WannaCry Ransomware Report

Apr 09, 2022 | L0WK3Y

Table of Contents

1. Executive Report
2. High-Level Technical Summary
3. Malware Composition
4. Static Analysis
5. Dynamic Analysis
6. Indicators of Compromise
7. Yara Rules

Executive Summary

sha256: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c

Wannacry is a ransomware that utilized the EternalBlue exploit to propagate through the targets network and attacked outdated Windows computers globally in May of 2017. WannaCry was a multistage attack starting with a dropper which unpacked a payload onto the targets system under the right conditions. Once the files were encrypted, the threat actors demanded a ransom of $300 worth of Bitcoin. If the ransom is not paid in a specified amount of time, the ransom is increased to $600. This attack infected around 230,000 computers across 150 countries. Marcus Hutchins later discovered a kill switch that stalled the spread of the attack. Click here to view the full analysis report.

High-Level Technical Summary

WannaCry consist of 2 stages:

1. The first stage being a dropper that tries to make contact with a suspicious URL that can be found in the strings hxxp[://]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com if a connection is established the program exits, if a connection is not established the program proceeds with the rest of the execution. Once the program proceeds with execution a service is created by the program mssecsvc2.0 and has the display name Microsoft Security Center (2.0) Service. The service also contains a path to the executable <PATH_TO_WANNACRY>\wannacry.exe -m security. During this stage the program will attempt to propagate by reaching out to a large range of IPv4 addresses.

2. Stage two the payload is unpacked from the dropper and proceeds to create persistence mechanisms such as creating a folder in the C:\ProgramData\<GENERATED_STRING>\ directory and creating a file named tasksche.exe in the C:\Windows\ path and copying itself to the newly created directory. Once the file has been copied to the directory, a service is created and is named after the same generated string as the newly created folder and contains a path leading to the payload C:\ProgramData\<GENERATED_STRING>\tasksche.exe. After the service is created and the payload is executed the encryption process starts which changes the background image, drops instructions on how to decrypt the files and more in the generated directory.

Fig.0 Execution flow graph

Malware Composition

Static Analysis

The original file name can be found in the "Version" tab of PE Studio

Fig.1 Original filename of dropper.

Compiler time stamp reports Nov. 20, 2010 in PE Studio.

Fig.2 Image showing was date dropper was compiled.

Executable can be found in the .rsrc section of the dropper executable.

Fig.3 Image of executable in the .rsrc header of the dropper.

Fig.4 Payload found in the 00407ce0 function

Found a URL that the dropper tries to communicate with at the start of it's execution.

Fig.5 Reference to DNS query URL string.

A few imports of interest:

Fig.6 Imports of interest in the dropper.

Addresses to the bitcoin wallets can be found in the function starting at address 0x00401E9E within the tasksche.exe executable. BTC addresses are randomly selected.

Fig.7 Bitcoin addresses found in the payload

Dynamic Analysis

Dropper tries to reach out to the suspicious URL.

Fig.8 Dropper making DNS query to suspicious URL.

If the connection to the URL fails, the program proceeds and pushes two arguments to the stack <PATH_TO_WANNACRY> and -m security which are then passed as parameters to the CreateServiceA function. The strings mssecsvc2.0 and Microsoft Security Center (2.0) Service are also pushed to the stack in preparation for the creation of the service. The program proceeds to create a service named mssecsvc2.0 with the display name of Microsoft Security Center (2.0) Service. Below are images of the service being prepared and the service after creation.

Fig.9 Dropper creates service as a persistence mechanism

After the creation of the service the payload attempts to connect to a range of IPv4.

Fig.10 Service attempts to reach out to a range of IPv4.

A reference to the payload can be seen being pushed to the stack along with another string of interest can be found stepping through the dropper in x32dbg.

Fig.11 Reference to packed payload.

The payload is later unpacked on to the system in the C:\Windows directory and is executed.

Fig.12 Payload is unpacked by dropper.

The payload generates a string based on the host name of the system and creates a folder named after the generated string in the C:\ProgramData directory. After the creation of the directory a copy of the payload is moved to the directory.

Fig.13 Payload generates random string based on the system name, creates a folder in the C:\ProgramData directory with the generated name and copies the payload to the generated directory.

Along with the creation of the new directory a service is also created with the same generated name as the directory which uses cmd to execute tasksche as a persistence mechanism.

Fig.14 Service is created with the same name as the generated string.

A registry named WanaCrypt0r and registry key named wd are created with the key value set to the newly created directory in C:\ProgramData\<RANDOMLY_GENERATED_STRING>.

Fig.15 Registry key created by payload service.

After the payload has executed the @WanaDecryptor@.exe executable is dropped along with various other files in the same directory as the payload's execution and creates a shortcut to the executable on the Desktop.

Fig.16 Files dropped from payload after encryption process has begun.

Lastly, the system background is changed and a GUI of the @WanaDecryptor@.exe is displayed.

Fig.17 Background changed and GUI application displayed

Indicators of Compromise

Network Indicators

Dropper observed making DNS Query to suspicious domain.

Payload attempts establish contact with a range of IPv4 addresses.

Host Based Indicators

Payload is unpacked on to system in C:\Windows.

(Note) During the debugging process, there was a mention of a file in the directory C:\Windows named qeriuwjhrf but the file was never created.

Creation of services.

Creation of registry key.

Creation of files following the execution of the payload in the same directory as the execution. Along with files ending in the .WNCRY extension.

Background change and appearance of GUI application.

Yara Rules

rule wannacry_ruleset {
    meta:
    last_updated = "04-09-2022"
    author = "IAANSEC"
    description = "Yara rule to detect wannacry ransomware."
    hash256 = "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"

    strings:
        $MZ_byte = "MZ"
        $querydomain_killswitch = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea" ascii
        $weird_windows_dir_str = "qeriuwjhrf" ascii
        $reg_name = "WanaCrypt0r" ascii
        $service = "Microsoft Security Center (2.0) Service" ascii
        $payload = "tasksche" ascii
        $exe1 = "taskdl" ascii
        $exe2 = "taskse" ascii
        $import = "Crypt" ascii
        $str = "WNcry@2017" ascii
        $decrypt_exe = "@WanaDecryptor@.exe" ascii
        $wnry = "wnry" ascii
        $decrypt = "decrypt" ascii
        $bitcoin = "bitcoin" ascii
        $btc_wallet1 = "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" fullword ascii
        $btc_wallet2 = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94" fullword ascii
        $btc_wallet3 = "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw" fullword ascii

    condition:
        $MZ_byte at 0 and
        5 of them     
}

Connect With Me 🙂