WannaCry Static analysis

Joined
Nov 1, 2017
Messages
25
OS
Windows 10
Antivirus
Avira
#1
Hi,
I'm doing the static analysis of the WannaCry malware.
I know how the virus works, but I do not know how to proceed with static analysis.
The tool I use is IDA Pro.
1) I examined the file on VirusTotal;
2) I looked at the imports and exports;

But now how do I proceed with IDA Pro?
Thank you very much.
 

tim one

Level 21
Trusted
AV-Tester
Joined
Jul 31, 2014
Messages
1,072
OS
Windows 10
Antivirus
F-Secure
#2
Honestly, I'm not an expert on IDA. Primarily I analyze .NET samples with PEiD and ILSpy if the code is not obfuscated; for example, here is my old analysis:

Malware Analysis - Backdoor.MSIL.Bladabindi-Static Analysis

As you can see, even using mainly PEiD you can find a lot of good information on the samples you want to analyze.
If your need is to use IDA, I'd like to hear from @Opcode, one of the greatest experts on this stuff here ;)
 
Deleted member 65228

Guest
#3
I know how the virus works, but I do not know how to proceed with static analysis.
First things first: WannaCry isn't a virus, it is ransomware.

A virus is a type of malicious software which requires a host and typically works by infecting other files (this also gains persistence - e.g. malicious code belonging to the virus is executed when an affected document is opened at some point during execution flow, usually before the program's main code is executed or before it terminates at the end). They are quite destructive and, due to how they work by infecting other files, they become extremely difficult to clean - a lot of the time cleaning will fail (therefore most people just format and reinstall the OS), and attempting to keep documents can be catastrophic because they may be affected.

Ransomware is another type of malicious software which will demand a ransom (payment of some sort) in exchange for something. Usually it revolves around encryption of documents on the user's system, and the ransom payment will allegedly be to gain a decryption key so the affected documents can be recovered. There are many forms of "ransomware"... Screen lockers exist too, and even blackmail through stealing picture files and demanding a ransom to prevent exposure has been done before (especially on Android devices).

There are many different types of malicious software: viruses, worms, rootkits, ransomware, backdoors, banking malware/keyloggers/password stealers/general spyware, etc.

-----------------------------------------------------------------------

I cannot tell you how you can use the Interactive Disassembler (IDA) because it is a very complicated piece of software and it supports a lot of different things. It can be used for a wide variety of things, from scanning the Imports (from the Import Address Table)/Exports (from the Export Address Table)/Strings (e.g. Unicode) and disassembly of function stubs (with pseudo-code translation support) of a Portable Executable, to analysing a 16-bit boot-loader in *.bin format.

Disassembly works by translating the machine code of a Portable Executable (PE) to Assembly... Therefore, if you wish to really perform disassembly properly, you will need to have experience in Assembly. I should note that there are different types of Assembly. I'd recommend you aim for 32-bit and 64-bit, and maybe one day 16-bit (to analyse boot sectors from bootkits). Assembly can be very difficult, especially for a beginner... Therefore I wouldn't bother trying to start with that yet; it can be quite intimidating and this may put you off and cause you to give up. I'd start with a higher-level language if I were you, such as C, C++ or even a managed language, and then keep working your way down until you are comfortable to study Assembly.

If you decide to study a managed language such as C#.NET or VB.NET (which is a lot easier than starting with a native language like C, C++ or even Assembly), you should know that it relies on a "Virtual Machine" (the Common Language Runtime (CLR)) to translate the instructions, since it is based on Microsoft Intermediate Language (MSIL), which is byte-code (just like Java). This means it uses a Just-In-Time (JIT) compiler instead of being compiled natively. For managed reversing you can use tools like the ones @tim one has already mentioned, such as ILSpy, which will translate the byte-code back to readable source code.

Along the way you will learn about many topics such as (but not limited to): Application Programming Interfaces (APIs); packing; obfuscation; how compilers work; the internals of numerous malware types; monitoring API calls; debugging software; network sniffing (e.g. capturing network logs via software such as Wireshark, TCPView); etc.

There is so much to malware analysis, and every single person involved in it will constantly learn more. You can never become a "true" expert where you cannot learn anything more on it because things change 24/7 and new methods are applied all the time by attackers. The best thing you can do is start from the bottom at an area good enough for you to understand and work your way to learning more and more, attempting to do more complex things as you get better and strengthen your knowledge. Practice, practice and practice... Practice makes perfect!

I know that this reply is not what you were likely expecting and you may not like what I've said, but the truth is that you will get nowhere if you just try to jump into IDA... You need to think smaller and work your way up to more complicated things IMO. Of course you can ignore my advice and decide what you want, but I am telling you this to help you. :)

I am not a very good malware analyst myself IMO, I am just a software engineer. I do a bit of malware analysis though, using techniques I apply when doing software engineering sometimes.

I wish you good luck and I am sure you are on your way to becoming a brilliant security researcher/malware analyst!
 
#4
Thanks for your answer :)
I agree with what you said.
I have good experience in C, but unfortunately I do not know assembly well.
I'm doing a college project where I have to do both static and dynamic analysis. With IDA Pro I have to find the most important conditional jumps (I do not have to thoroughly analyze the code).
But I'm a bit confused about how to proceed.
What do you suggest me to do? For now, I only analyzed the file with virustotal and import / export.
 
Deleted member 65228
#5
What do you suggest me to do?
Open up the PE in IDA and find the main entry-point. You may find CRT stuff depending on the language/compilation, but you need to find the entry-point for the program by the author. Then you can go through the instructions for the start of the program.

You can use the Imports tab and find cross references to functions of interest -> reverse engineer functions of interest using specific statically-linked functions from other modules.

I usually use IDA for a few things when reversing; I tend to take a liking to monitoring API calls and going through those logs personally. If a sample is packed then I dump it to disk, fix aspects like the IAT and then analyse it in IDA.
 
Deleted member 65228
#6
I have good experience in C, but unfortunately I do not know assembly well.
Press F5 when in the disassembly of a function stub -> if you have the Professional version and if the plug-in is installed/active automatically then it should generate pseudo-code in C-form for you. It will be tricky to read most of the time of course, it won't be "readable source code", but will be extremely useful in a lot of scenarios. You will find more about this in the IDA Documentation :)

You can press ctrl + F5 by default to export a *.c file of the entire PE being analysed which can be really useful at times as well.

Anyhow, I just posted a thread about malware analysis with a ransomware sample (xRatLocker - sample provided by @Der.Reisende), so if you're interested you can check if it has been posted yet (new threads in the MA area are moderated). I used IDA in it and explained a few things which may help you out, like the usage of operand references, the imports/exports tabs, etc.
 
#7
Press F5 when in the disassembly of a function stub -> if you have the Professional version and if the plug-in is installed/active automatically then it should generate pseudo-code in C-form for you. It will be tricky to read most of the time of course, it won't be "readable source code", but will be extremely useful in a lot of scenarios. You will find more about this in the IDA Documentation :)

You can press ctrl + F5 by default to export a *.c file of the entire PE being analysed which can be really useful at times as well.

Anyhow, I just posted a thread about malware analysis with a ransomware sample (xRatLocker - sample provided by @Der.Reisende), so if you're interested you can check if it has been posted yet (new threads in the MA area are moderated). I used IDA in it and explained a few things which may help you out, like the usage of operand references, the imports/exports tabs, etc.
Thanks @Opcode =)
What is the name of the plug-in to generate the pseudocode?
 
Deleted member 65228
#8
Thanks @Opcode =)
What is the name of the plug-in to generate the pseudocode?
Read the manual information for pseudo-code generation here: Hex-Rays Decompiler: Manual

You can activate it with F5 while in the disassembly of a function stub by default.

I may have been wrong, I do not think it is through an extension/plug-in. It is made and implemented by IDA developers themselves, only for the Professional version though as far as I know. :)
 
#9
Read the manual information for pseudo-code generation here: Hex-Rays Decompiler: Manual

You can activate it with F5 while in disassembly of a function stub by default

I may have been wrong, I do not think it is through an extension/plug-in. It is made and implemented by IDA developers themselves, only for the Professional version though as far as I know. :)
Yes. Thanks for your help =)
 
#10
@Opcode ,
When I open a file in IDA Pro, does the first function it shows me contain the main malware code?
Because the first function it opens for me is WinMain, but in the exports there is a start function marked "main, entry" in the ordinal column.
 
Deleted member 65228
#11
@Opcode ,
When I open a file in IDA Pro, does the first function it shows me contain the main malware code?
Because the first function it opens for me is WinMain, but in the exports there is a start function marked "main, entry" in the ordinal column.
The exports can show you another entry-point deeper than WinMain sometimes. WinMain is the entry-point to the authors code, but before this there are function stubs executed which are inserted by the compiler, designed to initialise everything (e.g. run-time library). The WinMain function is called by the initialisation stub/s.

People just refer to int main(), int main(void){ }, WinMain etc. as the entry-point because they either do not know about the initialisation procedures or it is easier to do so.

It depends on the compiler/language used to write the sample.

You can probably start analysis at WinMain IMO.
 
#12
The exports can show you another entry-point deeper than WinMain sometimes. WinMain is the entry-point to the authors code, but before this there are function stubs executed which are inserted by the compiler, designed to initialise everything (e.g. run-time library). The WinMain function is called by the initialisation stub/s.

People just refer to int main(), int main(void){ }, WinMain etc. as the entry-point because they either do not know about the initialisation procedures or it is easier to do so.

It depends on the compiler/language used to write the sample.

You can probably start analysis at WinMain IMO.
The malware is written in C.
Analyzing the file header with PEiD, I noticed that the entry point has the same address as the "start" export function in IDA.
So is the start function the one that is called first?
 
Deleted member 65228
#13
The malware is written in C.
Analyzing the file header with PEiD, I noticed that the entry point has the same address as the "start" export function in IDA.
So is the start function the one that is called first?
Yes, the entry-point is the start function. If you follow the start function, you'll eventually end up at WinMain. WinMain is the entry-point defined by the author of the sample in the actual source code - the start function will lead to initialisation of things for the C run-time prior to WinMain being internally called to start executing the program's real code. The start function and the others it leads to prior to WinMain are inserted by the compiler.
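Added worked example (an editor's addition, not code from anyone in this thread): the relationship discussed in the last few posts, the PE header's AddressOfEntryPoint versus the exported "start" symbol, plus the import table and IAT slot addresses from post #5, can be checked without IDA by reading the PE headers directly. The script is stdlib-only Python and parses PE32 (32-bit) images only. build_sample_pe() constructs a tiny PE in memory for the example (it is not a WannaCry sample) whose only export, "start", points at the entry point and which imports OpenProcess and CreateProcessA from KERNEL32. The INTERESTING watch-list is an assumption made up from import names mentioned in this thread.

```python
"""Header-level PE triage in pure Python: entry point, exports, imports and IAT slot addresses."""
import struct

INTERESTING = ("CreateProcess", "CopyFile", "RegCreateKey", "OpenProcess")  # assumed watch-list


def cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")     # NUL-terminated string


def parse_pe(data):
    """Return (image base, AddressOfEntryPoint RVA, {export: RVA}, [(dll, symbol, IAT slot VA)])."""
    pe, = struct.unpack_from("<I", data, 0x3C)                                  # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)   # COFF header
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:
        raise ValueError("this example parses PE32 only (magic %#x)" % magic)
    entry, _, _, base = struct.unpack_from("<IIII", data, opt + 16)   # AddressOfEntryPoint .. ImageBase
    ndirs, = struct.unpack_from("<I", data, opt + 92)                 # NumberOfRvaAndSizes
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    secs = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]

    def rva2off(rva):                                                 # RVA -> file offset
        for _, vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA %#x is not inside any section" % rva)

    exports = {}
    if ndirs > 0 and dirs[0][0]:                                      # IMAGE_DIRECTORY_ENTRY_EXPORT
        e = rva2off(dirs[0][0])
        nnames, funcs, names, ords = struct.unpack_from("<IIII", data, e + 24)
        for i in range(nnames):
            name_rva, = struct.unpack_from("<I", data, rva2off(names) + 4 * i)
            ordinal, = struct.unpack_from("<H", data, rva2off(ords) + 2 * i)
            func_rva, = struct.unpack_from("<I", data, rva2off(funcs) + 4 * ordinal)
            exports[cstr(data, rva2off(name_rva))] = func_rva

    imports = []
    if ndirs > 1 and dirs[1][0]:                                      # IMAGE_DIRECTORY_ENTRY_IMPORT
        d = rva2off(dirs[1][0])
        while True:
            desc = struct.unpack_from("<IIIII", data, d)              # IMAGE_IMPORT_DESCRIPTOR
            if not any(desc):                                         # all-zero entry ends the table
                break
            oft, _, _, name_rva, ft = desc
            dll, thunk, i = cstr(data, rva2off(name_rva)), rva2off(oft or ft), 0
            while True:
                val, = struct.unpack_from("<I", data, thunk + 4 * i)
                if not val:
                    break
                # High bit set: import by ordinal; otherwise RVA of a 2-byte hint followed by the name.
                sym = "#%d" % (val & 0xFFFF) if val >> 31 else cstr(data, rva2off(val) + 2)
                imports.append((dll, sym, base + ft + 4 * i))         # VA of this IAT slot
                i += 1
            d += 20
    return base, entry, exports, imports


def triage(data):
    base, entry, exports, imports = parse_pe(data)
    return {
        "entry_va": base + entry,
        "start_is_entry": exports.get("start") == entry,       # the observation made in post #12
        "interesting": [(dll, sym) for dll, sym, _ in imports if sym.startswith(INTERESTING)],
        "iat": {sym: va for _, sym, va in imports},             # operands of CALL/JMP [slot]
    }


def build_sample_pe():
    """Constructed 32-bit PE for this example (not a WannaCry sample)."""
    S = 0x1000                                        # section RVA; raw data at file offset 0x200
    sec = bytearray(0x200)
    sec[0] = 0xC3                                     # start: ret
    for off, name in ((0x60, b"OpenProcess"), (0x70, b"CreateProcessA")):
        sec[off:off + 3 + len(name)] = b"\0\0" + name + b"\0"              # hint + name
    thunks = struct.pack("<III", S + 0x60, S + 0x70, 0)
    sec[0x10:0x1C] = thunks                           # IAT (FirstThunk), unbound
    sec[0x20:0x2C] = thunks                           # INT (OriginalFirstThunk)
    sec[0x30:0x44] = struct.pack("<IIIII", S + 0x20, 0, 0, S + 0x90, S + 0x10)  # descriptor
    sec[0x90:0x9D] = b"KERNEL32.dll\0"
    sec[0xA0:0xC8] = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, S + 0xF0, 1, 1, 1, S + 0xD0, S + 0xD4, S + 0xD8)
    sec[0xD0:0xDA] = struct.pack("<IIH", S, S + 0xE0, 0)   # function RVA, name RVA, ordinal
    sec[0xE0:0xE6] = b"start\0"
    sec[0xF0:0xFB] = b"sample.exe\0"
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "IIIIHH" + "I" * 6,
                      0x10B, 14, 0, 0x200, 0, 0, S, S, S, 0x400000, 0x1000, 0x200,
                      6, 0, 0, 0, 6, 0, 0, 0x2000, 0x200, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[0], dirs[1], dirs[12] = (S + 0xA0, 40), (S + 0x30, 40), (S + 0x10, 12)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sh = struct.pack("<8sIIIIIIHHI", b".text", 0x200, S, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    return bytes((dos + b"PE\0\0" + coff + opt + sh).ljust(0x200, b"\0") + sec)
```

On the constructed file, triage() reports entry_va 0x401000, start_is_entry True, both imports flagged, and IAT slots at 0x401010 (OpenProcess) and 0x401014 (CreateProcessA). On a real sample, start_is_entry being True is the same fact PEiD's entry point field shows: the loader jumps to the CRT stub that IDA names start, and WinMain is reached from there. The IAT slot addresses are the memory operands of the CALL/JMP instructions that invoke each import, which is what IDA's cross-reference view on an Imports entry lists.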
 
Deleted member 65228
#14
@Raffaele You can look at the Imports -> check for cross-references based on operand using the X shortcut key at default settings. You can check for JMP/CALL instructions to the import addresses to determine if the instruction is actually calling the function or not, because you may have a lot of MOV X, X (X being a register/value) for setting things up. Other registers are used for the stack regarding parameters for the function calls (and then the called function adds/subtracts with the register -> gets parameter data from the stack -> PUSH at the start and then POP at the end).

By checking the cross references you can find routines doing specific actions and guess beforehand checking based on the Import being used. If OpenProcess (KERNEL32) is being checked, you can assume a handle will be opened to a running process if it is existent -> check it and you will see.

Static analysis can be difficult because actual source code can be obfuscated prior to compilation and because even though IDA Professional supports pseudo-code conversion, it will never be 100% readable source code due to how native compilers work (since your sample is written in C). Due to this, you may prefer dynamic analysis to monitor some things. I recommend API Monitor for this.

Thankfully your sample is not packed, because that is another level for new reversers, usually requiring dynamic analysis to unpack. Although if you run into something like UPX, the -d command is sometimes sufficient.

If you get stuck during analysis let me know and I will try to help you if I can. Just be warned I am not very good with static, so if you have a problem with monitoring API calls dynamically then I could help you a lot better with that than with static. :)

There is only so much you can do with static. The parameters for many API calls will be messed up and not clear; you can try to scan with enums in IDA -> C/C++ run-time or SDK packs, but it won't always be enough. I suspect most malware analysts prefer debugging over API monitoring though. Depends on your preference.
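Added example (an editor's addition, not Opcode's or the OP's code) for the point made in the post above about telling a real CALL/JMP to an import apart from a MOV that merely loads the pointer, done over raw 32-bit x86 bytes instead of IDA's X cross-reference dialog. The decoder handles only the handful of opcodes the example needs; the IAT map and the code fragment are constructed for this example (the slot addresses 0x401010/0x401014 and the code address 0x401020 are assumptions, not addresses from any real sample).

```python
"""Classify references to IAT slots in 32-bit x86 code: real calls vs. pointer reads."""
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode(code, base):
    """Linear-sweep decoder for just the opcodes this example needs.
    Yields (va, length, text, kind, target); an unknown opcode ends the sweep."""
    i = 0
    while i < len(code):
        va, op = base + i, code[i]
        nxt = code[i + 1] if i + 1 < len(code) else None
        if op == 0xFF and nxt in (0x15, 0x25):                       # call/jmp dword ptr [disp32]
            tgt, = struct.unpack_from("<I", code, i + 2)
            mn = "call" if nxt == 0x15 else "jmp"
            ins = (6, "%s dword ptr [0x%x]" % (mn, tgt), mn + "_mem", tgt)
        elif op == 0xFF and nxt is not None and 0xD0 <= nxt <= 0xD7:  # call r32
            ins = (2, "call " + REG32[nxt & 7], "call_reg", nxt & 7)
        elif op == 0x8B and nxt is not None and (nxt & 0xC7) == 0x05:  # mov r32, dword ptr [disp32]
            tgt, = struct.unpack_from("<I", code, i + 2)
            ins = (6, "mov %s, dword ptr [0x%x]" % (REG32[(nxt >> 3) & 7], tgt), "mov_mem", tgt)
        elif op == 0xA1:                                             # mov eax, dword ptr [moffs32]
            tgt, = struct.unpack_from("<I", code, i + 1)
            ins = (5, "mov eax, dword ptr [0x%x]" % tgt, "mov_mem", tgt)
        elif op in (0xE8, 0xE9):                                     # call/jmp rel32 (internal code)
            rel, = struct.unpack_from("<i", code, i + 1)
            tgt, mn = (va + 5 + rel) & 0xFFFFFFFF, "call" if op == 0xE8 else "jmp"
            ins = (5, "%s 0x%x" % (mn, tgt), mn + "_rel", tgt)
        elif op == 0x6A and nxt is not None:                         # push imm8
            ins = (2, "push 0x%x" % nxt, "other", None)
        elif op == 0x68:                                             # push imm32
            ins = (5, "push 0x%x" % struct.unpack_from("<I", code, i + 1)[0], "other", None)
        elif 0x50 <= op <= 0x57:                                     # push r32
            ins = (1, "push " + REG32[op & 7], "other", None)
        elif op in (0xC3, 0x90):
            ins = (1, "ret" if op == 0xC3 else "nop", "other", None)
        else:                                                        # unknown opcode: stop sweeping
            yield (va, 1, "db 0x%02x" % op, "other", None)
            return
        yield (va,) + ins
        i += ins[0]


def iat_xrefs(code, base, iat):
    """Cross-references from code to IAT slots, as (va, text, import, how).
    how == 'call': the import is invoked, directly (call [slot]), via a tail-jump
                   thunk (jmp [slot]), or through a register loaded from the slot;
    how == 'read': the slot is only read into a register (a later call reg uses it).
    Register tracking is linear and ignores clobbering; a real analysis must not."""
    out, held = [], {}
    for va, _, text, kind, tgt in decode(code, base):
        if kind in ("call_mem", "jmp_mem") and tgt in iat:
            out.append((va, text, iat[tgt], "call"))
        elif kind == "mov_mem" and tgt in iat:
            held[REG32.index(text.split()[1].rstrip(","))] = iat[tgt]
            out.append((va, text, iat[tgt], "read"))
        elif kind == "call_reg" and tgt in held:
            out.append((va, text, held.pop(tgt), "call"))
    return out


# Constructed for this example: two IAT slots (addresses assumed, not from any real sample)
# and a code fragment at 0x401020 that uses them in three different ways.
IAT = {0x401010: "KERNEL32!OpenProcess", 0x401014: "KERNEL32!CreateProcessA"}
SAMPLE = bytes.fromhex(
    "8B0D14104000"   # 401020  mov ecx, dword ptr [0x401014]  ; load CreateProcessA pointer
    "6A00"           # 401026  push 0
    "FF1510104000"   # 401028  call dword ptr [0x401010]      ; OpenProcess via the IAT
    "E804000000"     # 40102e  call 0x401037                  ; internal call to the thunk below
    "FFD1"           # 401033  call ecx                       ; CreateProcessA, indirectly
    "C3"             # 401035  ret
    "90"             # 401036  nop
    "FF2514104000"   # 401037  jmp dword ptr [0x401014]       ; import thunk for CreateProcessA
    "C3"             # 40103d  ret
)

if __name__ == "__main__":
    for va, text, imp, how in iat_xrefs(SAMPLE, 0x401020, IAT):
        print("%08x  %-32s %-5s %s" % (va, text, how, imp))
```

The fragment yields four references to the two slots: the mov ecx, [0x401014] is a read, the later call ecx is the real invocation of CreateProcessA, call [0x401010] invokes OpenProcess directly, and the jmp [0x401014] at the end is a compiler-style import thunk, reached through the internal call 0x401037. In IDA the same distinction appears as the xref type on each line of the X dialog; a read xref followed by an indirect call is the case where counting only CALL/JMP lines would make you miss a use of the import.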
 
#15
@Opcode thank you so much for your help.
Since WannaCry is complex to analyze statically, I would structure the static analysis as follows:
1) Virus scanning to confirm it is malicious software;
2) Check the imported functions, finding the most important ones such as CreateProcess, CopyFile, RegCreateKey, etc.;
3) I write that the code is complex to analyze because assembly language experience is needed, so we proceed with dynamic analysis to figure out how it works.

Is that right?
This is a university project and the assistant told me to see if there are important conditional jumps, but as I said, the code is very complex to interpret.
 
Deleted member 65228
#17
Since WannaCry is complex to analyze statically, I would structure the static analysis as follows:
1) Virus scanning to confirm it is malicious software;
2) Check the imported functions, finding the most important ones such as CreateProcess, CopyFile, RegCreateKey, etc.;
3) I write that the code is complex to analyze because assembly language experience is needed, so we proceed with dynamic analysis to figure out how it works.
I normally do something like the following.

1. Scan the PE at VirusTotal and Metadefender. This provides insight on whether a vendor detects the PE as a threat or not, and the detection names can be taken into account to estimate the reliability of the detection - whether generic or manually added by an analyst at that vendor's research team. Potentially Unwanted Program/Adware detections may be concluded based on internal guidelines set by the vendor, which can call for further investigation (e.g. Malwarebytes have a set of public rules, and if a vendor goes against them then they get added as a PUP in detections).

2. Scan at Hybrid-Analysis or Malwr (sometimes, not always). This can provide some insight regarding how the sample works, but the logs annoy me sometimes because they are quite aggressive. Files being opened/accessed by Windows internally, but still by executing code within the process (even though it is not actually related to the author's code), will be flagged and put onto the alerts, which is the reason why I don't always like using these services. It can put me off-guard sometimes by making me look into something that I don't need to, or confuse me as to why a sample would be doing this. Same for registry access in general. However, it is still very useful to do in a lot of cases.

3. I perform static analysis but I keep it quite brief usually (brief in my opinion). I find the main entry-point set up by the author of the sample (it is usually fine to ignore initialisation stuff such as CRT setup, which eventually calls the main entry-point created by the author even though it is not the real "entry-point") and see what happens at run-time initially. I check references to Imports and see what function X is used for and what-not. Checking usage of Imports can also provide insight on whether the Import Address Table is actually faked or not (e.g. calls passing NULL for parameters to do absolutely nothing, just to add to the IAT). Signs of lots of junk code can be an indicator of suspicious activity, trying to throw an analyst in the wrong direction. I also look for the potential for various things such as anti-reversing techniques.

4. I perform dynamic analysis once the time is right. I set up break-points for APIs based on my thoughts and see what happens from there on. I also usually look out for dynamic imports; however, beware that break-pointing on LdrGetProcedureAddress/Ex is not always reliable because some samples may scan the Export Address Table for the target function address. Unless reflective DLL loading is being applied, break-pointing on LdrLoadDll is fine. Be cautious about which APIs you break-point on, because you can easily end up with hundreds of thousands, or in some of my own cases multiple millions, of API calls in the logs by mistake (Windows will internally call many functions when various Win32 API, or non-Nt*/Zw*, functions are called -> triggering many break-points you may have set for monitoring other things. For example, process execution will trigger APIs like NtAllocateVirtualMemory, NtCreateUserProcess, NtResumeThread, etc. related to the Windows Loader).

Most likely unrecommended, but you can manually detour APIs yourself if you know how. For example, if I don't see a specific function on the Imports but a custom detour for the function becomes triggered (using a proxy routine which simply redirects execution flow to the normal trampoline to pass the call without filtering & blocking anything) then I know a dynamic import was used for it, which can cause me to investigate further into why the call was made in the first place. (you can also develop features such as logs for the call stack to determine where the original call invoked from, and which function on which thread -> whether it was the program itself or related to Windows internally doing something for another action).

You can use Wireshark to monitor network activity but I've always been a sucker with networking and therefore I don't like Wireshark that much, even though I think it is great. Process Hacker itself has a networking tab to provide some insight, and software such as TCPView can be quite useful. Web debugging in general though can be helpful, and you can spoof an active internet connection to keep track of the attempted connections so you don't have to enable VPN and allow connections (which could be used related to a botnet if the sample happens to be one -> now you aren't assisting any malicious operations during analysis which is often overlooked by many-> sometimes it is required to allow a connection though to keep analysing further the activity).

Software like WinDbg/OllyDbg can be exceptionally helpful. WinDbg also has a good disassembler which I like, but my favourite has always been the one within Visual Studio. All in all, you can combine a mix of static and dynamic techniques to get nice documentation on the sample - when it comes to unpacking a debugger is very helpful (you can step -> dump to disk after the PE has decrypted in memory and re-build the Import Address Table and in some scenarios other things like the PE File Header should the sample do something like erase it before you dump to disk).

These are just my personal opinions; I like using software like IDA, API Monitor and some manual things. But I tend to do manual things like custom injection and redirection only if I feel it is essential, because I'd rather not waste my time when another tool can do it for me quickly and easily.

-------------------------------

I only just re-read your post and noticed I misunderstood; you weren't asking what I would do... You were asking what to say to your college/university! I'll keep the above anyway, just in case it helps you or someone else.

I would just note down results on the following for them.

1. Theory about how WannaCry works. There is a lot of online documentation, but don't copy-paste because they won't like that. Do a lot of reading and ensure you understand it, and then make a theory report based on your understandings. Afterwards, verify the information is correct and not containing many mistakes. A mistake here or there is perfectly fine and normal, we are only human. I make mistakes all the time as does everyone.

2. Static details about the sample. This can include suspicious strings, interesting Imports (e.g. explain what they may be used for), etc. You can check what various Imports are used for potentially with static analysis by checking references -> reverse engineering various function stubs. It can be tricky if it isn't very readable even in pseudo-code format.

3. If you're up for it, some dynamic analysis containing API logs. If you aren't a programmer and/or don't know how Windows APIs work then this is probably useless to attempt, because you sort of need some background in that to understand them properly and know how to configure this and that.

4. Information about whether the sample was packed, any other interesting information about it.

About the important conditional jumps, I do not even know what they are talking about, which may be embarrassing and make me look stupid. Malware samples like WannaCry had a large outbreak for a reason, due to being more sophisticated or coming out of nowhere with the unexpected, and WannaCry actually used a stolen NSA exploit (EternalBlue)... So... As long as the sample is really WannaCry, it will be difficult to analyse everything with static alone IMO. And there will be many instructions relating to CALL/JMP for various API calls and other internal function calls. So I am not really sure what your university expects you to do...

Maybe you could try asking your professor for more information or even help from him on understanding the assignment goal and learning more on how to do it. I'd have thought they would have explained well and taught you things before assigning a task with a random not-very-well-explained goal like that.

Did they actually ask you to do this on a WannaCry sample and provide it, or ...? Maybe I will understand better if you were able to elaborate, but if not no worries. :) I just want to help you more if I can instead of just leaving it with me not knowing what your assignment means.
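Added example (an editor's addition, not code from anyone in this thread) for the dynamic-import point in the post above: once you have an API-call log from a debugger or monitor, compare what actually ran against what the IAT declares. The log lines below are constructed in a simple one-call-per-line format (API Monitor's real export format differs and would need its own parser), and the static import set is likewise made up for the example.

```python
"""Correlate an API-call log with the static import table to spot dynamically resolved APIs."""
import re

# Constructed one-call-per-line log format for this example; real API Monitor or debugger
# logs look different and need their own parser.
LINE = re.compile(r'^#(\d+)\s+(\w+)\((.*)\)(?:\s*->\s*(\S+))?\s*$')
RESOLVERS = {"GetProcAddress", "LdrGetProcedureAddress"}
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW", "LdrLoadDll"}


def parse_log(lines):
    """Yield (seq, api, args, ret) for every well-formed line; ignore anything else."""
    for line in lines:
        m = LINE.match(line)
        if m:
            seq, api, args, ret = m.groups()
            yield int(seq), api, args, ret


def classify_calls(log_lines, static_imports):
    """Return ({api: how}, [dlls loaded at run time]) where how is
    'static'     - the API is in the Import Address Table,
    'getproc'    - its address was fetched by a logged GetProcAddress/LdrGetProcedureAddress,
    'unresolved' - it was called but never imported or resolved through a logged API
                   (manual Export Address Table walk, API hashing, or lookup by ordinal)."""
    resolved, loaded, result = set(), [], {}
    for _, api, args, _ in parse_log(log_lines):
        strings = re.findall(r'"([^"]*)"', args)
        if api in LOADERS and strings:
            loaded.append(strings[0])
        if api in RESOLVERS and strings:           # GetProcAddress(hModule, "Name")
            resolved.add(strings[-1])
        how = ("static" if api in static_imports else
               "getproc" if api in resolved else "unresolved")
        result.setdefault(api, how)                # first classification of an API wins
    return result, loaded


# Constructed sample data: the IAT of an imaginary dropper and a short trace of what it called.
STATIC_IMPORTS = {"LoadLibraryA", "GetProcAddress", "CreateProcessA", "CopyFileA", "ExitProcess"}
SAMPLE_LOG = [
    '#1 LoadLibraryA("advapi32.dll") -> 0x76a10000',
    '#2 GetProcAddress(0x76a10000, "RegCreateKeyExW") -> 0x76a3c5e0',
    '#3 RegCreateKeyExW(0x80000001, "Software\\Example", ...) -> 0',
    '#4 CopyFileA("dropper.exe", "C:\\Temp\\copy.exe", 0) -> 1',
    '#5 CreateProcessA("C:\\Temp\\copy.exe", ...) -> 1',
    '#6 WriteProcessMemory(0x1a4, 0x00400000, 0x0250f000, 4096) -> 1',
    'unparsable line from the monitor',
]

if __name__ == "__main__":
    classes, dlls = classify_calls(SAMPLE_LOG, STATIC_IMPORTS)
    print("DLLs loaded at run time:", dlls)
    for api, how in classes.items():
        print("%-20s %s" % (api, how))
```

RegCreateKeyExW comes out as getproc because the log shows the GetProcAddress that fetched it. WriteProcessMemory comes out as unresolved: it was called but is neither in the IAT nor resolved through any logged API, which is the case the post warns about, where a break-point on LdrGetProcedureAddress alone would miss a sample that walks the Export Address Table itself. Any API in the unresolved bucket is a reason to go back to the static side and look for an export-table walk or a hash comparison loop.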
 
