Below is a brief overview of the inner workings of WannaCry. It is by no means a complete in-depth account of what it does, but the inquisitive will learn a little bit without touching any code debuggers.
Enjoy the read!
gerbil (follow me on Twitter: @gerbil)
Dissecting WannaCry
===================
Hi guys.
Before I continue to bore you to death, just a few points:
Firstly, before you read this page thinking you're going to unlock the mysteries of the world or even find the Ark of the Covenant, that isn't going to happen.
This page is basically a reformatted version of a text dump, i.e. a few of my notes that I took when I examined WannaCry. And I'm not prepared to write an in-depth, detailed account with those notes.
So, that means it contains holes, either because I've missed it, didn't think it relevant (at the time), or because I was too lazy to include it, which is probably the main reason. I am only human after all! Cynics will probably read this document and point and poke at it saying things like, "well this bit is wrong," and, "that doesn't happen, what really happens is...". And if so, I DON'T CARE! This is just a brief overview with a bit of explanation about what the ransomware does.
Secondly, I have a day job and I am also a parent, so the reason for this document coming about so late in the day is due to having other commitments.
Thirdly, I don't often document my findings, but my study into WannaCry has gained a bit of interest so I thought I'd write this document so as not to keep repeating myself. Using gedit. So apologies for any spelling mistakes, grammatical errors, inconsistencies, slang words etc.
And lastly, I am not a malware hunter nor am I a robot. I do however sometimes look at binaries through an assembler and that is what I have done in this case. I don't claim to know the ins and outs of this malware or even ask questions about it, just as I'd be able to dissect a frog and have no idea what the hell the insides do, but somebody else looking may be able to see things in a different way and know what is going on. The REAL malware hunters, the REAL infosec warriors and the REAL security researchers are the guys to look up to and to thank. Keep up the fight guys, you know who you are! :O)
What this document DOESN'T do:
- Explain how to decrypt files from an infected machine.
- Discuss the @WanaDecryptor@.exe, the FREE software that comes with WannaCry! This is because I was only interested in what WannaCry did to files and a computer (this is where the cynics all pipe up, "Ah! Because he couldn't do it", to which I reply, "This is crypto and crypto isn't to be taken light-heartedly. Especially where public and private keys are involved!", to which they reply with something else to which I reply with, "I DON'T CARE!").
Anyway, on with the (boring) show.
What Is WannaCry?
=================
Well, this is a question that I'm sure that everybody on the planet already knows the answer to right now.
In a nutshell, WannaCry is a worm that propagated through the internet and caused a lot of mayhem, encrypting files that would be deemed "important". The only way to get these files back would be to pay $300 worth of Bitcoin to decrypt them.
It is split into two parts:
- the worm that used an exploit to propagate through the network
- a payload that was ransomware, which was WannaCry. This is the bit this document will talk about, not the worm.
During Infection.
=================
When WannaCry is first run, the process takes a fair bit of time (about a minute on my VM) before all files are encrypted.
Firstly, it creates a bunch of files in its initial directory:
b.wnry = background image
c.wnry = tor browser link
f.wnry = list of files ("free" list?)
r.wnry = "your files are encrypted" text
s.wnry = zip file of tor thingy
t.wnry = looks like zipped file
u.wnry = contains RSA2 and "mail to" stuff
/msg folder, which it fills with different files containing the same shitty message in different languages.
It also creates the following which are crypto key related:
00000000.eky
00000000.pky
00000000.res
And the following that I couldn't be bothered about investigating:
taskdl.exe
taskse.exe
@WanaDecryptor@.exe
Then it creates a batch file that contains the following (but can't remember where it was run - my memory has holes in it):
@echo off
echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs
echo SET om = ow.CreateShortcut("%s%s")>> m.vbs
echo om.TargetPath = "%s%s">> m.vbs
echo om.Save>> m.vbs
cscript.exe //nologo m.vbs
del m.vbs
The following registry entry is created:
HKEY_LOCAL_MACHINE\SOFTWARE\WanaCrypt0r but the key I cannot remember. Either sd or md or wd or something.
The following registry entry is read too:
[insert key here - I can't remember it - it is the RSA provider key held at "SOFTWARE/Microsoft/Crypto provider" or something]
...or just look at this...
Stack SS:[0012F7B8]=001546A0, (ASCII "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\")
EDI=00154730, (ASCII "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)")
Also, the computer name and the user account SIDs (S-1-5-etc.) are read and stored.
0012F39C 0012F3A8 UNICODE "S-1-5-XX-XXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXX" (no, the X's weren't on the original pasting)
So, once these files have been created, the following steps are run for each 'victim' file it wants to encrypt:
- Get size of file.ext (in hex)
- Get times of file.ext (creation,access,modify)
- Reads 8 bytes from file
- Creates file.ext.WNCRYT
- Writes 8 bytes containing "WANACRY!" to file.ext.WNCRYT
- Writes 4 bytes containing hex "00 01 00 00" to file.ext.WNCRYT (this didn't change in my tests)
- Writes 0x100 (256) bytes to file.ext.WNCRYT (obviously, this changes)
- Writes 4 bytes to file.ext.WNCRYT
- Writes 8 bytes (size of file as this matches original file count in hex) to file.ext.WNCRYT
- Reads 1048576 bytes from file.ext (guessing this is done in "blocks", a bit like several encryption algorithms...)
- ***ENCRYPTION OCCURS*** in the following call:
- 10002055 E8 E6480000 CALL 10006940
- ***** AFTER ENCRYPTION *****
- Writes 32 bytes to file.ext.WNCRYT
01570030 79 E9 63 18 3C 6B CC 5E 83 E3 12 3A B2 A4 01 09
- Sets the file time of file.ext.WNCRYT to what was stored earlier
- Closes file handle for file.ext
- Changes extension from file.ext.WNCRYT to file.ext.WNCRY
- Sets file attributes of file.ext.WNCRY to "NORMAL"
- Reopens file.ext
- Gets file size of file.ext
- Uses CryptGenRandom with the below to acquire data the size of file.
....which, in this example, returns 0x13 (19) bytes:
000EE324 F3 4C 12 35 C5 5F E3 41 30 8A B5 F5 E0 2A FB C4
000EE334 63 F3 DF
- Writes "random" data to file.ext
- Flushes file buffer of file.ext
- Sets file pointer to 0 (start of file)
- Writes "random" data to file (again)? - makes no difference to file or timestamp.
- Close file handle.
So, in a nutshell it: writes an encrypted copy of the file, wrapped in a header holding its own details about the file, then overwrites the original file with random data before deleting it. Sneaky bastards, trying to get round those wanting to recover the file with forensic carving software such as Foremost and Scalpel.
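The per-file layout those steps describe, as an added example (my own code, not the author's and not taken from the malware): a small Python parser for the .WNCRY container built from the field order above. It assumes the 4-byte and 8-byte fields are little-endian (inferred from 00 01 00 00 being the 0x100 length of the blob that follows), constructs its own sample file, and uses placeholder values for the 256-byte blob and the unexplained 4-byte field, since the notes above do not give them.

```python
import struct

MAGIC = b"WANACRY!"
HEADER_LEN = 8 + 4 + 256 + 4 + 8   # the fields listed above, in order


def parse_wncry(data):
    """Split a .WNCRY file into the fields the notes enumerate.
    Raises ValueError if the layout does not match, so it doubles as a
    structural check when triaging carved or recovered files."""
    if len(data) < HEADER_LEN:
        raise ValueError("too short to be a WNCRY file")
    if data[:8] != MAGIC:
        raise ValueError("missing WANACRY! magic")
    # 4-byte little-endian field seen as 00 01 00 00 -> 0x100, which is
    # exactly the length of the 256-byte blob written right after it
    blob_len = struct.unpack_from("<I", data, 8)[0]
    if blob_len != 0x100:
        raise ValueError("unexpected blob length %#x" % blob_len)
    blob = data[12:12 + blob_len]
    off = 12 + blob_len
    flag = struct.unpack_from("<I", data, off)[0]          # the "4 bytes" step
    orig_size = struct.unpack_from("<Q", data, off + 4)[0]  # original file size
    body = data[off + 12:]                                  # encrypted content
    return {"blob": blob, "flag": flag, "orig_size": orig_size, "body": body}


def build_sample(plaintext_len, body):
    """Constructed sample in the layout above. No real encryption happens:
    'body' is whatever bytes the caller passes, standing in for ciphertext,
    and the blob and flag value are placeholders, not values from a real file."""
    blob = bytes(range(256))
    return (MAGIC + struct.pack("<I", 0x100) + blob
            + struct.pack("<I", 4) + struct.pack("<Q", plaintext_len) + body)


def looks_like_wncry(data):
    """True when the bytes carry a well-formed WNCRY header."""
    try:
        parse_wncry(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = build_sample(19, b"X" * 32)
    print(parse_wncry(sample)["orig_size"], looks_like_wncry(b"MZ" + sample[2:]))
```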
And I think that's about it.
But guess what? From my tests (about 5 or maybe 6 runs) I found that the ONLY files that were affected were files on the host machine. Files on a connected thumb drive were left untouched!
Which files are affected?
==========================
WannaCry only targets files that have the following extensions:
.der .pfx .key .crt .csr .p12
.pem .odt .ott .sxw .stw .uot
.3ds .max .3dm .ods .ots .sxc
.stc .dif .slk .wb2 .odp .otp
.sxd .std .uop .odg .otg .sxm
.mml .lay .lay6 .asc .sqlite3
.sqlitedb .sql .accdb .mdb .db
.dbf .odb .frm .myd .myi .ibd
.mdf .ldf .sln .suo .cs .c .cpp
.pas .h .asm .js .cmd .bat .ps1
.vbs .vb .pl .dip .dch .sch .brd
.jsp .php .asp .rb .java .jar .class
.sh .mp3 .wav .swf .fla .wmv .mpg
.vob .mpeg .asf .avi .mov .mp4 .3gp
.mkv .3g2 .flv .wma .mid .m3u .m4u
.djvu .svg .ai .psd .nef .tiff .tif
.cgm .raw .gif .png .bmp .jpg .jpeg
.vcd .iso .backup .zip .rar .7z .gz .tgz
.tar .bak .tbk .bz2 .PAQ .ARC .aes
.gpg .vmx .vmdk .vdi .sldm .sldx .sti
.sxi .602 .hwp .snt .onetoc2 .dwg
.pdf .wk1 .wks .123 .rtf .csv .txt
.vsdx .vsd .edb .eml .msg .ost .pst
.potm .potx .ppam .ppsx .ppsm .pps .pot
.pptm .pptx .ppt .xltm .xltx .xlc .xlm
.xlt .xlw .xlsb .xlsm .xlsx .xls .dotx
.dotm .dot .docm .docb .docx .doc
And that's about it.
Thanks for reading.
If I decide to investigate further then I will send updates via Twitter.
All the best,
gerbil.
@gerbilByte
CREDITS
=======
Kudos to Hacker Fantastic (@hackerfantastic) for providing the wcry2.0 sample.
Extra Stuff I just thought I'd dump in this document
====================================================
When looking through my notes from the investigation, I noticed the following. I can't remember exactly where this was run (it was over a week ago), but thought I'd add it anyway...
Kill some services:
100058D3 6A 00 PUSH 0
100058D5 6A 00 PUSH 0
100058D7 68 74D80010 PUSH 1000D874 ; ASCII "taskkill.exe /f /im Microsoft.Exchange.*"
100058DC E8 9FB7FFFF CALL 10001080
100058E1 6A 00 PUSH 0
100058E3 6A 00 PUSH 0
100058E5 68 54D80010 PUSH 1000D854 ; ASCII "taskkill.exe /f /im MSExchange*"
100058EA E8 91B7FFFF CALL 10001080
100058EF 6A 00 PUSH 0
100058F1 6A 00 PUSH 0
100058F3 68 30D80010 PUSH 1000D830 ; ASCII "taskkill.exe /f /im sqlserver.exe"
100058F8 E8 83B7FFFF CALL 10001080
100058FD 6A 00 PUSH 0
100058FF 6A 00 PUSH 0
10005901 68 0CD80010 PUSH 1000D80C ; ASCII "taskkill.exe /f /im sqlwriter.exe"
10005906 E8 75B7FFFF CALL 10001080
1000590B 6A 00 PUSH 0
1000590D 6A 00 PUSH 0
1000590F 68 ECD70010 PUSH 1000D7EC ; ASCII "taskkill.exe /f /im mysqld.exe"
Bitcoin Wallets:
00401EB0 C745 F4 88F4400>MOV DWORD PTR SS:[EBP-C],wcry.0040F488 ; ASCII "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"
00401EB7 C745 F8 64F4400>MOV DWORD PTR SS:[EBP-8],wcry.0040F464 ; ASCII "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw"
00401EBE C745 FC 40F4400>MOV DWORD PTR SS:[EBP-4],wcry.0040F440 ; ASCII "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn"
File types affected:
See above.
Files/libraries read (on my system):
C:\WINDOWS\system32\attrib.exe
C:\WINDOWS\system32\rsaenh.dll
C:\WINDOWS\system32\crypt32.dll
C:\WINDOWS\WindowsShell.Manifest
advapi32.dll
Something-but-probably-nothing dumps:
00003b910 20 20 20 20 20 20 70 75 62 6c 69 63 4b 65 79 54 publicKeyT
00003b920 6f 6b 65 6e 3d 22 36 35 39 35 62 36 34 31 34 34 oken="6595b64144
00003b930 63 63 66 31 64 66 22 0d 0a 20 20 20 20 20 20 20 ccf1df"..
00401BB2 |. 6A 63 PUSH 63 ; /WideBufSize = 63 (99.)
00401BB4 |. F3:AB REP STOS DWORD PTR ES:[EDI] ; |
00401BB6 |. 66:AB STOS WORD PTR ES:[EDI] ; |
00401BB8 |. 8D85 38FFFFFF LEA EAX,DWORD PTR SS:[EBP-C8] ; |
00401BBE |. 50 PUSH EAX ; |WideCharBuf
00401BBF |. 6A FF PUSH -1 ; |StringSize = FFFFFFFF (-1.)
00401BC1 |. 68 ACF84000 PUSH wcry.0040F8AC ; |StringToMap = "koaycinczf058"
00401BC6 |. 6A 00 PUSH 0 ; |Options
00401BC8 |. 6A 00 PUSH 0 ; |CodePage = CP_ACP
00401BCA |. FF15 78804000 CALL DWORD PTR DS:[<&KERNEL32.MultiByteT>; \MultiByteToWideChar
1000D563 74 20 52 45 47 5F 53 5A 20 2F 64 20 22 5C 22 25 t REG_SZ /d "\"%
1000D573 73 5C 22 22 20 2F 66 00 00 48 4B 43 55 5C 53 4F s\"" /f..HKCU\SO
1000D583 46 54 57 41 52 45 5C 4D 69 63 72 6F 73 6F 66 74 FTWARE\Microsoft
1000D593 5C 57 69 6E 64 6F 77 73 5C 43 75 72 72 65 6E 74 \Windows\Current
1000D5A3 56 65 72 73 69 6F 6E 5C 52 75 6E 00 00 25 73 20 Version\Run..%s
1000D5B3 25 73 00 00 00 74 61 73 6B 73 65 2E 65 78 65 00 %s...taskse.exe.
0012F4C8 0012F4D4 UNICODE "\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernel32"
004074CB - function call with arg WNcry@2ol7
00420FD0 63 6D 64 2E 65 78 65 00 2F 63 20 76 73 73 61 64 cmd.exe./c vssad
00420FE0 6D 69 6E 20 64 65 6C 65 74 65 20 73 68 61 64 6F min delete shado
00420FF0 77 73 20 2F 61 6C 6C 20 2F 71 75 69 65 74 20 26 ws /all /quiet &
00421000 20 77 6D 69 63 20 73 68 61 64 6F 77 63 6F 70 79 wmic shadowcopy
00421010 20 64 65 6C 65 74 65 20 26 20 62 63 64 65 64 69 delete & bcdedi
00421020 74 20 2F 73 65 74 20 7B 64 65 66 61 75 6C 74 7D t /set {default}
00421030 20 62 6F 6F 74 73 74 61 74 75 73 70 6F 6C 69 63 bootstatuspolic
00421040 79 20 69 67 6E 6F 72 65 61 6C 6C 66 61 69 6C 75 y ignoreallfailu
00421050 72 65 73 20 26 20 62 63 64 65 64 69 74 20 2F 73 res & bcdedit /s
00421060 65 74 20 7B 64 65 66 61 75 6C 74 7D 20 72 65 63 et {default} rec
00421070 6F 76 65 72 79 65 6E 61 62 6C 65 64 20 6E 6F 20 overyenabled no
00421080 26 20 77 62 61 64 6D 69 6E 20 64 65 6C 65 74 65 & wbadmin delete
00421090 20 63 61 74 61 6C 6F 67 20 2D 71 75 69 65 74 00 catalog -quiet.
004210A0 76 73 00 00 63 6F 00 00 66 69 00 00 31 33 41 4D vs..co..fi..13AM
004210B0 34 56 57 32 64 68 78 59 67 58 65 51 65 70 6F 48 4VW2dhxYgXeQepoH
004210C0 6B 48 53 51 75 79 36 4E 67 61 45 62 39 34 00 00 kHSQuy6NgaEb94..
0040F4B0 00 00 00 00 47 6C 6F 62 61 6C 5C 4D 73 57 69 6E ....Global\MsWin
0040F4C0 5A 6F 6E 65 73 43 61 63 68 65 43 6F 75 6E 74 65 ZonesCacheCounte
0040F4D0 72 4D 75 74 65 78 41 00 74 61 73 6B 73 63 68 65 rMutexA.tasksche
0040F4E0 2E 65 78 65 00 00 00 00 54 61 73 6B 53 74 61 72 .exe....TaskStar
0040F4F0 74 00 00 00 74 2E 77 6E 72 79 00 00 69 63 61 63 t...t.wnry..icac
0040F500 6C 73 20 2E 20 2F 67 72 61 6E 74 20 45 76 65 72 ls . /grant Ever
0040F510 79 6F 6E 65 3A 46 20 2F 54 20 2F 43 20 2F 51 00 yone:F /T /C /Q.
0040F520 61 74 74 72 69 62 20 2B 68 20 2E 00 57 4E 63 72 attrib +h ..WNcr
0040F530 79 40 32 6F 6C 37 00 00 2F 69 00 00 01 00 00 00 y@2ol7../i.. ...