Wannacry : Detailed Analysis ( part 1 of 3 )

Main Launcher: The Killswitch effect

The main launcher has a curious feature, where, before it does anything else, it checks connectivity to a certain domain. Ifthat domain resolves, the binary exits and does nothing further. This has been dubbed the killswitch. The killswitch domains below that have been found so far have been registered by Security Researchers, seehereandhere. This has had the effect of hampering the spread of the malware. Hint: don’t block these domains.

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com

ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com

Extracting the Ransomware

If there is no reply from the killswitch domain, it then checks for command line argument, if it is less than two, create a new servicewith Display name: “Microsoft Security Center (2.0) Service” and service name: “mssecsvc2.0”

Next, the WannaCry ransomware is extracted from resource section,then dropped to C:\Windows and anew process is spawned C:\WINDOWS\tasksche.exe.

If command line argument is two or more then it proceeds to open malware service named”mssecsvc2.0″, change the service configuration to “SERVICE_CONFIG_FAILURE_ACTIONS”, then start the service running the propagation function using the SMB exploit.

Scan the networks

Next, one thread is run for scanning local IPs, and 128 threads for scanning public IPs:

For scanning local IPs, It gathers IP addresses using GetAdaptersInfo() API, and then scans the target IP for MS17-010 and transfers the payload if the IP is vulnerable:

For scanning public IP addresses, the malware generates target IP addresses using the CryptGenRandom() API by default, otherwise it uses the rand() function. The randomly generated first octet of the IP address cannotbe equal 127 or >= 224. The second, third and fourth octets arealso randomly generated. It then checks if port 445 of the target IP is open.

If it deemed that port 445 is open, it starts to scan the entire /24 IP range, and then creates a thread for each target IP and attempts to exploit it.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s