PotatoPwn
WannaCry Analysis


This is my analysis of the WannaCry ransomware, which I performed while I was studying in the TCM malware analysis lab.




Executive Summary

MD5: db349b97c37d22f5ea1d1841e3c89eb4

WannaCry is a ransomware worm that spreads with the EternalBlue exploit against the SMBv1 service (MS17-010). Because the exploit runs code inside the kernel-mode SMB driver, the malware arrives on a target with SYSTEM-level privileges and does not need to escalate. Once running, it probes the local subnet for other machines (ARP traffic was observed during this phase), creates a hidden folder under C:\ into which it unpacks a Tor client used for the Bitcoin ransom payment, and then encrypts user files, skipping SYSTEM32 and the other files the operating system needs to keep running.



High-Level Technical Summary

WannaCry first attempts to connect to hxxp[://]www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. If the connection succeeds the sample exits; if it fails, the malware proceeds as normal, encrypting files and trying to spread to other hosts vulnerable to EternalBlue. It unpacks into a hidden folder under C:\, installs tasksche.exe for persistence (a dropped executable, not a Task Scheduler job), scans the local network for other hosts, encrypts the files on disk, and finally starts scanning random Internet IP addresses for hosts with the same vulnerability.

[Graph: execution flow]



Basic Static Analysis

[strings1] The kill-switch URL is visible as a plain-text string

[strings2] An icacls command is run against a file with the hidden attribute set

[IATS] Multiple kernel32.dll functions are imported through the IAT

[IATS] Virtual size and raw size of the sections are similar, so the file is probably not packed
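The three static checks above (pull printable strings, read the import/section table, compare each section's virtual size to its raw size) can be scripted so the "probably not packed" verdict is repeatable. The following is an added example, not code from the original post or from TCM: it parses the PE section table with the standard library alone, applies a simple packing heuristic, and pulls out the strings that match the indicators seen on this page. The PE images it runs on are constructed in the script (a synthetic header plus a few planted strings), not WannaCry bytes; the icacls string and the 2x size ratio are assumptions chosen for the demonstration.

```python
import re
import struct

# Kill-switch domain from the strings output above.
KILLSWITCH = b"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"
# Indicator patterns: the domain, and an icacls invocation (assumed pattern,
# modelled on the "icacls ..." string shown in the strings2 screenshot).
IOC_PATTERNS = [re.compile(KILLSWITCH), re.compile(rb"^icacls\b")]

IMAGE_SCN_MEM_EXECUTE = 0x20000000


def extract_strings(data, min_len=6):
    """Rough equivalent of the `strings` tool: printable ASCII runs >= min_len."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group() for m in re.finditer(pattern, data)]


def parse_sections(data):
    """Walk MZ -> e_lfanew -> PE\\0\\0 -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size  # COFF header is 20 bytes, then the optional header
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        name, vsize, _va, rsize, _rptr, _, _, _, _, chars = fields
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rsize,
            "characteristics": chars,
        })
    return sections


def looks_packed(sections, ratio=2.0):
    """Names of executable sections whose virtual size is far larger than the
    bytes stored on disk (or that have no raw data at all), the classic sign of
    a packer stub that unpacks into reserved memory. An empty list means the
    "virtual size ~ raw size" observation from the page holds."""
    flagged = []
    for s in sections:
        if not s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            continue
        if s["raw_size"] == 0 or s["virtual_size"] > ratio * s["raw_size"]:
            flagged.append(s["name"])
    return flagged


def triage(data):
    """One-shot static triage: section table, packing verdict, IOC strings."""
    sections = parse_sections(data)
    iocs = [s for s in extract_strings(data) if any(p.search(s) for p in IOC_PATTERNS)]
    return {"sections": sections, "packed": looks_packed(sections), "iocs": iocs}


def build_test_pe(sections, payload=b""):
    """Construct a minimal PE image for offline testing. Synthetic test input,
    not WannaCry bytes: DOS header, PE signature, COFF header with a zero-length
    optional header, section table, then the payload bytes."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, rsize, 0x400, 0, 0, 0, 0, chars)
        for name, vsize, rsize, chars in sections
    )
    return bytes(dos) + b"PE\0\0" + coff + table + payload


# Constructed sample resembling the page's observations: code section whose
# sizes nearly match, kill-switch URL and an icacls command in the strings.
SAMPLE = build_test_pe(
    [(b".text", 0x5000, 0x4E00, 0x60000020), (b".data", 0x2000, 0x1800, 0xC0000040)],
    b"\0\0http://www." + KILLSWITCH + b".com\0\0icacls . /grant Everyone:F /T /C /Q\0",
)
# Constructed packed layout: executable section with no raw bytes on disk.
PACKED = build_test_pe([(b"UPX0", 0x20000, 0, 0xE0000080), (b"UPX1", 0x8000, 0x7C00, 0xE0000040)])

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("packed", PACKED)):
        print(label, triage(blob))
```

Running the script against a real file is a matter of `triage(open(path, "rb").read())`; the packing heuristic is deliberately coarse (section size ratio only, no entropy), which is enough to reproduce the judgement made from the screenshot but should be paired with an entropy check on anything that is borderline.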


Dynamic Analysis

[killswitchcheck] Checks whether it can connect to the URL; if it can, it does not execute, if it cannot, it executes as normal

[arpcall] ARP traffic as the sample enumerates other devices on the subnet before checking them for the vulnerability

[zombiescanning] Starts scanning hosts on the Internet, allowing it to spread to any host on which the vulnerability is found

[smbconnect] Connects to a remote SMB host and to a local one using anonymous (null) credentials

[artifacts] Tor files are unpacked here, alongside the ransom notes demanding payment

Advanced Static Analysis

[killswitchcheck] Checks whether it can connect to the URL and continues if it cannot; confirmed by patching the "Jump if Not Equal" instruction, after which the binary executed under the opposite condition

[failandsuccesscondition] The left graph shows the instructions executed when the binary cannot connect to the URL; the right graph shows the path taken when it can
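The branch shown in those two graphs, and the patched variant used to confirm it, can be written out as a small decision function, and the same domain gives defenders a detection: any DNS lookup for the kill-switch name is a host that ran the sample. The following is an added example, not code from the original post; it emulates the check with an injected connector so it runs offline (the real sample issues a full HTTP request, which this simplifies to a TCP connect), and runs a lookup scan over a few constructed DNS log lines in an assumed "timestamp client type qname" format. The client addresses and the other query names in the log are made up.

```python
import re
import socket

# Kill-switch host from the dynamic analysis above.
KILLSWITCH_HOST = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def should_detonate(connect, patched=False):
    """Emulate the branch the disassembly shows. `connect(host)` is injected so
    the logic runs offline; it must raise OSError when the host is unreachable.
    A successful connection means "do nothing"; a failure means "encrypt and
    spread". patched=True models the flipped JNE described above, which
    inverts the outcome."""
    try:
        connect(KILLSWITCH_HOST)
        reachable = True
    except OSError:
        reachable = False
    return reachable if patched else not reachable


def tcp_connect(host, timeout=3.0):
    """Real connector for a lab box with egress: TCP/80 only, no HTTP request
    (a simplification of what the sample does)."""
    with socket.create_connection((host, 80), timeout=timeout):
        return True


def stub_reachable(host):
    """Stub standing in for a resolving (sinkholed) domain."""
    return True


def stub_unreachable(host):
    """Stub standing in for no DNS answer or blocked egress."""
    raise OSError("name does not resolve")


# Constructed DNS query log (timestamp, client, record type, query name).
DNS_LOG = """\
2022-10-24T10:01:02Z 10.0.0.15 A www.microsoft.com
2022-10-24T10:01:05Z 10.0.0.23 A www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2022-10-24T10:01:09Z 10.0.0.23 A wpad.corp.local
2022-10-24T10:02:11Z 10.0.0.42 A WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+(\S+)\s*$")


def killswitch_lookups(log_text):
    """Return (timestamp, client) for every query of the kill-switch name,
    case-insensitively and ignoring a trailing dot. Any such lookup means that
    host executed the sample; whether it went on to encrypt depends on whether
    the connection succeeded, so each hit is a machine to isolate and patch."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts, client, qname = m.groups()
        if qname.lower().rstrip(".") == KILLSWITCH_HOST:
            hits.append((ts, client))
    return hits


if __name__ == "__main__":
    print("unpatched, domain reachable   ->", should_detonate(stub_reachable))
    print("unpatched, domain unreachable ->", should_detonate(stub_unreachable))
    print("patched, domain reachable     ->", should_detonate(stub_reachable, patched=True))
    print("kill-switch lookups:", killswitch_lookups(DNS_LOG))
```

One caveat the emulation makes visible: an isolated analysis VM with no DNS is exactly the "unreachable" branch, so the sample detonates there by default; supplying a fake resolver that answers for the domain is the cheap way to study the quiet path without patching the binary.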

Yara Rule

rule Wannacry {

	meta:
		last_updated = "2022-10-24"
		author = "Potatech"
		description = "Were da Wannacry at tho"

	strings:
		// kill-switch domain seen in the plain strings output
		$strings1 = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea" ascii
		$strings2 = "WINDOWS"
		// name of the dropped persistence executable
		$strings3 = "tasksche.exe"

	condition:
		// uint16(0) == 0x5A4D is "MZ" at offset 0. In YARA "and" binds
		// tighter than "or", so the alternatives are grouped explicitly;
		// otherwise the MZ check would only apply to the first branch and
		// any text file mentioning the domain and tasksche.exe would match.
		uint16(0) == 0x5A4D and
		$strings1 and ($strings2 or $strings3)

}
Written on October 24, 2022



