WannaCry Ransomware analysis

WannaCry, also known as WanaCrypt or Wanacrypt0r 2.0, is ransomware used in a worldwide cyberattack that started on the 13th of May 2017. The malware spreads over the internet using a known exploit called Eternal Blue. Because of this exploit, more than 300k computers have been infected in over 150 countries. Eternal Blue exploits a vulnerability in the SMB protocol that affects Windows operating systems without the MS17-010 patch. The exploit was developed by the NSA and stolen by a group of hackers called “Shadow Brokers”.
The main goal of this malware is to encrypt data on every infected computer and ask the user to pay a ransom to get the data back.

 

WannaCry Execution flow

The diagram below gives an overview of how WannaCry spreads and damages systems:
[Diagram: WannaCry execution flow overview]


Initial infection

The initial infection may have been performed with the Eternal Blue exploit or by sending phishing e-mails, but no such e-mail has been found to prove this. As detailed later, once the malware is running it can spread to and infect any vulnerable and reachable computer on the internet, which is why a phishing campaign was not necessary.

In both cases, an executable is dropped on the computer and executed to start the attack.

SAFE-Cyberdefense SAFE Endpoint will block this step of the attack
A malicious file sent by e-mail will be analyzed, detected as malicious and blocked.
Thanks to the policy system, applications and programs have limited access to the network, so the malicious program will not be able to spread over the network.


Execute mssecsvc.exe

The first step of the attack is to execute a new executable on the machine called “mssecsvc.exe”.

Filename: mssecsvc.exe
Filetype: Executable
Size (bytes): 3 723 264
Compilation date: 20 November 2010
MD5: db349b97c37d22f5ea1d1841e3c89eb4
SHA1: e889544aff85ffaf8b0d0da705105dee7c97fe26
SHA256: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
Signature: None
VirusTotal: mssecsvc.exe
Information about mssecsvc.exe

SAFE-Cyberdefense SAFE Endpoint will block this step of the attack
The analysis engine will detect this file as malicious and the process will never be created.


Sandbox evasion

The first action of the malware is to check whether it is running in an analysis environment. To do this, the malware contacts an unregistered domain; if a response is received, the malware assumes it is running in a sandbox.
In a real, legitimate environment with a real internet connection, this domain does not resolve and the malware continues its execution normally.
Some sandboxing solutions use fake network tools such as FakeNet to let the malware perform its network actions while monitoring them, but in that case every DNS request receives a reply. When the malware receives a reply, it terminates itself to avoid detection by the analysis system.

The malware tries to contact the URL “http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com/” and checks whether it responds.

[Figure: WannaCry sandbox bypass implementation]

The URL should not respond, otherwise the malware will consider it as a sandbox environment and will stop the infection.
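Because the check above is a DNS lookup followed by an HTTP request, resolver logs are the quickest way to find hosts that executed mssecsvc.exe, and the answer the host got tells the responder what happened next. The triage function below is an added example written for this analysis, not code from the original page or from SAFE-Cyberdefense; the log format and the sample lines are constructed assumptions. It also shows why a sandbox that answers every DNS query (the FakeNet case) records nothing beyond the first lookup: the sample lands in the "resolved" branch and exits.

```python
import re

# The kill-switch domain quoted above, kept defanged in source and un-defanged at runtime.
KILL_SWITCH = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com".replace("[.]", ".")

# Constructed resolver log lines in an assumed "timestamp client qname rcode" format.
SAMPLE_DNS_LOG = """\
2017-05-13T08:01:12Z 10.0.0.21 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-13T08:01:13Z 10.0.0.21 intranet.example.com NOERROR
2017-05-13T08:02:40Z 10.0.0.37 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR
2017-05-13T08:03:01Z 10.0.0.50 www.example.com NOERROR
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def triage_kill_switch_queries(log_text):
    """Return {client: verdict} for every client that queried the kill-switch domain.

    NXDOMAIN  -> the check failed, so mssecsvc.exe kept running: spreading and
                 encryption followed; isolate this host first.
    any other -> the name resolved; if the HTTP request then succeeded the sample
                 exited, but the dropper still ran on that host, so it still needs
                 the MS17-010 patch and a cleanup.
    """
    verdicts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        _ts, client, qname, rcode = m.groups()
        if qname.lower().rstrip(".") != KILL_SWITCH:
            continue
        if rcode.upper() == "NXDOMAIN":
            verdicts[client] = "INFECTION_PROCEEDED"
        elif verdicts.get(client) != "INFECTION_PROCEEDED":
            # never downgrade a host that already got an NXDOMAIN answer
            verdicts[client] = "RESOLVED_SAMPLE_LIKELY_EXITED"
    return verdicts
```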

SAFE-Cyberdefense SAFE Endpoint will block this step of the attack
Thanks to the policy system, applications and programs have limited access to the network.


Create and execute the service mssecsvc2.0

For persistence purposes, a new service called “mssecsvc2.0” is created. The service is created with the additional parameters “-m security”.
This service is responsible for the lateral movement process that spreads the malware to vulnerable computers.

[Figure: WannaCry fake Microsoft service persistence; mssecsvc2.0 service configuration]

The main process starts the service and continues its execution to perform the data encryption.

SAFE-Cyberdefense SAFE Endpoint will block this step of the attack
The analysis engine will detect this file as malicious and the process will never be executed.


Lateral movement

To spread, the service uses two different methods, each started in its own thread. The first one scans the local network and exploits every vulnerable computer using the Eternal Blue exploit.

[Figure: WannaCry Eternal Blue exploit capture; local SMB exploitation attempt]

The second thread performs lateral movement by targeting random public IP addresses, trying about 25 IP addresses per second. This propagation method could explain why no phishing e-mail has been found. WannaCry spreads very easily because of this implementation: any vulnerable computer accepting SMB connections from the internet can be infected.

[Figure: WannaCry internet lateral movement; internet scan on random Internet IPs]
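The two threads described above leave a distinctive footprint in flow or firewall logs: one source reaching dozens of distinct port-445 peers per second, split between its own subnet and random Internet addresses. The detector below is an added example written for this analysis, not code from the original page or from SAFE-Cyberdefense; the flow records, the internal range (10.0.0.0/8) and the alert threshold are constructed assumptions, and the Internet targets use the 203.0.113.0/24 documentation range.

```python
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed: the organisation's own range
SMB_PORT = 445
PEERS_PER_SEC = 10  # assumed alert threshold; WannaCry tries about 25 Internet IPs per second


def build_sample_flows():
    """Constructed flow records (epoch_sec, src_ip, dst_ip, dst_port), not real traffic."""
    flows = []
    for sec in range(3):                       # thread 2: random Internet targets, 25/s
        for i in range(25):
            flows.append((1000 + sec, "10.0.0.21", f"203.0.113.{sec * 25 + i}", SMB_PORT))
    for host in range(1, 41):                  # thread 1: sweep of the local subnet
        flows.append((1001, "10.0.0.21", f"10.0.0.{host}", SMB_PORT))
    for sec in range(10):                      # benign: one client talking to one file server
        flows.append((1000 + sec, "10.0.0.50", "10.0.0.5", SMB_PORT))
    return flows


def detect_smb_scanners(flows, threshold=PEERS_PER_SEC):
    """Return {src: {"peak_per_sec", "internal", "external"}} for every source that
    reaches more than `threshold` distinct port-445 peers within a single second."""
    per_sec = defaultdict(set)                 # (src, sec) -> distinct destinations
    reached = defaultdict(lambda: {"internal": set(), "external": set()})
    for sec, src, dst, dport in flows:
        if dport != SMB_PORT:
            continue
        per_sec[(src, sec)].add(dst)
        scope = "internal" if ipaddress.ip_address(dst) in LOCAL_NET else "external"
        reached[src][scope].add(dst)
    alerts = {}
    for (src, sec), dsts in per_sec.items():
        if len(dsts) > threshold:
            entry = alerts.setdefault(src, {"peak_per_sec": 0})
            entry["peak_per_sec"] = max(entry["peak_per_sec"], len(dsts))
    for src, entry in alerts.items():          # how far the scanner got, by scope
        entry["internal"] = len(reached[src]["internal"])
        entry["external"] = len(reached[src]["external"])
    return alerts
```

The split between internal and external peers matters for response: internal hits are the hosts to check for MS17-010 first, external hits are what egress filtering on port 445 should have stopped.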

SAFE-Cyberdefense SAFE Endpoint will block this step of the attack
Thanks to the policy system, applications and programs have limited access to the network.


Execute tasksche.exe

The binary “tasksche.exe” is extracted from the resources of the main process (mssecsvc.exe) and executed with the “/i” argument.

Filename: tasksche.exe
Filetype: Executable
Size (bytes): 3 514 368
Compilation date: 01 August 2017
MD5: 84c82835a5d21bbcf75a61706d8ab549
SHA1: 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
Signature: None
VirusTotal: tasksche.exe
Information about tasksche.exe

For persistence purposes, this binary copies itself into a folder under ProgramData whose pseudo-random name is derived from the computer name: C:\ProgramData\swjwogwnbof758\tasksche.exe

The program then creates and executes a service that uses the same randomly generated string as its name.

[Figure: WannaCry tasksche service details; service with random name created by tasksche.exe]

After starting the service, the main tasksche process checks whether the mutex “Global\MsWinZonesCacheCounterMutexA” exists. This mutex is used to check whether the process is already running; if it exists, the process terminates itself.

The new service creates a registry key “HKLM\SOFTWARE\WanaCrypt0r\wd” (or “HKCU\SOFTWARE\WanaCrypt0r\wd” when not running as admin) with the path of the current process as its value. This key saves the path so it can be reloaded when the process starts again.

A ZIP resource is extracted into the current folder; this file is password protected with the password “WNcry@2ol7”.

b.wnry: new wallpaper set by the malware
c.wnry: configuration file
r.wnry: FAQ about the situation
s.wnry: ZIP file with Tor inside
t.wnry: encrypted file
u.wnry: Windows binary file
msg: folder with payment instructions in multiple languages as RTF files
taskdl.exe: Windows binary file
taskse.exe: Windows binary file
Content of the ZIP file (resource named 'XIA') extracted by tasksche.exe with the password "WNcry@2ol7"

The hidden attribute is set to the current folder.

attrib +h .

The ACLs are modified to allow everyone full access to the current folder (the analysis shows the command with the typo “icalcs”; the tool is icacls):

icacls . /grant Everyone:F /T /C /Q

SAFE-Cyberdefense SAFE Endpoint will block this step of the attack
The analysis engine will detect this file as malicious and the process will never be executed.


Load a DLL in memory to encrypt personal data

The file “t.wnry” extracted from the resources of tasksche.exe is an AES-encrypted DLL containing the cryptographic part of the ransomware.

Filename: t.wnry
Filetype: wnry
Size (bytes): 65 816
Compilation date: None
MD5: 5dcaac857e695a65f5c3ef1441a73a8f
SHA1: 7b10aaeee05e7a1efb43d9f837e9356ad55c07dd
SHA256: 97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6
Signature: None
VirusTotal: t.wnry
Information about t.wnry

The DLL is decrypted, mapped into memory, and its import address table (IAT) is rebuilt to obtain the final DLL.

Filename: None
Filetype: DLL
Size (bytes): 65 536
Compilation date: 14 July 2009
MD5: f351e1fcca0c4ea05fc44d15a17f8b36
SHA1: 7d36a6aa8cb6b504ee9213c200c831eb8d4ef26b
SHA256: 1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830
Signature: None
VirusTotal: Decrypted DLL
Information about the decrypted DLL

Once the DLL is loaded, the targeted files are encrypted using AES. Below is the list of targeted extensions:
.der .pfx .key .crt .csr .p12 .pem .odt .ott .sxw .stw .uot .3ds .max .3dm .ods .ots .sxc .stc .dif .slk .wb2 .odp .otp .sxd .std .uop .odg .otg .sxm .mml .lay .lay6 .asc .sqlite3 .sqlitedb .sql .accdb .mdb .db .dbf .odb .frm .myd .myi .ibd .mdf .ldf .sln .suo .cs .c .cpp .pas .h .asm .js .cmd .bat .ps1 .vbs .vb .pl .dip .dch .sch .brd .jsp .php .asp .rb .java .jar .class .sh .mp3 .wav .swf .fla .wmv .mpg .vob .mpeg .asf .avi .mov .mp4 .3gp .mkv .3g2 .flv .wma .mid .m3u .m4u .djvu .svg .ai .psd .nef .tiff .tif .cgm .raw .gif .png .bmp .jpg .jpeg .vcd .iso .backup .zip .rar .7z .gz .tgz .tar .bak .tbk .bz2 .PAQ .ARC .aes .gpg .vmx .vmdk .vdi .sldm .sldx .sti .sxi .602 .hwp .snt .onetoc2 .dwg .pdf .wk1 .wks .123 .rtf .csv .txt .vsdx .vsd .edb .eml .msg .ost .pst .potm .potx .ppam .ppsx .ppsm .pps .pot .pptm .pptx .ppt .xltm .xltx .xlc .xlm .xlt .xlw .xlsb .xlsm .xlsx .xls .dotx .dotm .dot .docm .docb .docx .doc

Encrypted files will be renamed with the “.WNCRY” extension and a ransom note will be dropped at each location where files have been encrypted.
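The rename-to-.WNCRY behaviour described above is itself a usable detection signal: a single process renaming many files, across several folders, whose original extensions are in the targeted list. The burst detector below is an added example written for this analysis, not code from the original page or from SAFE-Cyberdefense; the file-event format, the thresholds and the sample events are constructed assumptions, and TARGETED holds only a handful of the extensions listed above.

```python
import ntpath
from collections import defaultdict, deque

TARGETED = {".docx", ".xlsx", ".pdf", ".jpg", ".sql", ".zip", ".key", ".pem"}  # subset of the list above
WINDOW_SEC, MIN_FILES, MIN_DIRS = 60, 20, 3  # assumed tuning values


def build_sample_events():
    """Constructed file-rename events (epoch_sec, pid, old_path, new_path), not real telemetry."""
    events = []
    dirs = [r"C:\Users\alice\Documents", r"C:\Users\alice\Pictures", r"D:\shares\finance"]
    for i in range(30):                                   # one process, 30 files, 3 folders
        old = rf"{dirs[i % len(dirs)]}\file{i}{'.docx' if i % 2 else '.jpg'}"
        events.append((5000 + i, 4242, old, old + ".WNCRY"))
    events.append((5010, 777, r"C:\Users\bob\draft.docx", r"C:\Users\bob\final.docx"))  # benign
    events.append((5011, 777, r"C:\Users\bob\a.txt", r"C:\Users\bob\b.txt"))            # benign
    return events


def detect_wncry_bursts(events):
    """Flag pids that rename >= MIN_FILES files to .WNCRY across >= MIN_DIRS folders
    within WINDOW_SEC seconds; returns {pid: {"files", "folders", "targeted_ext"}}."""
    by_pid = defaultdict(list)
    for ts, pid, old, new in events:
        if new.upper().endswith(".WNCRY"):
            by_pid[pid].append((ts, old))
    alerts = {}
    for pid, items in by_pid.items():
        items.sort()
        window = deque()                                  # sliding window of (ts, old_path)
        for ts, old in items:
            window.append((ts, old))
            while ts - window[0][0] > WINDOW_SEC:
                window.popleft()
            if len(window) < MIN_FILES:
                continue
            folders = {ntpath.dirname(p) for _, p in window}   # ntpath: Windows paths on any OS
            if len(folders) >= MIN_DIRS:
                hit = sum(1 for _, p in window if ntpath.splitext(p)[1].lower() in TARGETED)
                alerts[pid] = {"files": len(window), "folders": len(folders), "targeted_ext": hit}
                break                                     # first qualifying window is enough
    return alerts
```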

SAFE Endpoint will block this step of the attack
The data protection provided by the agent protects data files against malicious access.


Execute @WanaDecryptor@.exe

@WanaDecryptor@.exe is the WannaCry user interface; it gives information about the payment procedure required to decrypt the targeted data.

Filename: @WanaDecryptor@.exe
Filetype: Executable
Size (bytes): 245 760
Compilation date: 14 July 2009
MD5: 7bf2b57f2a205768755c07f238fb32cc
SHA1: 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256: b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
Signature: None
VirusTotal: @WanaDecryptor@.exe
Information about @WanaDecryptor@.exe

 

[Figure: WannaCry user interface; WanaDecryptor user interface]

The decryptor asks for a ransom of $300 to decrypt all encrypted files.
After 3 days, the ransom rises to $600.
After 7 days, the encrypted data will be destroyed.

To pay the ransom, a bitcoin address is provided. The bitcoin address comes from the file c.wnry which contains three different bitcoin addresses:

Currently (May 2017), the total number of bitcoins received on these addresses is 52, which represents a total amount of $104,000.

The Windows API function SystemParametersInfo is then called to change the wallpaper and give some information about the procedure to get the data back.

[Figure: WannaCry wallpaper; wallpaper set by WannaCry]

To perform the payment checks, a ZIP containing a Tor bundle is extracted. The Tor process tor.exe is then copied as taskhsvc.exe and executed.

SAFE Endpoint will block this step of the attack
The analysis engine will detect this file as malicious and the process will never be executed.


Start a Tor connection by executing taskhsvc.exe

This process connects to Tor in order to retrieve the private key once the payment is validated. The config file c.wnry stores a list of onion servers.

Filename: taskhsvc.exe
Filetype: Executable
Size (bytes): 3 098 624
Compilation date: 01 January 2000
MD5: fe7eb54691ad6e6af77f8a9a0b6de26d
SHA1: 53912d33bec3375153b7e4e68b78d66dab62671a
SHA256: e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb
Signature: None
VirusTotal: taskhsvc.exe
Information about taskhsvc.exe

Onion URLs extracted from c.wnry:

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion

SAFE Endpoint will block this step of the attack
Thanks to the policy system, applications and programs have limited access to the network.


Persistence mechanism

The decryptor creates a shortcut at the same location as the encrypted files using a batch script that writes and executes a VBScript file:

@echo off
echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs
echo SET om = ow.CreateShortcut("@WanaDecryptor@.exe.lnk")>> m.vbs
echo om.TargetPath = "@WanaDecryptor@.exe">> m.vbs
echo om.Save>> m.vbs
cscript.exe //nologo m.vbs
del m.vbs

The executable that loads and starts the ransomware DLL is set to run at boot using the following command:

cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "[ID]" /t REG_SZ /d "\"tasksche.exe\"" /f

SAFE Endpoint will block this step of the attack
The SAFE Agent limits access to Cmd and other administration tools to prevent malicious activities.


Backup corruption

To force the user to pay the ransom, Windows backups are deleted and the Windows automatic repair tool is disabled.
To do this, the following command line is executed by @WanaDecryptor@.exe:

Cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Delete file backups using vssadmin and wmic:
vssadmin delete shadows /all /quiet & wmic shadowcopy delete

Disable automatic repair at Windows boot with bcdedit:
bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no &

Delete backup catalogs using wbadmin:
wbadmin delete catalog -quiet
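The command lines quoted in this section, in the persistence section (the reg add to the Run key) and in the tasksche.exe section (attrib +h and icacls) are all launched through cmd.exe, so a process-creation log is the natural place to catch them; a single cmd.exe /c chain carries several of them joined by "&". The triage function below is an added example written for this analysis, not code from the original page or from SAFE-Cyberdefense; the event format and the sample events are constructed assumptions, and the Run value name is a placeholder where the page has "[ID]".

```python
import re

# One pattern per behaviour quoted in the analysis; "(\.exe)?" accepts either spelling.
INDICATORS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(
        r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "backup_catalog_deleted": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    "run_key_persistence": re.compile(
        r'reg(\.exe)?\s+add\s+"?HK(CU|LM)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run', re.I),
    "staging_folder_hidden_or_opened": re.compile(
        r"attrib(\.exe)?\s+\+h|icacls(\.exe)?\s+\.\s+/grant\s+Everyone:F", re.I),
}

# Constructed process-creation events (pid, image, command_line); not real telemetry.
SAMPLE_PROCESS_EVENTS = [
    (1208, "cmd.exe", r"cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete"
                      r" & bcdedit /set {default} bootstatuspolicy ignoreallfailures"
                      r" & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"),
    (1310, "cmd.exe", r'cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"'
                      r' /v "ID_PLACEHOLDER" /t REG_SZ /d "\"tasksche.exe\"" /f'),
    (1402, "cmd.exe", r"cmd.exe /c icacls . /grant Everyone:F /T /C /Q"),
    (1500, "cmd.exe", r"cmd.exe /c dir C:\Users"),  # benign
]


def split_chain(cmdline):
    """'cmd.exe /c a & b & c' -> ['a', 'b', 'c'] so each sub-command is matched on its own."""
    body = re.sub(r"^\s*cmd(\.exe)?\s+/c\s+", "", cmdline, flags=re.I)
    return [part.strip() for part in body.split("&") if part.strip()]


def triage_process_events(events):
    """Return {pid: sorted indicator names} for events matching at least one indicator."""
    hits = {}
    for pid, _image, cmdline in events:
        matched = {name for part in split_chain(cmdline)
                   for name, pat in INDICATORS.items() if pat.search(part)}
        if matched:
            hits[pid] = sorted(matched)
    return hits
```

A host where shadow_copy_deletion, recovery_disabled and backup_catalog_deleted fire together has already lost its local restore points, so recovery has to come from offline or off-host backups.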

SAFE Endpoint will block this step of the attack
The SAFE Agent limits access to sensitive administration tools to prevent abnormal system modifications.


Conclusion

The particularity of the WannaCry ransomware is its use of the recent exploit “Eternal Blue” published by the Shadow Brokers. This exploit allowed the malware to spread very fast on the local network and on the internet by targeting random IP addresses. This spreading method could explain why no e-mail has been found to prove that a phishing campaign was the origin of the cyberattack.

We also know that WannaCry can bypass traditional sandboxes by checking an unregistered domain on the internet. This method defeats some basic analysis systems, but the same check can be used to stop the spread of the attack if the domain becomes registered. One day after the attack was detected, the domain requested by the sandbox evasion was bought and the spreading was greatly slowed. Without this kill switch, WannaCry would have continued spreading and caused more and more damage.

WannaCry may have links with North Korea

Thanks to a tweet by a famous French hacker, we know that WannaCry shares some very similar code with another malware called Contopee. This malware was developed by the Lazarus group, which is involved in many cyberattacks such as the Sony Pictures breach in 2014. At the end of 2014, the FBI concluded that North Korea was responsible for the Sony breach. WannaCry may have been developed by the Lazarus group, but we still don’t know whether the Lazarus group is independent or affiliated with North Korea.

Thanks to the multi-layered security protection provided by the SAFE product, WannaCry was easily caught and blocked by our Agent. The combination of our multiple technologies allows us to provide the best protection against ransomware and other cyberattacks.