Uncovering the Secret of WannaCry - Part 1
Table of Contents
- Introduction
- What is WannaCry?
- Initial Behavior of WannaCry
- Unpacking WannaCry
- Importing the Binary into Ghidra
- Analyzing the Functions
- Understanding the Entry Function
- Examining the Kill Switch Domain
- Analyzing the Real Entry
- Extracting and Analyzing Embedded Resource
- Exploring the Strings in the Binary
- Analyzing the Main WannaCry Binary
- Creating Hidden Directories and Setting File Attributes
- Installing the Service and Launching the Binary
- Handling User-Specified Arguments
- Creating or Querying Registry Keys
- Decrypting a Secret ZIP File
- Examining the Extracted Contents
- Background Picture
- Text Description and Ransom Note
- Data Files and Tor Network Links
- Conclusion
Unpacking WannaCry
Welcome to the first part of my analyzing WannaCry series. In May 2017, a ransomware attack known as WannaCry wreaked worldwide havoc, infecting over 300,000 computers and hitting companies like Boeing, Hitachi, TSMC, and Renault. In this video, we'll begin unpacking WannaCry and examining its basic behavior. Subsequent videos will delve into the ransomware and worm modules. The WannaCry sample used in this video can be found in the description, but exercise caution when using it to avoid encrypting your files. Let's start by exploring how WannaCry behaves.
When executed, WannaCry initially appears to do nothing. However, after about 30 seconds, the preview of photos disappears and new files start appearing. Approximately a minute later, the infamous ransomware dialogue box appears, threatening users with file deletion unless a ransom is paid within 7 days. Furthermore, all access to personal files, including pictures, is denied, and the desktop background is replaced with a warning message. Now, let's load WannaCry into Ghidra and delve into its inner workings.
Importing the Binary into Ghidra
To import the WannaCry binary into Ghidra, simply drag and drop the file into the application. Ghidra will detect that the binary is a portable executable (PE) and prompt for confirmation. After importing, double-click on the main WannaCry executable file to open it in the code browser. When the analysis options appear, enable the optional analyzers as well, in particular the Decompiler Parameter ID analyzer and the Windows PE external parameter propagation analyzer, so that call sites into imported Windows API functions are typed. Ignoring any warnings, initiate the analysis to generate the function list.
Analyzing the Functions
Upon examining the function list, we primarily see unnamed functions, without a specific "main" or "WinMain" function. To identify the entry function, which is executed when the binary is launched, we look at the default C runtime start-up code that Windows compilers emit at the entry point. At the end of this start-up code there is the actual call to the "WinMain" function, which serves as the main application function. By referencing the Microsoft documentation, we can copy the function signature for "WinMain" and apply it to that function so the decompiler shows the correct parameters.
Let's explore the "WinMain" function. At the beginning of this function, a curious string resembling a URL is observed. Renaming the variable to "strange_url" and updating its type to a C string, we continue analyzing the following lines of code. We encounter several instructions related to string copying, with 4 bytes copied at a time from the "strange_url" variable into a stack buffer referenced by the pointer "puVar3" (this is how the compiler inlined the copy). Renaming "puVar3" to "strange_url_copy" and adjusting its type to a C string clarifies the purpose of this code.
The code then triggers a call to "InternetOpenA," the WinINet function that initializes an internet session. Initially, Ghidra lacks the function signature for "InternetOpenA," so we copy the correct signature from the Microsoft documentation. However, we notice that the documentation mistakenly shows a void return type for this function, whereas it actually returns an "HINTERNET" handle. To rectify this, we modify the signature to reflect the correct return type before applying it.
Looking at the full line, we can ascertain that it attempts to request the aforementioned "strange_url." If the request fails, resulting in a null handle return, the program closes the handles and calls an as-yet unnamed function. On a successful request, the program simply returns from "WinMain," concluding its execution. Let's rename the function called in case of request failure to "WannaCry_real_entry," as it appears to be where the actual tasks are performed. One practical consequence for analysts: in a lab where internet access is simulated and every request succeeds, the sample exits quietly at this check, so the kill switch domain must be unreachable for the rest of the code to run.
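The renaming and retyping steps above are done by hand in the video. The following Ghidra script is an added example, not code from the video or from Ghidra itself, that automates them: it applies the documented "WinMain" prototype, corrects the return type of the imported "InternetOpenA" to "HINTERNET", and renames the failure-branch callee to "WannaCry_real_entry". The two addresses it prompts for (the function called by the entry stub and the function called when the request fails) are assumptions supplied by the analyst from the decompiled listing; the class name and the helper method are also mine.

```java
// FixWannaCryEntry.java : Ghidra script added as an example (not from the video
// or from the Ghidra project). Run it from the Script Manager on the open program.
import ghidra.app.cmd.function.ApplyFunctionSignatureCmd;
import ghidra.app.script.GhidraScript;
import ghidra.app.services.DataTypeManagerService;
import ghidra.app.util.parser.FunctionSignatureParser;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionSignature;
import ghidra.program.model.symbol.SourceType;

public class FixWannaCryEntry extends GhidraScript {

    // Prototypes as documented by Microsoft, with the documentation's "void"
    // return type of InternetOpenA already corrected to HINTERNET.
    private static final String WINMAIN_SIG =
        "int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)";
    private static final String INTERNETOPEN_SIG =
        "HINTERNET InternetOpenA(LPCSTR lpszAgent, DWORD dwAccessType, LPCSTR lpszProxy, "
      + "LPCSTR lpszProxyBypass, DWORD dwFlags)";

    @Override
    public void run() throws Exception {
        // 1. The analyst picks the address the CRT entry stub calls (assumption:
        //    located by hand, as described in the text, and entered in the prompt).
        Address winMainAddr = askAddress("WinMain", "Address called by the entry stub:");
        Function winMain = getFunctionAt(winMainAddr);
        if (winMain == null) {
            winMain = createFunction(winMainAddr, "WinMain");
        }
        applySignature(winMainAddr, WINMAIN_SIG);
        println("WinMain typed at " + winMainAddr);

        // 2. Retype the imported InternetOpenA so the decompiler shows an HINTERNET
        //    result instead of a void call whose return value is discarded.
        for (Function f : currentProgram.getFunctionManager().getExternalFunctions()) {
            if (f.getName().equals("InternetOpenA")) {
                applySignature(f.getEntryPoint(), INTERNETOPEN_SIG);
                println("InternetOpenA retyped at " + f.getEntryPoint());
            }
        }

        // 3. Rename the function reached when the URL request fails (again an
        //    address the analyst reads off the decompiled WinMain).
        Address realEntryAddr = askAddress("Real entry", "Function called when the request fails:");
        Function realEntry = getFunctionAt(realEntryAddr);
        if (realEntry == null) {
            realEntry = createFunction(realEntryAddr, "WannaCry_real_entry");
        } else {
            realEntry.setName("WannaCry_real_entry", SourceType.USER_DEFINED);
        }
        println("Renamed " + realEntryAddr + " to " + realEntry.getName());
    }

    // Parse a C prototype against the program's data types and apply it to the
    // function at 'entry'. Types such as HINSTANCE or HINTERNET must already be
    // known to the program (the Windows type archive attached on PE import
    // supplies them; otherwise add the type from the archive first).
    private void applySignature(Address entry, String prototype) throws Exception {
        DataTypeManagerService svc = (state.getTool() == null)
            ? null  // headless mode has no tool; the parser then uses only the program's types
            : state.getTool().getService(DataTypeManagerService.class);
        FunctionSignatureParser parser =
            new FunctionSignatureParser(currentProgram.getDataTypeManager(), svc);
        FunctionSignature sig = parser.parse(null, prototype);
        ApplyFunctionSignatureCmd cmd =
            new ApplyFunctionSignatureCmd(entry, sig, SourceType.USER_DEFINED);
        if (!cmd.applyTo(currentProgram)) {
            printerr("Could not apply signature at " + entry + ": " + cmd.getStatusMsg());
        }
    }
}
```

After the script runs, re-open "WinMain" in the decompiler: the null-handle comparison on the "InternetOpenA" / URL request result and the call to "WannaCry_real_entry" in the failure branch become readable at a glance, which is the check an analyst wants before spending time on the real entry.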
Conclusion
In this first part of the analyzing WannaCry series, we commenced the unpacking process and examined the initial behavior of the ransomware. We imported the WannaCry binary into Ghidra and analyzed the functions to understand the entry point and the handling of the kill switch domain. Subsequently, we delved into the "real entry" function, which contains the main activities of WannaCry. In the next part of this series, we will extract and analyze an embedded resource, gaining further insights into WannaCry's inner workings. Stay tuned for the next video!
Highlights
- WannaCry was a ransomware attack that severely impacted businesses worldwide in May 2017.
- The ransomware infected over 300,000 computers and targeted major companies like Boeing, Hitachi, TSMC, and Renault.
- Upon execution, WannaCry displays a threatening ransomware dialogue box, encrypts files, and replaces the desktop background.
- Ghidra is a powerful tool for analyzing malware, enabling us to identify and understand the behavior of WannaCry.
- Analyzing the unnamed functions and determining the entry point provided insights into WannaCry's operation.
- The "kill switch" URL, originally registered by Marcus Hutchins, played a crucial role in thwarting WannaCry's spread.
- Unpacking WannaCry involves examining its functions and resources, revealing its hidden activities.
- Successful extraction and analysis of an embedded resource uncovered additional details about WannaCry's capabilities.
FAQs
Q: How did WannaCry initially spread?
A: WannaCry spread automatically through a vulnerability known as EternalBlue, which targeted outdated versions of the Windows operating system.
Q: What happens if the ransom is not paid within 7 days?
A: If the ransom is not paid within the specified timeframe, WannaCry threatens to permanently delete the encrypted files.
Q: How can users protect themselves from WannaCry?
A: Users can protect themselves by keeping their operating systems and antivirus software up to date, avoiding suspicious email attachments or downloads, and regularly backing up their important files.