Malware Analysis WannaCry Interpreted Malware Analysis

Winter Soldier

Level 25
Thread author
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
I made this static analysis a few days ago when I saw this thread in the HUB:

https://malwaretips.com/threads/w-anna-cry-v2.71397/

So thanks to @Der.Reisende :)

Now I've updated some things, but this analysis is primarily based on my interpretation of the very...very complex Hybrid Analysis report, trying to highlight the most important features used by this malware and on wannacry avoid - Pastebin.com about skipped files and file extensions.

I hope you can enjoy this simple, interpreted malware analysis.
I'm not a professional malware analyst, so forgive me for any mistake, forgetfulness or confusion :)


ANALYSIS


WannaCry uses a variety of encoded libraries that the system calls.It uses Windows libraries, because using Windows API dll, it is possible to encrypt all the files usually without errors.
The malware uses a series of data which are likely the used functions.

Among the most important are:

  • GetWindowsDirectory: it is the directory in which Windows is installed, useful to the malware that obviously doesn't encrypt the filesystem's folder.
  • GetLogicalDevices: it finds all the devices connected to the computer to infect them: so memory sticks, external HDDs, etc
  • Getsecurityinfo procedure: it is the safety info, useful to understand if you have installed or not any updates yet, probably it draws more exploits in the case that the software is not up to date
  • SystemParametersInfo: collects as much information as possible on the operating system
  • CryptGetRandom: creates the private key to encrypt the files (this also uses the function "rand" that generates a random string, very complex)
  • CryptExportKey: export the key, very likely in a file
  • fopen, fread, fwrite, fclose : in the order of the functions: open, read, write, and close the connection with the file, in a few words: WannaCry opens each file and overwrites all the data with a encrypted string
  • DeleteFile: deletes the files using the permissions of the user, if the user is Admin, most likely will try to delete also software like firewalls, antivirus etc..
  • TerminateProcess: ends certain processes (for example, antivirus which did not detect the file as ransomware)
  • CreateThread: it basically creates separate threads, WannaCry uses this function to spread itself more quickly, installing itself in the computer of the victim

-----------------------------------------------------------

The ransomware first tries to load a public key installed at the time of infection. If the load fails, it generates two RSA - 2048 bit keys using the CryptGenKey function. The private key is encrypted further with the public key of the ransomware.
At this point, a random AES - 128 bit key is generated using the function CryptoGenRandom, for each file, and each of these is encrypted. The AES key is encrypted with the public key previously generated in the file itself. In order to decrypt the file it is required the original private key of the malcoders.

Code:
Microsoft Enhanced RSA and AES Cryptographic Provider
TESTDATA CryptGenKey CryptDecrypt CryptEncrypt function CryptDestroyKey
CryptImportKey CryptAcquireContextA

WannaCry encrypt files with these extensions:

Code:
.doc .docx, .xls, .xlsx, .ppt, .pptx, .pst .ost .msg .eml, .vsd, .vsdx, .txt, .csv,
.rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot ..dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi .vmdk, .vmx,
 .gpg .aes, .ARC, .PAQ, .bz2, .tbk, .bak .tar, .tgz, .gz, .7z, .rar, the .zip, .backup .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .to, .svg .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla .swf, .wav, .mp3, .sh, .class .jar, the .java .rb, .asp .php, .jsp .brd .sch, .dch, .dip,
 .pl, .vb, .vbs .ps1, .bat .cmd .js, .asm .h, .pas, .cpp, .c, .cs, .his, .sln, .the ldf .mdf, .ibd .myi, .myd, and .frm, .odb, .dbf, .db .mdb .accdb, .sql .sqlitedb, .sqlite3, .asc .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp .odp .wb2, .slk, .dif, .stc .sxc .ots, .ods .3dm, .max .3ds, .uot, .stw, .sxw, .oct, .odt, .pem .p12 .csr .crt .key, .pfx, .der

It then seeks files that have this extension, ignoring some folders that it should not encrypt otherwise the system would become unstable:

Code:
Content.IE5
Temporary Internet Files
\Local Settings\Temp
\AppData\Local\Temp
\Program Files (x86)
\Program Files
\WINDOWS
\ProgramData
\Intel
$

Here it seems it uses a Windows library to generate the encryption keys:

Code:
Microsoft Enhanced RSA and AES Cryptographic Provider
TESTDATA CryptGenKey CryptDecrypt CryptEncrypt function CryptDestroyKey
CryptImportKey CryptAcquireContextA


And:

Code:
cmd.exe /c reg add %s /v "%s" /t
REG_SZ /d "\"%s\"" /f HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\%s
%s\taskse.exe\@WanaDecryptor@.exe\tasksche.exe%s%s*.*@WanaDecryptor@.exe.lnk


Even if probably these scripts are not complete, Wannacry uses the Command Prompt to edit registry keys. In particular, the keys in:

Code:
HKCU\SOFTWARE\Windows\CurrentVersion\Run\

that includes the software that Windows runs automatically at every boot. Then the ransomware adds itself automatically to the list of software that Windows runs.

Another very interesting string running in the CMD deletes all the shadow copies: copies that allow you to recover files in their original state:

Code:
/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit
/set {default} bootstatuspolicy ignoreallfailures & bcdedit
/set {default} recoveryenabled no & wbadmin delete catalog -quiet


CONCLUSION

Lets say, WannaCry is very complex and certainly it was not developed by noob coder.
It uses obfuscation methods and to be honest, I am not sure to have fully understood its behavior.


SOURCE


https://www.hybrid-analysis.com/sam...840480439c6e5babe8e080e41aa?environmentId=100

wannacry avoid - Pastebin.com
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top