallet2 = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94" fullword ascii
$btc_wallet3 = "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw" fullword ascii
condition:
$MZ_byte at 0 and
5 of them
}
Connect With Me 🙂
Posted on April 10, 2022
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.