Reverse engineering is one of the most sought after and most valued cybersecurity/infosec skills. Few people have advanced their skills to the point of being proficient in this exceptionally valuable discipline. Ghidra is a relatively new and free reverse engineering tool from the US spy agency, the NSA.

In this tutorial, we will take a look at one of the most notorious pieces of malware in the history of ransomware: WannaCry.

It infected over 300,000 computers worldwide and would have created havoc but for the work and skills of one person, Marcus Hutchins, aka MalwareTech. Hutchins obtained a copy of this malware and immediately began to examine its code. In it, he found what has often been called the "kill switch". In fact, what he found was a URL that was to be used for command and control (C&C) of this ransomware. When he realized that the URL had not yet been registered, he registered it himself. By doing that, he denied the ransomware authors access to control of their malware, thereby saving the internet.

Here, we will be looking at the initial infection vector of the malware, looking for that URL, and trying to understand how the malware initiates its malicious activity.
Before starting this tutorial, I recommend you read:

Reverse Engineering Malware: Ghidra, Part 1
Reverse Engineering Malware: Ghidra, Part 2

In addition, you will be well served to read:

Reverse Engineering, Part 4: Windows Internals
For this tutorial, I recommend you use a VM with Kali or another operating system. This is to make sure that you do not accidentally release WannaCry into your other systems or your network (this is generally good practice when working with malware). Next, download WannaCry. There are various places you can obtain it from, including VirusTotal.

Make sure you are in the Ghidra directory and start Ghidra.

When Ghidra starts, open a project by clicking on File > New Project.

Then drag and drop the WannaCry ransomware file onto the dragon, or go to File -> Import File.

Once the file is imported you will see a screen like the one below with all the details of the file.

Next, you will be greeted with a screen detailing options for analysis. Leave all the defaults checked and add Decompiler Parameter ID (this creates parameters and local variables for each function; it can add significant time to the analysis of large files, but for WannaCry this should not cause any problems).

As Ghidra analyzes WannaCry, you will likely receive the following error message. Don't worry, simply click OK.

Now you should have the following Ghidra user interface with the data from WannaCry.
The next step is to search for the function that starts this malware. As noted when we loaded the malware into Ghidra, WannaCry is a Portable Executable (PE). Every Windows application has an entry point, and it is usually named WinMain or wWinMain. See the documentation from Microsoft below.

When we go to the Symbol Tree and expand the Functions folder, we do not see a WinMain or wWinMain function, but we do see an entry function. This may serve the same purpose as WinMain(). Let's follow it.

Double click on it and it will appear in both the Listing window and the Decompile window. Now, scan down the Decompile window; there we can see that this function calls another function, FUN_00408140. Double click on it to analyze it.
Almost immediately, you should see what appears to be a URL in the Listing window and in the Decompile window.

It appears to be placing the URL into a variable named pu.

Scanning a bit further down the decompiler output, we can see a reference to the InternetOpenUrlA function.

We can search through Microsoft TechNet and see that the InternetOpenUrlA function does just as you might expect: it calls and opens the URL specified.

Just below InternetOpenUrlA, we see a few lines using InternetCloseHandle. These specify that if iVar2 is zero, then close the handle and run FUN_00408090; else close the handle and terminate the program.

This is what Hutchins found when he first examined and analyzed WannaCry: that is the URL of the command and control (C&C) server. If the program tries to reach the URL and it returns a zero, the program automatically terminates. If it does not terminate, it executes FUN_00408140. Let's follow it.
Next, let's follow the flow from FUN_00408140. Go to the Window tab at the top of Ghidra and click on Function Graph.

As you can see above, Ghidra gives us an easy to read graph of the flow from this function, both upstream and downstream. You can see that the entry function is upstream from FUN_00408140, and downstream from it are InternetOpenA, InternetOpenUrlA, InternetCloseHandle and the FUN_ function it calls.

Go back to the Decompile window and let's double click on FUN_00408090 to try to determine what it does.

The Decompile window should look like the following.

Note that the decompiler shows that the malware calls OpenServiceA. This includes an argument naming the service mssecsvc2.0 (the string Ghidra labels mssecsvc2.0_004312fc). This appears to open a Microsoft security service. Now that's interesting...

When we search Microsoft's TechNet, we find that NO such service exists. The malware is starting a new service that appears to be a legitimate Microsoft security service in order to obscure its true nature.
The WannaCry ransomware had the capacity to deal a crushing blow to the internet in 2017. It used the recently released EternalBlue exploit to gain entry to computer systems and then encrypt all their data until the victims paid a ransom. Apparently developed by North Korea in haste, to release it before Windows systems were patched, its authors did not obscure or obfuscate the malware and, most importantly, failed to register the command and control domain. Thanks to Marcus Hutchins, its impact was mitigated by his detection of the "kill switch", which disarmed this potentially debilitating ransomware.

Now that you have the skills, maybe you will be the next person to save the internet.

WannaCry is a malware that is classified as crypto-ransomware, which is defined as software that encrypts users' files and demands that they pay some amount of money in exchange for decrypting their files. The purpose of this kind of malware is money extortion. Crypto-ransomware uses shock and fear tactics to push users to pay the required ransom; in WannaCry, for example, this tactic is implemented by displaying a three-day countdown and threatening the user that the decryption key will be deleted if they do not pay on time.

WannaCry has also been considered a network worm because of its self-propagation capability through computer networks.

WannaCry was first seen in the wild in May 2017. WannaCry is considered the biggest ransomware outbreak in history. It had infected more than 200,000 computers in over 150 countries. WannaCry consists of two components: a worm module for self-propagation and a ransomware module for file encryption. WannaCry uses Tor hidden services for its C&C (command and control) communications. The main purpose of the C&C in WannaCry is to check whether the victim has paid the ransom and to deliver the decryption key.
II. WORM MODULE

WannaCry is called self-propagating malware because of the presence of the worm module. This module is used purely for propagation, spreading the malware to all the computers connected to the internal and external network. In this section we discuss the vulnerability that the malware exploited together with the propagation process.
A. SMB Vulnerability

The WannaCry malware exploits a vulnerability in the Windows implementation of the Server Message Block (SMB) protocol. SMB is a transport protocol used for file sharing, printer sharing and access to remote services in Windows. The SMB protocol operates over TCP port 445. The malware uses the vulnerability in SMB version 1 (SMB v1) and TCP port 445 to propagate. This vulnerability allows malformed packets from remote attackers to execute arbitrary code on the victim's computer.
In order to learn about the propagation characteristics of the malware, we executed the WannaCry sample in a controlled environment and monitored its network traffic flow. We used the following tools to perform our analysis.

Tool        Description
Kali Linux  Linux-based operating system used for forensics and penetration testing
Wireshark   Packet analyzer used for network analysis
ApateDNS    Tool used for retrieving the IP addresses or hostnames requested by the malware
IDA Pro     A disassembler that generates assembly language source code from machine code
A local area network (LAN) was created using three virtual machines (VMs):

• A Kali Linux machine to capture the packets in Wireshark –
• A Windows 7 Professional x64 Service Pack 1 machine where the malware was executed (primary victim's machine) – 172.16.182.128
• A Windows 7 x64 VMware machine connected to the same LAN – 172.16.182.158

[Running header of the paper: A Comprehensive Analysis of WannaCry: Technical Analysis, Reverse Engineering, and ... – Waleed Alraddadi and Harshini Sarvotham]

Some prerequisites for performing the network analysis are to enable the SMB v1 protocol on all the machines connected to the LAN and to disable the Windows Firewall so that all the machines can reach each other. Upon successful establishment of connections among all the machines, we execute the malware on the victim's machine (Windows 7 Professional).
Figure 1: Experiment structure

C. Network Analysis

The malware executable sends a request to the domain http://www.ayylmaoTJHSSTasdfasdfasdfasdfasdfasdfasdf.com for connection. If the domain is connected or available, then the dropper will exit immediately, which means that the malware will not be executed. The malware will be executed only if it fails to connect to the domain. Therefore, one of the ways to stop the attack is to sinkhole the domain; hence, this became known as the kill switch of the malware. Before the release of the malware this domain was inactive or not registered. The malware contacting the domain can be seen in the ApateDNS tool below.
Figure 3: ApateDNS results

The victim's machine will scan the local network for other machines that are accessible and have an exposed SMB port (445). Hence, we can see that it sends TCP (Transmission Control Protocol) SYN (synchronize) requests to port 445.

• It then sends ARP requests as a broadcast to all the IP addresses available in the network. It increments the IP address by 1 and checks for a response from any one of them.

Figure 2: Scanning internal network
• In our experiment the other machine connected to the network is 172.16.182.158. Once the response from the other machine in the same LAN is received, it checks for the exposed SMB port (445).
• Once it establishes a connection with the other machine, it checks whether the machine has the SMB v1 protocol, thereby checking for the vulnerability.
  o There is an initial SMB handshake (Negotiation Request/Response and Session ...). Once this is finished it connects to the IPC$ share – this is a session in Windows that allows an anonymous user to perform certain activities. The malware then connects to the IP address of the primary victim's machine.
  o It then receives a Trans response from the other machine in the LAN to the primary victim's machine with status S..., which confirms that the machine does have the vulnerability in SMB v1.

Figure 4: Vulnerability test
• The next test is to determine whether the DoublePulsar backdoor exists.
  o DoublePulsar injects a backdoor into the affected hosts for easier access and can be removed upon system reboot. It is an implant tool that was developed by the NSA to gain access to Microsoft Windows systems. This tool was stolen, together with several other tools, by the Shadow Brokers group. The WannaCry authors utilized this stolen tool to make the malware more effective in propagation.
  o After that, the malware connects to the IP address, which is a hardcoded local IP.
  o It then checks the status to determine whether the machine is compromised with the backdoor or not.

Figure 5: DoublePulsar test
• The next step is to exploit the vulnerability.
  o We can see from our analysis that it sends a sequence of NOPs (no-operation instructions) to overflow the NT Trans request, which results in multiple Trans2 Secondary responses.
  o This Trans2 Secondary response will contain the shellcode (arbitrary code) that executes the payload to exploit the vulnerability.
  o Therefore, the attackers exploited this buffer overflow vulnerability that occurs in the SMB protocol implementation.

It then generates random IP addresses and sends TCP requests through port 445 to scan the external network and perform the same commands to check for the vulnerability and proceed with the

Figure 6: Scanning external network
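The internal scan described above (SYN to port 445 across the subnet, one address at a time) leaves a recognisable pattern in connection summaries. The following is an added example, not code from the paper or from WannaCry: it runs over a constructed Zeek-style connection log and flags sources that probed many distinct hosts on TCP/445, reporting the longest run of consecutive addresses they walked; the log lines, field layout and threshold are assumptions.

```go
package main

import (
	"net"
	"sort"
	"strings"
)

// Constructed connection-summary lines (not a real capture) in a Zeek-like layout:
// "ts src dst dport state"; S0 = SYN sent and unanswered, SF = handshake completed.
const sampleLog = `1494590000.1 172.16.182.128 172.16.182.1 445 S0
1494590000.2 172.16.182.128 172.16.182.2 445 S0
1494590000.3 172.16.182.128 172.16.182.3 445 S0
1494590000.4 172.16.182.128 172.16.182.4 445 S0
1494590001.0 172.16.182.128 172.16.182.158 445 SF
1494590002.0 172.16.182.140 172.16.182.10 445 SF
1494590003.0 172.16.182.140 10.0.0.5 443 SF`
type sweep struct {
	Targets    int // distinct destination IPs contacted on 445
	LongestRun int // longest chain of adjacent destination IPs (the "+1" walk above)
}

// findSMBSweeps returns the sources that contacted at least minTargets distinct hosts on
// TCP/445. Ordinary file-share use touches a few servers; the worm walks the whole subnet.
func findSMBSweeps(log string, minTargets int) map[string]sweep {
	seen := map[string]map[string]bool{} // src -> set of dst IPs probed on 445
	for _, ln := range strings.Split(log, "\n") {
		f := strings.Fields(ln)
		if len(f) != 5 || f[3] != "445" { continue }
		if seen[f[1]] == nil { seen[f[1]] = map[string]bool{} }
		seen[f[1]][f[2]] = true
	}
	out := map[string]sweep{}
	for src, dsts := range seen {
		if len(dsts) >= minTargets { out[src] = sweep{len(dsts), longestRun(dsts)} }
	}
	return out
}

// longestRun: length of the longest chain of consecutive IPv4 addresses in dsts.
func longestRun(dsts map[string]bool) int {
	var v []uint32
	for d := range dsts {
		if ip := net.ParseIP(d).To4(); ip != nil {
			v = append(v, uint32(ip[0])<<24|uint32(ip[1])<<16|uint32(ip[2])<<8|uint32(ip[3]))
		}
	}
	sort.Slice(v, func(i, j int) bool { return v[i] < v[j] })
	best, run := 0, 0
	for i := range v {
		if i > 0 && v[i] == v[i-1]+1 { run++ } else { run = 1 }
		if run > best { best = run }
	}
	return best
}
```

On the constructed log, only the primary victim (172.16.182.128) is flagged: five hosts on 445, four of them walked consecutively, while the host using one file server is not.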
III. RANSOMWARE MODULE

Upon execution, the ransomware establishes persistence by creating a Windows registry key that allows the ransomware to run upon machine start. The registry key is:

The last part of the registry key is the folder that the ransomware creates for itself. The folder name shows that the ransomware creates a unique identifier for each computer. We can see that the name it generates is a string of random lowercase characters followed by 3 random digits.
A. Observations

Once the malware runs it will start searching for specific Windows file extensions. A file extension is the end of a file name that defines the file type, e.g. File1.txt. Next, it encrypts these targeted files using ... and stores the encrypted files. Once that is done it deletes the original files from the machine to prevent the victim from accessing them.

Figure 7: List of all file extensions targeted by WannaCry (Source: A. Berry, "WannaCry Malware Profile", FireEye)

We can observe that the ransomware doesn't target any executable files (.exe and .dll), to avoid system interruption. Once the encryption process is performed the ransomware will show a window (the Wana Decrypt0r software) that has decryption ...

Figure 8: WannaCry main windows

In this Wana Decrypt0r software the ransomware demands that the victim pay $300 in Bitcoin to that specific address in order to decrypt the files.
B. Cryptographic Model

This ransomware utilizes a hybrid cryptographic model in which it combines asymmetric cryptography with symmetric cryptography. To explain this model, we created the ...

Figure 9: Cryptographic model

• There are two hardcoded keys inside the malware file:
  o An AES key that is used for encrypting 10 random files located on the victim's desktop. The purpose of this is to show that the @WanaDecryptor@.exe software is capable of decrypting the victim's files. This is executed once the victim clicks on the "Decrypt" button. The goal of this step is to convince the victim to pay the ransom.
  o An RSA public key, which we refer to as the attacker's public key (APU).
The decryption steps are:

1. Use the attacker's private key (APR) to decrypt the victim's private key (VPR)
2. Use the victim's private key (VPR) to decrypt all AES keys
3. Use AES to decrypt the files

The problem is that the attacker's private key is unknown; therefore the only way to decrypt the files is to ask the attackers to decrypt the victim's private key. The ransomware performs all of these operations using Windows API functions.
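To make the key hierarchy concrete, here is an added example in Go (hypothetical code, neither WannaCry's implementation nor the paper's): each file is sealed under a fresh AES key wrapped with the victim's public key (VPU), the victim's private key (VPR) is itself sealed under the attacker's public key (APU), and recoverFile walks the three decryption steps listed above, which can only begin with the attacker's private key (APR). AES-GCM and RSA-OAEP are chosen for illustration; the names and structure are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
)

// Hypothetical illustration of the hybrid model in the text; not WannaCry's own code.
// Names follow the text: APU/APR = attacker's public/private key, VPU/VPR = victim's.
type sealed struct {
	wrappedKey []byte // fresh AES-128 key, RSA-OAEP wrapped under a public key
	nonce, ct  []byte // AES-GCM nonce and ciphertext of the data
}

func seal(pub *rsa.PublicKey, plain []byte) (*sealed, error) {
	key, nonce := make([]byte, 16), make([]byte, 12)
	rand.Read(key)
	rand.Read(nonce)
	blk, _ := aes.NewCipher(key) // 16-byte key: cannot fail
	g, _ := cipher.NewGCM(blk)
	wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &sealed{wk, nonce, g.Seal(nil, nonce, plain, nil)}, nil
}

// unseal needs the private half of the wrapping key; any other key fails.
func unseal(priv *rsa.PrivateKey, s *sealed) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, s.wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	blk, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(blk)
	return g.Open(nil, s.nonce, s.ct, nil)
}

// recoverFile: the three decryption steps from the text (APR opens the sealed VPR,
// VPR unwraps the file's AES key, AES decrypts the file). Without APR it cannot start.
func recoverFile(apr *rsa.PrivateKey, sealedVPR, file *sealed) ([]byte, error) {
	der, err := unseal(apr, sealedVPR) // step 1: APR -> VPR
	if err != nil {
		return nil, err
	}
	vpr, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, err
	}
	return unseal(vpr, file) // steps 2 and 3: VPR -> AES key -> file
}
```

The victim's machine holds only VPU, the sealed VPR and the sealed files, so unseal on any of them fails there; that is the asymmetry the ransom note relies on.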