Wannacry Ransomware Unmasked: The Notorious Digital Bandit You Don't Wanna Mess With!
Static Analysis, Dynamic Analysis & Reverse Engineering of the Infamous Wannacry
Alright, folks, get ready to dive headfirst into the twisted world of Wannacry ransomware. This sneaky little bugger caused chaos worldwide, leaving innocent victims scrambling for their digital lives. But fear not! In this blog post, we're gonna break down Wannacry like a high-security prison break. We'll explore file hash analysis, have a laugh at its quirky behaviors, and even uncover its secret encryption routine. So, fasten your seatbelts, and let's ride into the wild world of Wannacry!
File Hash & VT Analysis: Unveiling the Bad Boys
Alright, we've got our detective hats on, and it's time to look at file hashes. Our sample is Ransomware.wannacry.exe.malz (the .malz extension is just lab convention so nobody double-clicks it), and its SHA-256 is 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c. Feed that hash to VirusTotal and it lights up like a bad case of malware measles: 70 of 72 engines flag it. Wannacry definitely wins the gold medal in the "Worst Houseguest Ever" competition. One practical note: hash the file contents, not the name; renaming a sample changes nothing about its hash, so this is the identifier to share.
Basic Static Analysis: Strings, Secrets, and Path-etic Discoveries
Let's dig into the static analysis, where things get downright interesting. The strings show Wannacry running commands through cmd.exe. And guess what? It's got a partner in crime called tasksche.exe: the encryptor payload is carried inside the dropper and written out under that name at runtime, so the dropper is really a wrapper around the ransomware proper. But the fun doesn't stop there. The strings also list SMB share paths of remote machines (IPC$ admin shares), a working directory under C:\, and a whole stack of language packs for the ransom note. Talk about playing hide-and-seek with our cybersecurity heroes!
The strings list the share paths of several remote machines.
There is a path under C:\ that looks interesting.
Language packages, one per supported ransom-note language.
Basic Dynamic Analysis: The Plot Thickens
Hold onto your hats, folks, 'cause the dynamic analysis is where the action unfolds. When Wannacry detonates, it's like a digital fireworks display. Suddenly, our wallpaper gets a makeover (rude, right?), and a window titled "Wana Decrypt0r 2.0" crashes the party, demanding a ransom to unlock our precious files. And oh, the files! Text, images, you name it, they all get a fancy .WNCRY extension. It's like a twisted fashion show in the malware universe! Everywhere you look, there's @WanaDecryptor@.exe and @Please_Read_Me@.txt, as if Wannacry wants to make sure we don't miss any important memos. But here's the kicker: Wannacry won't go full-on encryption frenzy if it can reach a certain host. It's like ransomware's version of checking the weather before unleashing chaos. Smart move, Wannacry, smart move.
The wallpaper is changed.
After initial detonation a window titled "Wana Decrypt0r 2.0" appears, asking for payment to decrypt the files on the system.
Most of the text, JPEG and similar files are encrypted; each gets a .WNCRY extension appended after initial detonation.
In every affected directory we can see @WanaDecryptor@.exe and @Please_Read_Me@.txt.
I also found a trigger condition in Wannacry. When we detonate the binary it resolves www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (that is the DNS query you see) and then attempts an HTTP connection to it.
If the request succeeds, the encryption routine is not executed and the sample exits; if it fails, the encryption routine runs. This means that with INetSim up (answering DNS and HTTP for any name) the encryption routine will not execute. To watch it encrypt, stop INetSim or otherwise make that host unreachable, and make sure the sandbox has no real Internet path either.
Host Indicators: The Accomplices Revealed
Wannacry knows how to be the puppet master, and tasksche.exe is its willing minion. This dynamic duo creates a staging directory, establishes persistence, and pretty much runs the show. It's like watching a cybercrime sitcom unfold right before our eyes. And let's not forget that the staging directory is made hidden with the "attrib" command. It's the secret lair where Wannacry hides its loot, making it a real-life malware mystery to solve. And just when you thought it couldn't get any crazier, Wannacry installs a malicious service on the victim machine so it comes back after every reboot. It's the cybercriminal version of "you can check out anytime you like, but you can never leave." Cue eerie music.
We can see that Wannacry spawns tasksche.exe as a child process to perform the intended routines.
tasksche.exe creates a folder as a staging space for the binary and sets up persistence, running attrib, icacls and cscript along the way.
This directory is created by tasksche.exe and used as Wannacry's staging space; inspecting it further turns up the supporting evidence.
The directory is hidden using attrib.
Wannacry creates a malicious service on the victim's machine and uses it to establish persistence.
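An added Python host-indicator scan (not the post's own tooling) that walks a tree for the artefacts described above: files ending in .WNCRY, the 8-byte WANACRY! header that identifies an encrypted file even after someone renames it, the @Please_Read_Me@.txt / @WanaDecryptor@.exe pair in each affected directory, and, on Windows only, directories carrying the hidden attribute that attrib +h sets. The directory layout it builds under a temp folder is constructed for the demo; the function and type names are mine.

```python
import ctypes
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Artefacts the post reports after detonation (names compared case-insensitively,
# as NTFS would).
RANSOM_NOTE_NAMES = {"@please_read_me@.txt", "@wanadecryptor@.exe"}
ENCRYPTED_EXT = ".wncry"
WNCRY_MAGIC = b"WANACRY!"      # 8-byte marker at the start of every encrypted file
FILE_ATTRIBUTE_HIDDEN = 0x2    # the bit `attrib +h` sets


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)    # named *.WNCRY
    magic_without_ext: list = field(default_factory=list)  # WANACRY! header, extension gone
    note_dirs: list = field(default_factory=list)          # dirs holding note / decryptor
    hidden_dirs: list = field(default_factory=list)        # attrib +h dirs (Windows only)

    def infected(self) -> bool:
        return bool(self.encrypted_files or self.magic_without_ext or self.note_dirs)


def is_hidden(path: Path) -> bool:
    """Hidden attribute via GetFileAttributesW; always False off Windows."""
    if os.name != "nt":
        return False
    attrs = ctypes.windll.kernel32.GetFileAttributesW(str(path))
    return attrs != 0xFFFFFFFF and bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def has_wncry_magic(path: Path) -> bool:
    """Catch encrypted files whose .WNCRY suffix was stripped or renamed."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(WNCRY_MAGIC)) == WNCRY_MAGIC
    except OSError:
        return False


def scan(root: Path) -> ScanResult:
    res = ScanResult()
    for dirpath, dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if {f.lower() for f in filenames} & RANSOM_NOTE_NAMES:
            res.note_dirs.append(d)
        for f in filenames:
            p = d / f
            if f.lower().endswith(ENCRYPTED_EXT):
                res.encrypted_files.append(p)
            elif has_wncry_magic(p):
                res.magic_without_ext.append(p)
        for sub in dirnames:
            if is_hidden(d / sub):
                res.hidden_dirs.append(d / sub)
    return res


def build_constructed_tree(base: Path) -> Path:
    """Lay down a fake post-detonation tree. Constructed for the demo, not real output."""
    docs = base / "Users" / "victim" / "Documents"
    docs.mkdir(parents=True)
    (docs / "report.docx.WNCRY").write_bytes(WNCRY_MAGIC + b"\x00" * 24)
    (docs / "photo.jpg.WNCRY").write_bytes(WNCRY_MAGIC + b"\x00" * 24)
    (docs / "renamed.bin").write_bytes(WNCRY_MAGIC + b"\x00" * 24)  # suffix removed by a user
    (docs / "@Please_Read_Me@.txt").write_text("Q: What's wrong with my files?\n")
    (docs / "@WanaDecryptor@.exe").write_bytes(b"MZ")
    staging = base / "ProgramData" / "qwertyuiop"   # hypothetical random staging dir name
    staging.mkdir(parents=True)
    (staging / "tasksche.exe").write_bytes(b"MZ")
    music = base / "Users" / "victim" / "Music"
    music.mkdir(parents=True)
    (music / "song.mp3").write_bytes(b"ID3")
    return base


def run_demo() -> ScanResult:
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as td:
        return scan(build_constructed_tree(Path(td)))


if __name__ == "__main__":
    r = run_demo()
    print("infected:", r.infected())
    print("encrypted by name:", len(r.encrypted_files), "| by header only:", len(r.magic_without_ext))
    print("note dirs:", [str(p) for p in r.note_dirs])
```

Run scan(Path("C:/")) on a suspect host for the real thing; the header check is the one that survives a panicked user renaming files back, and hidden_dirs is where the attrib +h staging folder shows up on Windows.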
Network Signatures: Wannacry's Social Skills
Move over, social butterflies! Wannacry is crashing the networking scene with bursts of TCP SYN packets. It's like Wannacry's version of digital small talk, except it's all on port 445 and aimed at every host it can find. This ransomware knows how to make an entrance and spread like wildfire using the EternalBlue SMBv1 exploit (MS17-010) against anything that answers. Who needs Facebook when you have Wannacry's social networking skills? It's malware's way of saying, "I'm here, and I'm ready to party!"
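The SYN burst on port 445 is easy to turn into a detection. Below is an added Python example (mine, not from the original post) that reads simplified Zeek-style connection records and flags any source opening TCP/445 to eight or more distinct hosts inside a ten-second window. The log lines are constructed for the demo; the thresholds and field layout are my assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable, Iterator

# Constructed connection records (Zeek conn.log fields, simplified):
#   ts src dst dport proto conn_state
# S0 = SYN sent, nothing came back; REJ = reset; SF = full handshake + teardown.
# 10.0.0.5 plays the infected host sweeping the /24 for SMB, 10.0.0.20 is a
# legitimate client talking to the file server 10.0.0.2.
SAMPLE_CONN_LOG = """\
1494820000.001 10.0.0.20 10.0.0.2 445 tcp SF
1494820000.050 10.0.0.21 10.0.0.2 445 tcp S0
1494820001.101 10.0.0.5 10.0.0.7 445 tcp S0
1494820001.112 10.0.0.5 10.0.0.8 445 tcp S0
1494820001.120 10.0.0.5 10.0.0.9 445 tcp REJ
1494820001.131 10.0.0.5 10.0.0.10 445 tcp S0
1494820001.144 10.0.0.5 10.0.0.11 445 tcp S0
1494820001.150 10.0.0.5 10.0.0.12 445 tcp S0
1494820001.163 10.0.0.5 10.0.0.13 445 tcp S0
1494820001.170 10.0.0.5 10.0.0.14 445 tcp SF
1494820001.181 10.0.0.5 10.0.0.15 445 tcp S0
1494820001.190 10.0.0.5 10.0.0.16 445 tcp S0
1494820002.500 10.0.0.20 10.0.0.2 445 tcp SF
1494820030.000 10.0.0.5 10.0.0.99 80 tcp SF
"""

UNANSWERED_STATES = {"S0", "REJ"}   # a SYN that never became a session


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    proto: str
    state: str


def parse_conn_log(text: str) -> Iterator[Conn]:
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, state = line.split()
        yield Conn(float(ts), src, dst, int(dport), proto, state)


def detect_smb_sweeps(conns: Iterable[Conn], window: float = 10.0, threshold: int = 8) -> dict:
    """Flag any source that opens TCP/445 to >= threshold distinct hosts within
    `window` seconds. Every record began with a SYN, so all states count toward
    the fan-out; the share that went unanswered is reported as extra evidence.
    Returns {src: {"first_alert_ts", "distinct_targets", "unanswered"}}."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst, state) inside the window
    alerts = {}
    for c in sorted(conns, key=lambda c: c.ts):
        if c.proto != "tcp" or c.dport != 445:
            continue
        q = recent[c.src]
        q.append((c.ts, c.dst, c.state))
        while q and c.ts - q[0][0] > window:
            q.popleft()
        targets = {dst for _, dst, _ in q}
        if len(targets) >= threshold and c.src not in alerts:
            alerts[c.src] = {
                "first_alert_ts": c.ts,
                "distinct_targets": len(targets),
                "unanswered": sum(1 for _, _, s in q if s in UNANSWERED_STATES),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_smb_sweeps(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"ALERT {src}: {info['distinct_targets']} SMB targets "
              f"({info['unanswered']} unanswered) by ts={info['first_alert_ts']}")
```

The legitimate client never trips it because it keeps talking to one server, and the single S0 from 10.0.0.21 is noise; the worm is caught on its eighth target, well before it has finished the subnet. The same fan-out logic is what a Zeek notice or a Suricata threshold rule on port 445 SYNs implements.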
Advanced Static Analysis: The Code Breaker's Dilemma
Enter the realm of advanced static analysis, where Wannacry's code becomes the ultimate puzzle. Right at the start it calls InternetOpenA to get a WinINet handle, then InternetOpenUrlA on the mysterious kill-switch host, and then decides whether to unleash its encryption routine or exit stage left. It's like watching a suspenseful movie, with a test instruction on the returned handle and a conditional jump playing their part: a valid handle (the host answered) takes the branch to exit, a NULL handle falls through into the encryption routine. Will the encryption routine take the spotlight, or will Wannacry exit gracefully like a misunderstood cyber artist? Only the network decides!
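The kill-switch check from the dynamic analysis and from the disassembly above, reproduced as an added Python example (not code from the original post, and not the malware's own): probe() approximates what the sample's InternetOpenUrlA call sees, and encryption_routine_runs() is the branch on the returned handle. The ProbeResult type, the function names and the timeout are my assumptions; the one point worth internalising is that any HTTP response, even a 404, satisfies the kill switch, which is exactly why INetSim suppresses the encryption.

```python
import socket
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Optional

# The kill-switch host observed in the DNS query during detonation.
KILL_SWITCH_URL = "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


@dataclass(frozen=True)
class ProbeResult:
    handle_obtained: bool        # would InternetOpenUrlA have returned non-NULL?
    reason: str                  # dns_failed | connect_failed | timeout | http_<status>
    resolved_to: Optional[str]   # address the name resolved to, if it did


def probe(url: str = KILL_SWITCH_URL, timeout: float = 5.0) -> ProbeResult:
    """Approximate InternetOpenUrlA: succeed only if the name resolves AND an
    HTTP exchange completes. An HTTP error status (404, 503, ...) still counts
    as success because WinINet hands back a handle whenever it gets a response;
    only DNS failure, refused connections and timeouts yield NULL."""
    host = urllib.parse.urlparse(url).hostname or url
    try:
        addr = socket.gethostbyname(host)
    except socket.gaierror:
        return ProbeResult(False, "dns_failed", None)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return ProbeResult(True, f"http_{resp.status}", addr)
    except urllib.error.HTTPError as e:          # server answered with an error page
        return ProbeResult(True, f"http_{e.code}", addr)
    except socket.timeout:
        return ProbeResult(False, "timeout", addr)
    except urllib.error.URLError as e:
        why = "timeout" if isinstance(e.reason, socket.timeout) else "connect_failed"
        return ProbeResult(False, why, addr)
    except OSError:
        return ProbeResult(False, "connect_failed", addr)


def encryption_routine_runs(result: ProbeResult) -> bool:
    """The branch from the disassembly: test the handle, jump to exit if it is
    non-zero, fall through to the payload if it is NULL."""
    return not result.handle_obtained


def lab_verdict(result: ProbeResult) -> str:
    """What you will see in the sandbox for a given probe outcome."""
    if encryption_routine_runs(result):
        return (f"kill switch NOT satisfied ({result.reason}): "
                "files will be encrypted on detonation")
    return (f"kill switch satisfied ({result.reason}, host -> {result.resolved_to}): "
            "the sample exits without encrypting; INetSim or a live Internet path is answering")


if __name__ == "__main__":
    print(lab_verdict(probe()))
```

Run it inside the sandbox before detonating: if it reports "satisfied", either INetSim is answering or the VM has a real Internet path, and the encryption routine will never fire. Note that the check is on reachability only; the real sample never looks at the HTTP status, so a sinkhole serving 404s is as effective at stopping it as a real page.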
Summary: The Ransomware Dance
So, what have we learned from Wannacry's wild ride? Well, it turns out that Wannacry is quite picky about its encryption routine. It only dances when the elusive host iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is out of reach. Talk about ransomware with commitment issues! The worm side of the binary handles the port 445 scanning and the EternalBlue spread, while its partner in crime, tasksche.exe, performs the rest of the dirty work: staging, persistence and file encryption. It's like the ultimate bromance, but with a cybercriminal twist!
Conclusion: Outsmarting the Digital Bandit
There you have it, folks! Wannacry ransomware unmasked, analyzed, and served with a side of humor. While Wannacry left a trail of havoc and heartache, let's remember the valuable lessons it taught us. Stay vigilant, keep those security measures up to date, and never underestimate the power of a cybercriminal with a diabolical plan. So, raise your digital shields, fortify your defenses, and let's bid Wannacry farewell—into the abyss of cybersecurity history where it belongs!