Malware Analysis/RE

Malware Report: Wannacry Ransomware

Wannacry is a ransomware that utilized the EternalBlue exploit to propagate through the targets network and attacked outdated Windows computers globally in May of 2017.

L0WK3Y
· 8 min read
Send by email

Apr 09, 2022 | L0WK3Y


Table of Contents

  1. Executive Report
  2. High-Level Technical Summary
  3. Malware Composition
  4. Static Analysis
  5. Dynamic Analysis
  6. Indicators of Compromise
  7. Yara Rules


Executive Summary

sha256: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c

Wannacry is a ransomware that utilized the EternalBlue exploit to propagate through the targets network and attacked outdated Windows computers globally in May of 2017. WannaCry was a multistage attack starting with a dropper which unpacked a payload onto the targets system under the right conditions. Once the files were encrypted, the threat actors demanded a ransom of $300 worth of Bitcoin. If the ransom is not paid in a specified amount of time, the ransom is increased to $600. This attack infected around 230,000 computers across 150 countries. Marcus Hutchins later discovered a kill switch that stalled the spread of the attack. Click here to view the full analysis report.


High-Level Technical Summary

WannaCry consist of 2 stages:

  1. The first stage being a dropper that tries to make contact with a suspicious URL that can be found in the strings hxxp[://]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com if a connection is established the program exits, if a connection is not established the program proceeds with the rest of the execution. Once the program proceeds with execution a service is created by the program mssecsvc2.0 and has the display name Microsoft Security Center (2.0) Service. The service also contains a path to the executable <PATH_TO_WANNACRY>\wannacry.exe -m security. During this stage the program will attempt to propagate by reaching out to a large range of IPv4 addresses.

  2. Stage two the payload is unpacked from the dropper and proceeds to create persistence mechanisms such as creating a folder in the C:\ProgramData\<GENERATED_STRING>\ directory and creating a file named tasksche.exe in the C:\Windows\ path and copying itself to the newly created directory. Once the file has been copied to the directory, a service is created and is named after the same generated string as the newly created folder and contains a path leading to the payload C:\ProgramData\<GENERATED_STRING>\tasksche.exe. After the service is created and the payload is executed the encryption process starts which changes the background image, drops instructions on how to decrypt the files and more in the generated directory.


Fig.0 Execution flow graph


Malware Composition

Item SHA-256 Hash
Ransomware.wannacry.exe 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
tasksche.exe ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
@WanaDecryptor@[.]exe b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
taskdl.exe 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
taskhsvc.exe e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb
taskse.exe 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
Item Description
Ransomware.wannacry.exe Initial file detonated
tasksche.exe The payload unpacked from the dropper
@WanaDecryptor@[.]exe The GUI application that is executed by tasksche after all files have been encrypted and handles ransom payment
taskdl.exe SQL Client Configuration Utility EXE
taskhsvc.exe Handles communication to TOR URL and other TOR activites
taskse.exe Waitfor - Wait/send a signal over a network


Static Analysis


The original file name can be found in the "Version" tab of PE Studio


Fig.1 Original filename of dropper.


Compiler time stamp reports Nov. 20, 2010 in PE Studio.


Fig.2 Image showing was date dropper was compiled.


Executable can be found in the .rsrc section of the dropper executable.


Fig.3 Image of executable in the .rsrc header of the dropper.



Fig.4 Payload found in the 00407ce0 function

Found a URL that the dropper tries to communicate with at the start of it's execution.



Fig.5 Reference to DNS query URL string.


A few imports of interest:


Fig.6 Imports of interest in the dropper.


Addresses to the bitcoin wallets can be found in the function starting at address 0x00401E9E within the tasksche.exe executable. BTC addresses are randomly selected.


Fig.7 Bitcoin addresses found in the payload



Dynamic Analysis


Dropper tries to reach out to the suspicious URL.



Fig.8 Dropper making DNS query to suspicious URL.


If the connection to the URL fails, the program proceeds and pushes two arguments to the stack <PATH_TO_WANNACRY> and -m security which are then passed as parameters to the CreateServiceA function. The strings mssecsvc2.0 and Microsoft Security Center (2.0) Service are also pushed to the stack in preparation for the creation of the service. The program proceeds to create a service named mssecsvc2.0 with the display name of Microsoft Security Center (2.0) Service. Below are images of the service being prepared and the service after creation.



Fig.9 Dropper creates service as a persistence mechanism


After the creation of the service the payload attempts to connect to a range of IPv4.


Fig.10 Service attempts to reach out to a range of IPv4.


A reference to the payload can be seen being pushed to the stack along with another string of interest can be found stepping through the dropper in x32dbg.


Fig.11 Reference to packed payload.


The payload is later unpacked on to the system in the C:\Windows directory and is executed.




Fig.12 Payload is unpacked by dropper.


The payload generates a string based on the host name of the system and creates a folder named after the generated string in the C:\ProgramData directory. After the creation of the directory a copy of the payload is moved to the directory.



Fig.13 Payload generates random string based on the system name, creates a folder in the C:\ProgramData directory with the generated name and copies the payload to the generated directory.


Along with the creation of the new directory a service is also created with the same generated name as the directory which uses cmd to execute tasksche as a persistence mechanism.


Fig.14 Service is created with the same name as the generated string.


A registry named WanaCrypt0r and registry key named wd are created with the key value set to the newly created directory in C:\ProgramData\<RANDOMLY_GENERATED_STRING>.



Fig.15 Registry key created by payload service.


After the payload has executed the @[email protected] executable is dropped along with various other files in the same directory as the payload's execution and creates a shortcut to the executable on the Desktop.


Fig.16 Files dropped from payload after encryption process has begun.


Lastly, the system background is changed and a GUI of the @[email protected] is displayed.



Fig.17 Background changed and GUI application displayed



Indicators of Compromise

Network Indicators


Dropper observed making DNS Query to suspicious domain.


Payload attempts establish contact with a range of IPv4 addresses.


Host Based Indicators


Payload is unpacked on to system in C:\Windows.

(Note) During the debugging process, there was a mention of a file in the directory C:\Windows named qeriuwjhrf but the file was never created.


Creation of services.



Creation of registry key.



Creation of files following the execution of the payload in the same directory as the execution. Along with files ending in the .WNCRY extension.

Background change and appearance of GUI application.




Yara Rules


rule wannacry_ruleset {
    meta:
    last_updated = "04-09-2022"
    author = "IAANSEC"
    description = "Yara rule to detect wannacry ransomware."
    hash256 = "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"

    strings:
        $MZ_byte = "MZ"
        $querydomain_killswitch = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea" ascii
        $weird_windows_dir_str = "qeriuwjhrf" ascii
        $reg_name = "WanaCrypt0r" ascii
        $service = "Microsoft Security Center (2.0) Service" ascii
        $payload = "tasksche" ascii
        $exe1 = "taskdl" ascii
        $exe2 = "taskse" ascii
        $import = "Crypt" ascii
        $str = "WNcry@2017" ascii
        $decrypt_exe = "@[email protected]" ascii
        $wnry = "wnry" ascii
        $decrypt = "decrypt" ascii
        $bitcoin = "bitcoin" ascii
        $btc_wallet1 = "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" fullword ascii
        $btc_wallet2 = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94" fullword ascii
        $btc_wallet3 = "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw" fullword ascii
        
    condition:
        $MZ_byte at 0 and
        5 of them     
}

Download The Full Report