on May 15, 2017

WannaCrypt Malware Analysis

Last Friday, 12 May, a worm targeting outdated Windows machines was detected. The worm uses leaked NSA exploits to propagate and drops a variant of the WannaCrypt ransomware. This post gives an insight into the infection process and the spreading of the worm, together with some details about the cryptography. At the bottom you will find YARA rules to detect this sample.

 

Infection vector

The worm spreads using ETERNALBLUE, a leaked NSA exploit against SMBv1 (TCP port 445). The vulnerability was patched in MS17-010 two months before the outbreak, so this is not a 0-day, just a case of outdated Windows installs. Once a victim is infected, it starts scanning the subnet it is on and sends the same exploit to every vulnerable computer it finds. It does the same for the entire IPv4 range by continually probing random IP addresses. This process is explained in detail below.

 

Execution flow

The initial payload, delivered through the binary named mssecsvc.exe, runs as follows:

wannacrypt01

In short, the malware registers itself as a service, drops and starts the ransomware component that encrypts your files, and then scans your LAN and the entire IPv4 range for machines that might be vulnerable in order to spread itself further.

However, before doing any of that, the binary tries to open an HTTP connection to http://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. If the connection succeeds it simply exits without infecting the machine; only if it fails does it continue. This is probably a (poor) anti-sandbox technique rather than an intentional killswitch: sandboxes that fake DNS and answer every HTTP request make the connection succeed, and a deliberate killswitch would simply make no sense. Whatever the intent, the effect is that of a killswitch: once the domain was registered and sinkholed on 12 May, infected machines with direct internet access stopped at this check. Note that the check does not use the system proxy settings, so hosts that can only reach the internet through a proxy fail the connection and are infected regardless.

We have also detected patched variants in the wild that simply patch out (remove) the “killswitch”:

wannacrypt1

wannacrypt2

(top: patched, bottom: original)

However, the patched variant we analyzed carries a corrupt package (the encrypted ZIP file holding the ransomware files), so unpacking fails and the ransomware functionality never runs: nothing gets encrypted, the binary only spreads itself.

 

Worm – EternalBlue exploit

The worm spreads by attacking every machine on the LAN and on the Internet that it can reach over SMB (TCP 445). It starts one thread that attacks every IP on the LAN and another 128 threads that attack the entire IPv4 range. The LAN spreading logic looks like this:

diagrama-02

Similarly, the IPv4 range spreading logic looks like this:

wannacrypt04

Here we can see that it creates a single thread for the LAN and 128 threads for the whole IPv4 range:

wannacrypt05
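The two spreading loops above leave a distinctive network footprint: one host opening SMB connections to every address in its own /24 and, at the same time, to addresses scattered across unrelated /24s. The following Go program is an added example (not code from the original post or from Blueliv) of a detection that counts, per source host, the distinct port-445 destinations and the distinct /24 networks they fall into. The log format (`src dst dport`, one connection per line) and the hosts in ConstructedLog are constructed for the example; the LCG only stands in for the worm's random address generator.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"sort"
	"strings"
)

// Finding is one source host whose SMB connections look like the worm's scanner.
type Finding struct {
	Src     string
	Targets int // distinct destinations contacted on TCP 445
	Subnets int // distinct /24 networks among those destinations
}

// FindScanners reads "src dst dport" lines and reports sources whose port-445
// fan-out reaches minTargets distinct hosts across at least minSubnets /24s.
// The LAN thread alone yields many targets inside one /24; the 128 Internet
// threads add targets in many unrelated /24s, so both counters are reported.
func FindScanners(log string, minTargets, minSubnets int) []Finding {
	targets := map[string]map[string]struct{}{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || f[2] != "445" || net.ParseIP(f[1]) == nil {
			continue // malformed line or not SMB
		}
		if targets[f[0]] == nil {
			targets[f[0]] = map[string]struct{}{}
		}
		targets[f[0]][f[1]] = struct{}{}
	}
	var out []Finding
	for src, dsts := range targets {
		subnets := map[string]struct{}{}
		for d := range dsts {
			if ip := net.ParseIP(d).To4(); ip != nil {
				subnets[ip.Mask(net.CIDRMask(24, 32)).String()] = struct{}{}
			}
		}
		if len(dsts) >= minTargets && len(subnets) >= minSubnets {
			out = append(out, Finding{src, len(dsts), len(subnets)})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Src < out[j].Src })
	return out
}

// ConstructedLog builds a synthetic connection log (not real telemetry):
// 10.0.0.5 behaves like an infected host, 10.0.0.9 like an ordinary client.
func ConstructedLog() string {
	var b strings.Builder
	line := func(src, dst string, port int) { fmt.Fprintf(&b, "%s %s %d\n", src, dst, port) }
	for i := 1; i <= 40; i++ { // LAN thread: walks the local /24
		line("10.0.0.5", fmt.Sprintf("10.0.0.%d", i), 445)
	}
	x := uint32(2017)
	for i := 0; i < 60; i++ { // Internet threads: pseudo-random addresses (LCG stands in for the worm's RNG)
		x = x*1664525 + 1013904223
		line("10.0.0.5", fmt.Sprintf("%d.%d.%d.%d", 1+(x>>24)%200, (x>>16)&255, (x>>8)&255, x&255), 445)
	}
	for i := 0; i < 5; i++ { // normal client: repeated sessions to one file server
		line("10.0.0.9", "10.0.0.2", 445)
	}
	line("10.0.0.9", "10.0.0.3", 445)
	line("10.0.0.9", "8.8.8.8", 53)
	return b.String()
}

func main() {
	for _, f := range FindScanners(ConstructedLog(), 20, 5) {
		fmt.Printf("%s: %d SMB targets across %d /24 networks\n", f.Src, f.Targets, f.Subnets)
	}
}
```

The two thresholds are deliberately separate: a host that reaches 20 distinct SMB targets in a single /24 may be a legitimate file-server client or an administrator's scanner, but a workstation reaching dozens of /24s on port 445 has no business doing so and matches the worm's Internet threads. Tune minTargets against your own baseline of normal SMB fan-out.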

 

Cryptography

The encrypted file structure looks like this:

tabla

And the C structure would look like:

#include <stdint.h>

#define STD_KEY_LENGTH 256   /* one RSA-2048 ciphertext: the wrapped per-file AES key */

#pragma pack(push, 1)        /* on-disk layout, no compiler padding */
struct wannacry_encrypted_file {
    char          magic[8];              /* file signature */
    uint32_t      key_length;            /* length of key[], 256 */
    unsigned char key[STD_KEY_LENGTH];   /* per-file AES key, encrypted with the RSA-2048 public key */
    uint32_t      file_action;           /* type/flag field */
    uint64_t      file_size;             /* original (plaintext) file size */
    unsigned char encrypted_buffer[];    /* AES-CBC ciphertext, runs to the end of the file */
};
#pragma pack(pop)

The encryption logic looks like this:

wannacrypt07

In short: for every infected machine, do the following:

  • Generate a new RSA-2048 keypair
  • Loop through all the files to encrypt
    • Generate a new AES key (128-bit)
    • Encrypt the file (CBC mode)
    • Encrypt the AES key with the RSA-2048 public key
  • Encrypt the private key of the newly generated RSA-2048 keypair with the malware author’s public key
  • Save to file 00000000.eky
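The program below is an added example, written for this post and not code from the original analysis or from the malware, that implements both the file layout from the C structure above and the per-machine key hierarchy from the list: the encrypted file carries the 8-byte magic (WANACRY!), the RSA-wrapped AES-128 key, the flag field and the plaintext size, and the victim's RSA private key is stored in that same format under the operator's public key (the 00000000.eky file). Go's RSA PKCS#1 v1.5 and AES-CBC stand in for the Windows CryptoAPI calls the real sample uses, a PKCS#1 DER key stands in for the CryptoAPI key blob, and the zero IV and zero padding are this example's assumptions; it is therefore not byte-compatible with files produced by the real sample. All file contents are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	Magic      = "WANACRY!"                // 8-byte signature at offset 0
	keyLength  = 256                       // STD_KEY_LENGTH: one RSA-2048 ciphertext
	headerSize = 8 + 4 + keyLength + 4 + 8 // everything before encrypted_buffer
)

// Header is the fixed part of struct wannacry_encrypted_file after the magic (little-endian on disk).
type Header struct {
	KeyLength  uint32          // always keyLength
	Key        [keyLength]byte // per-file AES key, RSA PKCS#1 v1.5 encrypted
	FileAction uint32          // opaque flag field, carried unchanged
	FileSize   uint64          // plaintext length; the ciphertext is block-padded
}

// Encrypt writes one file in the layout above: fresh AES-128 key, AES-CBC over the
// zero-padded plaintext, key wrapped with pub. Zero IV and zero padding are this
// example's assumptions; the page does not document either.
func Encrypt(pub *rsa.PublicKey, plaintext []byte, action uint32) ([]byte, error) {
	aesKey := make([]byte, 16)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, pub, aesKey)
	if err != nil || len(wrapped) != keyLength {
		return nil, fmt.Errorf("wrapping AES key (need RSA-2048): %v", err)
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	padded := make([]byte, (len(plaintext)+aes.BlockSize-1)/aes.BlockSize*aes.BlockSize)
	copy(padded, plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, padded)
	h := Header{KeyLength: keyLength, FileAction: action, FileSize: uint64(len(plaintext))}
	copy(h.Key[:], wrapped)
	out := bytes.NewBufferString(Magic)
	if err := binary.Write(out, binary.LittleEndian, &h); err != nil {
		return nil, err
	}
	return append(out.Bytes(), ct...), nil
}

// Parse checks the magic and size consistency before any field is trusted.
func Parse(data []byte) (*Header, []byte, error) {
	if len(data) < headerSize || string(data[:8]) != Magic {
		return nil, nil, errors.New("not a WANACRY! file")
	}
	var h Header
	if err := binary.Read(bytes.NewReader(data[8:headerSize]), binary.LittleEndian, &h); err != nil {
		return nil, nil, err
	}
	ct := data[headerSize:]
	if h.KeyLength != keyLength || len(ct)%aes.BlockSize != 0 || uint64(len(ct)) < h.FileSize {
		return nil, nil, fmt.Errorf("inconsistent header: key_length=%d file_size=%d ct=%d", h.KeyLength, h.FileSize, len(ct))
	}
	return &h, ct, nil
}

// Decrypt unwraps the AES key with priv and uses file_size to strip the padding.
func Decrypt(priv *rsa.PrivateKey, data []byte) ([]byte, error) {
	h, ct, err := Parse(data)
	if err != nil {
		return nil, err
	}
	aesKey, err := rsa.DecryptPKCS1v15(nil, priv, h.Key[:])
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	return pt[:h.FileSize], nil
}

// Infect models one machine: fresh RSA-2048 keypair, every file encrypted under its
// public key, then that private key stored in the same format under the operator's
// public key (00000000.eky). PKCS#1 DER stands in for the CryptoAPI blob the sample exports.
func Infect(operatorPub *rsa.PublicKey, files map[string][]byte) (eky []byte, encrypted map[string][]byte, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	encrypted = make(map[string][]byte, len(files))
	for name, content := range files {
		if encrypted[name], err = Encrypt(&priv.PublicKey, content, 0); err != nil {
			return nil, nil, err
		}
	}
	eky, err = Encrypt(operatorPub, x509.MarshalPKCS1PrivateKey(priv), 0)
	return eky, encrypted, err
}

// Recover is the step only the operator can perform: open the .eky with the operator's
// private key, then decrypt a file with the recovered victim key.
func Recover(operatorPriv *rsa.PrivateKey, eky, file []byte) ([]byte, error) {
	der, err := Decrypt(operatorPriv, eky)
	if err != nil {
		return nil, err
	}
	victimPriv, err := x509.ParsePKCS1PrivateKey(der)
	if err != nil {
		return nil, err
	}
	return Decrypt(victimPriv, file)
}

func main() {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	eky, enc, _ := Infect(&operator.PublicKey, map[string][]byte{"notes.txt": []byte("constructed sample")})
	pt, err := Recover(operator, eky, enc["notes.txt"])
	fmt.Printf("eky=%d bytes, recovered %q, err=%v\n", len(eky), pt, err)
}
```

The practical consequence of this hierarchy is visible in Recover: the victim's public key, which is all that is left on disk in the clear, decrypts nothing, and the per-file AES keys are only reachable through the victim's private key, which in turn is only reachable through the operator's private key. Without the latter, the only things a defender can still do are parse the header (to inventory what was hit and how large the originals were) and, for samples where the private key never left process memory, try to recover it from a memory dump.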

 

Targeted file extensions:

.doc, .docx, .docb, .docm, .dot, .dotm, .dotx, .xls, .xlsx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .ppt, .pptx, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .pst, .ost, .msg, .eml, .edb, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .jpeg, .jpg, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

 

Screenshots

wannacrypt08

wannacrypt09

YARA rules

rule wannacry_static_ransom : wannacry_static_ransom {
    meta:
        description = "Detects WannaCryptor spread during the 2017-May-12th campaign and variants"
        author = "Blueliv"
        reference = "https://www.blueliv.com/research/wannacrypt-malware-analysis/"
        date = "2017-05-15"
    strings:
        $mutex01 = "Global\\MsWinZonesCacheCounterMutexA" ascii
        $lang01 = "m_bulgarian.wnr" ascii
        $lang02 = "m_vietnamese.wnry" ascii
        $startarg01 = "StartTask" ascii
        $startarg02 = "TaskStart" ascii
        $startarg03 = "StartSchedule" ascii
        $wcry01 = "WanaCrypt0r" ascii wide
        $wcry02 = "WANACRY" ascii
        $wcry03 = "WANNACRY" ascii
        $wcry04 = "WNCRYT" ascii wide
        $forig01 = ".wnry\x00" ascii
        $fvar01 = ".wry\x00" ascii
    condition:
        ($mutex01 or any of ($lang*)) and ($forig01 or all of ($fvar*)) and any of ($wcry*) and any of ($startarg*)
}


rule wannacry_memory_ransom : wannacry_memory_ransom {
    meta:
        description = "Detects WannaCryptor spread during the 2017-May-12th campaign and variants, in memory"
        author = "Blueliv"
        reference = "https://www.blueliv.com/research/wannacrypt-malware-analysis/"
        date = "2017-05-15"
    strings:
        $s01 = "%08X.eky"
        $s02 = "%08X.pky"
        $s03 = "%08X.res"
        $s04 = "%08X.dky"
        $s05 = "@WanaDecryptor@.exe"
    condition:
        all of them
}


rule worm_ms17_010 : worm_ms17_010 {
    meta:
        description = "Detects the worm used during the 2017-May-12th WannaCry campaign, which is based on ETERNALBLUE"
        author = "Blueliv"
        reference = "https://www.blueliv.com/research/wannacrypt-malware-analysis/"
        date = "2017-05-15"
    strings:
        $s01 = "__TREEID__PLACEHOLDER__" ascii
        $s02 = "__USERID__PLACEHOLDER__@" ascii
        $s03 = "SMB3"
        $s05 = "SMBu"
        $s06 = "SMBs"
        $s07 = "SMBr"
        $s08 = "%s -m security" ascii
        $s09 = "%d.%d.%d.%d"
        // "Windows 2000 2195" as UTF-16LE, including the terminating null
        $payloadwin2000_2195 = "\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00"
        // "Windows 2000 5.0" as UTF-16LE, including the terminating null
        $payload2000_50 = "\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00\x2e\x00\x30\x00\x00\x00"
    condition:
        all of them
}

Protection

Installing the MS17-010 patch is critical. The infection requires no user interaction, and machines that are not directly exposed to the internet are not safe either: a single infected internal host gives the worm a foothold from which it attacks every machine it can reach on the internal network. Where patching is not immediately possible, disabling SMBv1 and blocking TCP port 445 at the perimeter and between network segments removes the path the exploit needs.

A second version of the devastating WannaCry ransomware, one that does not contain the “kill switch”, is expected to be released by the attackers, putting more computers at risk.

We expect other variants of WannaCry to emerge and infect computers. As part of the Blueliv Threat Exchange Network, we make our online malware analysis sandbox available for free so that you can check potentially WannaCry-related files and keep your business from being infected by the coming WannaCry attacks.

First, register in the Blueliv community, then click on the sandbox icon. Once you are in the sandbox interface, you can upload the sample:

malware sandbox analysis upload screenshot

The sample takes only a few minutes to be analyzed. As an example, here are two snapshots of one of the WannaCry hashes analyzed:

Wannacry Malware Sandbox Analysis screenshot

Wannacry Malware Sandbox Analysis

 

Hashes and IOCs

Original binary: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c

Patched binary: 07c44729e2c570b37db695323249474831f5861d45318bf49ccf5d2f5c8ea1cd

Blueliv Community Sandbox: https://community.blueliv.com/#!/s/5915f47582df411402e55726

Blueliv Community Sandbox: https://community.blueliv.com/#!/s/591997a682df41140be543c4

