About one month ago, the Shadow Brokers hacker group published a set of NSA hacking tools, that included zero-day exploits. One of these exploits is known as the ETERNALBLUE Server Message Block Protocol (SMB) vulnerability (MS17-010).
It was only a matter of time before the inevitable happened. A malware author used this vulnerability to spread ransomware globally, infecting 57,000 computers in more than 150 different countries and shutting down 16 hospitals across the United Kingdom.
Let’s look at the malware analysis of the ransomware known as Wanna Decryptor (a.k.a. ‘WannaCry’) and see what happened.
Analysis
When WanaDecrypt0r (WannaCry) was first analyzed in VMRay Analyzer by one of our customers it generated a maximum VMRay Threat Identifier (VTI) score of 100/100 (the maximum score for malicious behavior). However, when we uploaded the malware again with a standard configuration (including open access to the internet) it came up with a relatively low VTI score. The reason for this is that the malware first does a lookup of the domain “iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com” to see if it already exists. If the connection to the domain succeeds, the malware exits. Otherwise, if the domain connection fails, it will start the infection.
We can speculate that this mechanism was built by the malware author as a kill switch to control or stop the infection spread. A now-famous malware researcher who goes by the handle @malwaretechblog found this out not long after WannaCry started spreading and registered this domain with the intent to do more research. As a happy side effect, he stopped the ransomware spread in its tracks.
Figure 1: Lookup to see if the domain exists
At the time of the last analysis, the domain was sinkholed (in other words, the malware could connect to the domain but it was controlled by the researcher), hence the low score. As we mentioned earlier, a prior analysis when the domain was unavailable gave a score of 100/100, the maximum score for malicious behavior. Shortly after, our reputation engine blacklisted the file.
With this knowledge, we uploaded the malware again with a different configuration. Under “configure networking” we selected the network configuration “isolate” for all jobs and ran the analysis. As we expected, the VTI score is now much higher at 100/100.
Figure 2: Wanna Decryptor VTI Scores 100/100 on an isolated network
The process graph shows the malware starting hundreds of child processes, which can be confusing, but the main routine is straightforward and very similar to other ransomware. There is one unusual aspect in that this ransomware acts also as a worm. The reason for these hundreds of processes is the ransomware starts an executable instead of a text document after finishing with the encryption of a particular folder.
Figure 3: Wana Decrypt0r Process Graph
In this isolated configuration, the domain check fails and the malware starts running. The first action it does is to start itself as a service with the parameter “-m security”. Then it loads “tasksche.exe” out of the resources and drops it into the system folder. This executable is responsible for the ransomware function of the malware. The started service is the worm component that tries to infect other victims over the network via the ETERNALBLUE SMB vulnerability (MS17-010).
Figure 4: Service scans the network to infect other victims over MS17-010
In the behavior section, we can see a world map that looks like a plague outbreak, caused by the network scan as WannaCry searches for potential victims, that is, machines vulnerable to the SMB exploit.
Figure 5: Wanna Decryptor Behavior Worldmap
These two parts run independently. The encryption routine starts to encrypt every file which has a listed suffix like “pdf”, “doc” or “jpeg” etc.
Figure 6: Partial list of the files encrypted
The encryption routine passes recursively through every folder and encrypts every file that matches the predefined suffix list. If every file in a folder is encrypted it drops a copy of “WanaDecryptor” named “@WanaDecryptor@.exe” into the folder and starts it.
Further, the process “Tasksche.exe” starts “@wanadecryptor@.exe” with the arguments “vs”.
cmd.exe /c start /b @WanaDecryptor@.exe vs
Figure 7: Start “@wanadecrytor@.exe” with argument “vs”
This argument starts a routine that uses the Microsoft tool “Vssadmin” to delete all backups and shadowcopy to make sure there is no way to recover the now-encrypted files on the computer.
vssadmin delete shadows /all /quiet & wmic shadowcopy delete &
bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default}
recoveryenabled no & wbadmin delete catalog -quiet
Figure 8: vssadmin deletes all backups and shadowcopies
To run every time Windows starts (persistence), it also adds a startup @entry to the registry.
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v
“cxhtclkohdy356” /t REG_SZ /d
“\”C:\ProgramData\cxhtclkohdy356\tasksche.exe\”” /f
Figure 9: Add a startup to the registry
After finishing the encryption, a fairly typical ransomware wallpaper is set and a popup dialog tells us that all our files are now encrypted. We are asked to pay an amount of $600 in a few days in order to recover our files.
Figure 10: New wallpaper set by Wanna Decryptor
Figure 11: Wanna Decryptor – Debit Account Dialog
View the Full Wanna Decryptor Ransomware Analysis
References
