WannaCry Ransomware
The WannaCry Ransomware attack was one of the most damaging in history, infecting over 300,000 computers and encrypting their data. This malware used an exploit originally developed by the NSA, then was unfortunately leaked and used to develop WannaCry. This malwares goal is to infect the machine using the Eternal Blue vulnerability, to encrypt the files, to spread out as far as possible through the network, and to hold devices/files ransom for a bitcoin payment.
This malware was particularly damaging as it involved a vulnerability that was built into Windows OS. Microsoft did release an update that fixed this vulnerability even before the malware was spread, but as we know a lot of devices are kept out of date. Just another reason we should keep our computers up to date. This virus originally spread in 2017, and has been analyzed plenty of times by professionals much more talented than me, and I thought it would be a great place to start malware analysis. Below I left some links to learn about the WannaCry malware, Eternal Blue Vulnerability, and another great analysis of WannaCry if you’d like to learn more.
https://usa.kaspersky.com/resource-center/threats/ransomware-wannacry
https://attack.mitre.org/software/S0366
https://www.avast.com/c-eternalblue
Static Analysis
This static analysis uses a Malware Analysis Environment to keep me and my devices safe during analysis. You can find instructions on how to set up an environment just like mine in my other post here:
I do not recommend purposely installing malware unless you are sure it is safe to do so and you are in a controlled environment.
We will begin todays analysis by looking at the code that makes up WannaCry malware in static analysis. The first step I took was to use a tool built into FlareVM known as floss. Floss will allow us to view the code that makes up WannaCry malware. I have put a link below if you’d like to learn more about the Floss process.
https://github.com/mandiant/flare-floss
After using the floss command we can open up a specified .txt file to view the code without execution of the malware. In static analysis, we are looking for specific commands to learn more about what the malware wants to accomplish and what processes it will take advantage of. I began by quickly scrolling through the text file and looking for anything useful. The first thing I noticed is the malware looks to manipulate files.
We know the malwares goal was to encrypt files on the PC, and this file manipulation could have something to do with this process. Static analysis was a great way for me to learn some of these Microsoft commands and services. Any of the commands we see can be searched to find their use.
For example: in the second picture, we can see the service: GetComputerNameW By looking at Microsoft’s index of functions, we can see what exactly this command does. Microsofts definition: “Retrieves the NetBIOS name of the local computer. This name is established at system startup, when the system reads it from the registry”
https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-getcomputernamew
Static analysis can depend on ones knowledge of these services, and this analysis was great for helping me learn new services and understand the importance they have on our devices.
The next thing I found in the analysis was Cryptographic services. These are important because they deal directly with encryption on the device.
We see two windows services that deal with encryption, and then below we can see a string of base 64 characters. This Base64-encoded data is likely used to represent cryptographic keys, initialization vectors, or encrypted data in a text format for storage or transmission algorithm of the files. At this point it seems this malware deals directly with file manipulation and encryption.
CryptAquireContextA – https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptacquirecontexta
CryptGenRandom – The CryptGenRandom function fills a buffer with cryptographically random bytes. https://learn.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptgenrandom
Here we can see an HTTP link written in the code of the malware. Interestingly enough, this is exactly how the malware was stopped from spreading further. This malware would attempt to connect to this link, which at the time of development was not a registered domain. When this connection failed, the malware would begin malicious actions on the device. After this malware began to spread, a man named Marcus Hutchins took notice of this crucial connection. When this domain was registered, this stopped the malware from running or spreading further. The connection would return successful, and thus the malware would not continue.
This really shows the power of malware analysis, a single user was able to stop one of the most damaging and expensive malware to date simply by preforming some basic analysis and registering a domain. This solution acted as a kill switch to the malware, and stopped the malware from spreading out further. We are still able to see the evidence of this step written into the malware today.
Another interesting discovery I made during this static analysis was the pictured functions. I am not sure what these accomplish, but it does look like they depend the devices SMB version, as there are multiple different sections which each end in a different SMB version. SMB, or Server Message Block, is a service used to communicate with a server, and can allow access to data on servers, and reading/writing data on a server.
Here we see some commands that deal directly with the Registry of the device. This is a sign of malware persistence. Essentially, the malware is likely changing the registry files to allow the malware to run every time the device is turned on. Persistence is a key feature in malware, otherwise any virus could be stopped by restarting a device.
So far, we have discovered some interesting things about the malware. We can see that it is manipulating our files, using encryption algorithms, and making changes to our registry. It is also spreading out across our network using SMB services and attempting to infect other devices.
This list of 3 random strings are bitcoin addresses. This malware had the goal of encrypting a device and then holding the encrypted files for ransom. The ransom would be paid directly to one of these bitcoin addresses. When searching one of the addresses listed in the malware, we can see it has received a total of almost 1.5m USD.
These addresses are not necessarily a sign of malware, and do not help us discover who the author of this malware is. But I would say any time a Bitcoin address is used in the code of an executable, it is not a good sign.
The next discovery I made was an icacls function.
icacls is a Microsoft service that can make changes to Access Control Lists. ACL or Access Control Lists is a networking concept that restricts access to certain data based on privileges. For example, a receptionist at a bank does not need to have access to administrator privileges.
This icacls call then gives us some other information on what the goal is. We can see a list of commands after as well. In order, we see F: Which attempts to give full access, T: preform operation on files, including subdirectories, C: Continue operation despite errors, Q: Suppress all success messages.
It looks like the goal of this command is to spread the malware further by granting us elevated permissions and then spreading the malware around the server. It also helps to hide the malware by suppressing success messages. To learn more about this command and how it was used, you can again check the Mitre Attack web article on WannaCry or read the Microsoft page on the service.
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/icacls
https://attack.mitre.org/software/S0366
My next step in Static analysis was to use another program called PEStudio, which will give us some useful information.
https://www.varonis.com/blog/pestudio
The first thing to take note of is the top line, which shows the sha256 Hash of this malware version. We can also see the malware shows a signature of Microsoft Linker 6.0. This service, MS Linker, is used to combine files into, or create an .exe or .dll file. Other versions of WannaCry may show a signature of MS Disk Defragmenter, a service that works directly with Encrypting files.
Summary of Analysis
This concludes my static analysis of WannaCry malware. During this analysis, we saw clear evidence of file manipulation and encryption. We also found evidence of how the malware wants to spread, using the icacls function and the SMB service exploits. We also found how the malware wants to achieve persistence, using registry edits to self sustain on the device. Finding the infamous HTTP link that was used to stop the malware, and finding the bitcoin addresses used in the ransomware attack was also very interesting and shows just how powerful static analysis is. While we were not able to directly outline all the different features of the malware, we did directly identify the goals and some of the API functions used to manipulate our device.
This experience was very helpful for me and really helped to further my skillset. Just by examining the code of the malware I learned to identify key behaviors in the malware by observing API functions. Interpreting these functions was a huge part of the analysis, and it shows just how important they are. From a security standpoint, learning about how these functions can be abused is crucial to keep devices secure. This project also helped me learn how cybersecurity experts can dissect malware and learn about its goals and what services it uses. I cant wait to start my next project with this malware in Dynamic Analysis to see what else we can find out and develop my skills further. Thank you so much for reading and please reach out if you have any questions!
Leave a Reply