CSP-CERT® Malware Research:

by CSP-CERT® Research Science
posted May 2017

On May 12, a new ransomware rapidly infected systems globally. This campaign has a worm component that spreads by exploiting the EternalBlue SMB vulnerability (https://isc.sans.edu/forums/diary/ETERNALBLUE+Windows+SMBv1+Exploit+Patched/22304/). This combination has led to a rapid spread of the ransomware across organizations all over the globe, including the Philippines.

It has two parts: the spreading mechanism and the ransomware mechanism. The whole package is about 3 MB.

Ransomware Dropper and the Worm Component

Code starts by checking this site:


If the site can't be accessed

The site was registered and sinkholed. This was the kill switch everybody was talking about.

BUT, since INTERNET_OPEN_TYPE_DIRECT was used in InternetOpenA, the check bypasses the system proxy settings, so Windows machines that can only reach the internet through a proxy never see the kill switch site and still get the ransomware.

Initially, it spawns another copy of itself as a system service bearing the name "mssecsvc2.0", started with the arguments "-m security".

Afterwards, it drops a 3 MB file embedded in its resource section as c:\windows\tasksche.exe and executes it. This is the ransomware component.


Rerunning itself with "-m security" makes it run in a different mode. It does not strictly require "-m security" as its command line parameters: as long as the argument count is 2, the malware proceeds to its propagation mode.

The propagation happens in LAN (local) then in WAN (public).

LAN Propagation

For every network adapter, all associated IP addresses are collected. For every IP address collected, it builds a table of every address in the surrounding /24 network. For example, the collected IPv4 is, it builds to

Only 10 IP addresses are processed at the same time, most likely to avoid generating enough noise on the network for IT admins to notice.

WAN Propagation

In this propagation mode, a random public IP address is generated. All 4 octets are randomly generated. However, the first octet has some conditions:

  • Should not be equal to 12
  • It should be less than 224

Of course, all the generated octets should be less than 255. Only 128 public IP addresses are targeted every time WannaCry is executed.

WannaCry uses MS17-010, aka ETERNALBLUE, for its propagation. ETERNALBLUE is an exploit against the SMB1 service, commonly associated with port 445. https://en.wikipedia.org/wiki/EternalBlue

During the actual propagation against a target IPv4 address, it makes only 5 attempts to negotiate and send the malformed packets. In the case of a successful infiltration of the target, a response is received bearing the value 0x51.

It then follows up by sending about 4 kilobytes of base64-looking data, probably for heap spraying.

Next, it sends the series of DOUBLEPULSAR shellcode and data packets. https://en.wikipedia.org/wiki/DoublePulsar

The image below is the disassembled DOUBLEPULSAR shellcode. (TODO: Windbg shellcode at target. Shellcode contains MSR ops.)

And finally, it sends an encrypted copy of this malware file (encrypted with a simple XOR).

What to do here?

  • IDS rule against ETERNALBLUE, or better yet against DOUBLEPULSAR, since EternalRocks uses various exploits but did not change the DOUBLEPULSAR component
  • Forget SMB1
  • Get patched (Microsoft released patches for XP and 2003 in spite of their being out of support)
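The 0x51 reply mentioned above is what public DOUBLEPULSAR detection rules key on: an implanted host answers an SMB Trans2 request with Multiplex ID 0x51 instead of echoing the one it was sent. As an added example that is not part of this write-up, the Python below decodes the SMB1 header of a captured packet and flags such a reply; the field offsets follow the SMB1 wire format, and the test packets are constructed here rather than taken from real traffic.

```python
import struct

SMB_TRANS2 = 0x32          # SMB_COM_TRANSACTION2, the command DOUBLEPULSAR rides on
SMB_FLAGS_REPLY = 0x80     # set in the Flags byte when the packet is a server response
DOUBLEPULSAR_MID = 0x51    # Multiplex ID an implanted host returns to the "ping"
NBSS_LEN, SMB_HDR_LEN = 4, 32

def parse_smb_header(payload: bytes) -> dict:
    """Decode the fixed SMB1 header that follows the 4-byte NetBIOS session
    header. Raises ValueError for anything that is not an SMB1 message."""
    if len(payload) < NBSS_LEN + SMB_HDR_LEN:
        raise ValueError("too short for NBSS + SMB1 header")
    smb = payload[NBSS_LEN:NBSS_LEN + SMB_HDR_LEN]
    if smb[:4] != b"\xffSMB":
        raise ValueError("missing \\xffSMB signature")
    # Command(1) Status(4) Flags(1) Flags2(2) start at offset 4 ...
    command, status, flags, flags2 = struct.unpack_from("<BIBH", smb, 4)
    # ... TID PID UID MID (2 bytes each) start at offset 24
    tid, pid, uid, mid = struct.unpack_from("<HHHH", smb, 24)
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "tid": tid, "pid": pid, "uid": uid, "mid": mid}

def is_doublepulsar_reply(payload: bytes) -> bool:
    """True for a Trans2 *response* whose Multiplex ID is 0x51."""
    try:
        hdr = parse_smb_header(payload)
    except ValueError:
        return False
    return (bool(hdr["flags"] & SMB_FLAGS_REPLY)
            and hdr["command"] == SMB_TRANS2
            and hdr["mid"] == DOUBLEPULSAR_MID)

def build_smb1(command: int, mid: int, reply: bool) -> bytes:
    """Constructed test packet: NBSS header plus a bare 32-byte SMB1 header."""
    flags = SMB_FLAGS_REPLY if reply else 0
    hdr = b"\xffSMB" + struct.pack("<BIBH", command, 0, flags, 0xC807)
    hdr += b"\x00" * 12                       # PIDHigh, SecurityFeatures, Reserved
    hdr += struct.pack("<HHHH", 0, 0xFEFF, 0, mid)
    return struct.pack(">I", len(hdr)) + hdr  # type-0 session message + length
```

Feed it the TCP payload of each server-to-client packet on port 445; a single True on a host is enough to pull it off the network.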

This vulnerability affects SMB1. Why do people still use SMB1?

  1. Still using XP and Server 2003. – Upgrade ASAP or else you’re at risk.
  2. Software requiring "Network Neighborhood".
  3. Old Scanners and Printers.

Ransomware component

  • Creates a copy of itself in %ProgramData%\<random_string>\tasksche.exe
    • Random string derived from the computer name, so it is a more or less fixed string per computer name.
  • Runs the copy as a service
  • Kill switch mutex check
    • If mutex name "Global\\MsWinZonesCacheCounterMutexA0" exists, then bye
  • Extracts a password protected zip archive from its resource section. Password is [email protected]

  • File inspections
    • b.wnry – Bitmap file containing the ransom note. Set as desktop background.
    • c.wnry – Configuration file. Contains onion addresses, download links, and bitcoin wallets.
    • r.wnry – Contains ransom notes filled in from c.wnry.
    • s.wnry – ZIP archive containing the Tor program.
    • t.wnry – Encrypted data containing the stored RSA-AES key and the DLL that contains most of the ransomware code. Magic header = WANACRY!
    • u.wnry – Win32 PE EXE file which is the Wanna Decryptor.
    • taskdl.exe – Tool used to delete .WNCRYT files, including those in the $RECYCLE folder.
    • taskse.exe – Tool used to execute the programs passed in its arguments.
    • msg – Folder containing more .wnry files, which are actually RTFs.
  • Hides the parent folder where this ransomware file was executed and grants Everyone full access to it by running these commands
    • attrib +h .
    • icacls . /grant Everyone:F /T /C /Q
  • Imports APIs and keys
  • Extracts key and DLL from t.wnry
  • DLL is directly loaded in an allocated memory and initialized by calling DLL entry point
  • DLL contains an export named "TaskStart"
  • It passes control to the TaskStart export
  • Creates this mutex name: "MsWinZonesCacheCounterMutexA"
  • Attempts to create this registry entry
    wd = <folder of this running malware>
  • If that fails, it creates this instead
    wd = <folder of this running malware>
  • Sets up persistence. Creates a thread that runs this command line in a loop:
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "<random_string>" /t REG_SZ /d "\"<full path of this running malware>\"" /f
  • Copies u.wnry as @[email protected]
  • Creates and runs a batch file that creates and runs a vbs script that creates an LNK file that points to @[email protected]

  • Stores encryption and decryption keys in
  • Another kill switch mutex check before it proceeds to actual file encryption: Global\MsWinZonesCacheCounterMutexW
  • Otherwise, creates this mutex name: Global\MsWinZonesCacheCounterMutexW0
  • Begins searching for files to encrypt
    • Searches logical drives, including mapped drives
    • Recursively searches folders from the root directory
      • Skips folder paths with these strings:
        • "Content.IE5"
        • "Temporary Internet Files"
        • "This folder protects against ransomware. Modifying it will reduce protection"
        • "\AppData\Local\Temp"
        • "\Intel"
        • "\Local Settings\Temp"
        • "\Program Files", "\Program Files (x86)"
        • "\ProgramData"
        • "\WINDOWS"
    • Searches the files in each folder and encrypts them
      • Skips files with these file name extensions
        • .WNCRY
        • .exe
        • .dll
      • Skips these files
        • @[email protected]
        • @[email protected]
        • @[email protected]
      • Targets files with these file name extensions
        • .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
  • Encryption of target file
    • Reads the contents of the file to an allocated memory buffer
    • Encrypts the buffer
    • Creates a file using the target’s filename with .WNCRYT appended, e.g. Confidential.docx.WNCRYT
    • Writes “WANACRY!” to the .WNCRYT file as the encrypted file’s magic header signature
    • Writes the encrypted buffer to the .WNCRYT file
    • If everything was successfully written to the .WNCRYT file, it deletes the target file
    • Renames the .WNCRYT file to .WNCRY using the MoveFile API
  • For every folder that contains encrypted files, it drops these previously created files:
  • Creates a thread that runs taskdl.exe in a loop. This is most likely its clean-up routine for removing leftover .WNCRYT files.
  • Creates a thread that runs @[email protected] in a loop.
  • Then finally changes the desktop background to:

  • Runs the Wanna Decryptor with the “vs” switch.
    • cmd.exe /c start /b @[email protected] vs
    • This executes the following command chain, which deletes the shadow copies:
      runas /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
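The encryption routine above leaves two recognisable traces on disk: the "WANACRY!" magic header written at the start of every output file, and the .WNCRYT (written, not yet renamed or cleaned up) and .WNCRY (finished) names. As an added example, not part of this write-up, the Python below is a read-only triage scanner that walks a tree and buckets files by those indicators, skipping the folders the write-up says the malware itself skips; the sample tree it builds is constructed, not victim data.

```python
import os
import tempfile
from typing import Optional

MAGIC = b"WANACRY!"
# Folder markers the write-up lists as skipped by the malware; skipped here too.
SKIP_MARKERS = ("Content.IE5", "Temporary Internet Files", "\\AppData\\Local\\Temp",
                "\\Intel", "\\Local Settings\\Temp", "\\Program Files",
                "\\ProgramData", "\\WINDOWS")

def classify_file(path: str, head: bytes) -> Optional[str]:
    """'encrypted' (.WNCRY + magic), 'in-progress' (.WNCRYT + magic, so the
    rename or taskdl clean-up never ran), 'header-only' (magic, other name)."""
    if not head.startswith(MAGIC):
        return None
    ext = os.path.splitext(path)[1].lower()
    if ext == ".wncry":
        return "encrypted"
    if ext == ".wncryt":
        return "in-progress"
    return "header-only"

def scan_tree(root: str) -> dict:
    """Walk root and bucket hits; only len(MAGIC) bytes are read per file."""
    hits = {"encrypted": [], "in-progress": [], "header-only": []}
    for dirpath, dirnames, filenames in os.walk(root):
        if any(m in dirpath for m in SKIP_MARKERS):
            dirnames[:] = []            # do not descend, like the malware
            continue
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    head = fh.read(len(MAGIC))
            except OSError:
                continue                # locked or unreadable: skip quietly
            verdict = classify_file(full, head)
            if verdict:
                hits[verdict].append(full)
    return hits

def demo_scan() -> dict:
    """Build a constructed sample tree (not victim data) and scan it."""
    root = tempfile.mkdtemp(prefix="wncry_demo_")
    samples = {"Confidential.docx.WNCRY": MAGIC + b"\x00" * 16,
               "Budget.xlsx.WNCRYT": MAGIC + b"\x01" * 16,
               "notes.txt": b"plain text, untouched",
               "odd.bin": MAGIC + b"\x02"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return scan_tree(root)
```

A non-empty "in-progress" bucket is worth a closer look: those files were written but never renamed, which usually means the run was interrupted before the clean-up thread got to them.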


MD5: db349b97c37d22f5ea1d1841e3c89eb4
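The two command lines the ransomware section attributes to WannaCry, the Run-key persistence loop and the shadow-copy deletion chain run through the decryptor's "vs" switch, are easy to pick out of process-creation logs. As an added example that is not part of this write-up, the Python below runs a small rule set over constructed log lines; the "pid|image|commandline" layout and the "xyzabc" stand-in for the per-machine random string are assumptions, not a real log export.

```python
import re

# Rule name -> pattern. Loose on spacing and case because the chain may be
# logged as one cmd.exe line or as separate child processes.
RULES = [
    ("vss-delete", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic-shadowcopy", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit-recovery", re.compile(
        r"bcdedit.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin-catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("run-key-persist", re.compile(
        r"reg(\.exe)?\s+add\s+HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\b"
        r".*?/t\s+REG_SZ", re.I)),
]
# Any one of these means recovery data is being destroyed; a Run key alone is
# common for legitimate software and only rates "suspicious".
HIGH = {"vss-delete", "wmic-shadowcopy", "bcdedit-recovery", "wbadmin-catalog"}

# Constructed sample log (assumed "pid|image|commandline" layout).
SAMPLE_LOG = [
    r'1204|C:\Windows\System32\cmd.exe|cmd.exe /c reg add HKLM\SOFTWARE\Microsoft'
    r'\Windows\CurrentVersion\Run /v "xyzabc" /t REG_SZ /d "\"C:\ProgramData\xyzabc\tasksche.exe\"" /f',
    r'1210|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet'
    r' & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures'
    r' & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet',
    r'1300|C:\Windows\System32\vssadmin.exe|vssadmin list shadows',
    r'1310|C:\Program Files\Backup\backup.exe|backup.exe --snapshot',
]

def match_rules(cmdline: str) -> list:
    """Names of all rules whose pattern occurs in one command line."""
    return [name for name, pat in RULES if pat.search(cmdline)]

def triage(log_lines) -> dict:
    """Map pid -> matched rule names for every line that hits a rule."""
    hits = {}
    for line in log_lines:
        pid, _image, cmd = line.split("|", 2)
        names = match_rules(cmd)
        if names:
            hits[int(pid)] = names
    return hits

def verdict(hits: dict) -> str:
    fired = set(n for names in hits.values() for n in names)
    if fired & HIGH:
        return "ransomware-like"
    if "run-key-persist" in fired:
        return "suspicious"
    return "clean"
```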