Practical Malware Analysis & Triage Malware Analysis Report WannaCry.exe

• Table of Contents
• Tell the World
• Executive Summary
• High-Level Technical Summary
• Malware Composition
• Basic Static Analysis
• Basic Dynamic Analysis
• Advanced Static Analysis
• Advanced Dynamic Analysis
• Indicators of Compromise
• Network Indicators
• Host-based Indicators
• Rules & Signatures
• Appendices

Tell the World

• This was the final task to complete for the PMAT course I took from TCM Security Academy.
• A big thank you to the course creator, Matt Kiely (also known as HuskyHacks), the CEO of TCM Security Heath Adams, and everyone involved in creating this fantastic course.
• Course Link: Practical Malware Analysis & Triage
• My name is Sameer Fakhoury, and this is my malware analysis report.
• I hope you'll enjoy reading it !!

Executive Summary

• MD5 hash: db349b97c37d22f5ea1d1841e3c89eb4
• SHA256 hash: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
• WannaCry.exe is a type of crypto ransomware, a form of malicious software (malware) used by cybercriminals to extort money, typically in the form of bitcoin. This ransomware works by encrypting important files, rendering them unreadable. The main WannaCry.exe executable have packed multiple other executables, containing commands to change file permissions and ownership. It also attempts to connect to a specific URL when executed. If it successfully connects, it remains inactive; however, if it fails to reach the URL, it proceeds to encrypt your files. Additionally, if the URL connection fails, a second stage of the malware is activated, installing related files and binaries in a hidden folder.

High-Level Technical Summary

• This executable operates in two stages. In the first stage, upon execution, it attempts to connect to a specific URL. If the connection is successful, no further action is taken. However, if it fails to connect, a second stage is triggered, resulting in the installation of an executable and hidden folder, followed by the encryption of files and data.

Malware Composition

Basic Static Analysis

• INetSim is a software suite that simulates common internet services (like HTTP, FTP, DNS) to safely analyze the behavior of malware in a controlled environment.
• REMnux is a Linux-based distribution specifically designed for reverse-engineering and analyzing malware, offering a collection of tools for tasks such as static and dynamic analysis, memory forensics, and network monitoring.
• Note: we need to turn off INetSim before detonating. WannaCry will not detonate if INetSim is running, I’ll explain why later

1. changing the name to Ransomware.wannacry.exe and run as administrator we will get this screen, that observed symptoms of infection from initial detonation

1. we have @WanaDecryptor@.exe that appears on the Desktop, as the same executable that is responsible for the RED message we have on the screen
2. The Desktop Background Picture
3. we have files that got the WNCRY extension
4. and cosmo.jpeg have been corrupted we can’t open it
2. going back to the clean snapshot for encryption that was made by that ransomware executable and we will begin the analysis if that executable
3. checking the hash values of that executable using md5sum and sha256sum,then check for any related information from threat intelligence platforms as VirusTotal


1. as we see the executable is a well known ransomware, and it is categorized as trojan and a worm
1. A Trojan is a type of malware disguised as legitimate software, tricking users into installing it, which then allows unauthorized access or control over the infected system.
2. A worm is a self-replicating malware that spreads across networks without requiring user interaction, exploiting vulnerabilities to propagate and potentially cause widespread damage.
2. so we need to take that as an important note for later deeper analysis
4. checking any suspicious strings using floss.exe that are allocated inside that executable, to make some hypotheses and have more general information about that executable
• floss.exe: uses advanced static analysis techniques to automatically extract and de-obfuscate all strings from malware binaries.

5. inspect the results we have inside that .txt file
1. we have !This program cannot be run in DOS mode. that was found multiple times



1. meaning that this executable have other packed executables in it
2. Multiple Windows API calls

1. we can raise a hypotheses that the Windows API that are under these !This program cannot be run in DOS mode. are related to the packed executables inside the main executable that we have
3. we have an executable name mssecsvc.exe

1. The mssecsvc.exe file is usually associated with WannaCry malware, but it disguises itself as Microsoft Security Center (2.0) Service, also known as wscsvc (Windows Security Center Service). [1]
4. we have encoded stings

5. we have PATH token replacement using %s and a URL indicator

1. http[:]//www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
6. we have icacls command executed and used cmd.exe

1. icacls is a command-line utility in Windows used to display or modify access control lists (ACLs) for files and directories. It can set file permissions, manage ownership, and configure inheritance.
2. The command icacls . /grant Everyone:F /T /C /Q performs the following actions:
1. .: Targets the current directory and all its contents.
2. /grant Everyone:F: Grants full control (F) permissions to the Everyone group, meaning all users will have complete access to the directory and its contents.
3. /T: Applies the permission changes to all files and subdirectories within the target directory recursively.
4. /C: Continues the operation even if errors occur. This is useful for bypassing any access-denied errors.
5. /Q: Suppresses success messages, making the command run quietly without displaying output for successful operations.
6. we need to inspect the import address table for the WannaCry executable using PEstudio
• PeStudio is a Malware analysis tool. It is used for statically analyzing malware samples, checking indicatorslibrariesimports and more
• checking the indicators section

1. we have three executables packed inside that executable, related to the results we saw in floss.exe for the DOS header
2. identifies the URL pattern same results we saw in floss.exe
3. we have file extensions as Wiper that where added to each file after they are encrypted
• checking the library section

1. we can identify the used Libraries that are responsible for opening and using a socket with internet usage also
• checking the imports section


1. we have couple Windows API that are related cryptography, same as the malware that is encrypting our files and data
2. we have couple Windows API related to internet use and socket opening, we can arias a hypotheses that this executable may connect back to a C2 server or IP
3. creating a services that may be for persistence technique

Basic Dynamic Analysis

1. turning on INetSim and running the Ransomware.wannacry.exe as administrator then check the Wireshark results inside the REMnux machine we have

1. after the TCP handshake we have a 200 OK http to this weird URL http[:]//www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com that we saw in the floss.exe results and PEstudio
2. the INetSim respond back as 200 OK to the Ransomware.wannacry.exe but the Ransomware.wannacry.exe didn’t execute as intended for the URL callback that it is attempting

3. if we kill the INetSim process and made an ipconfig /flushdns in FlareVm and re-execute Ransomware.wannacry.exe, what will do her that the Ransomware.wannacry.exe will fail to connect back to the http[:]//www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com then will encrypt our files and data , so we need to have INetSim turn off to dentate the Ransomware.wannacry.exe

1. what we need to do is that we need to capture these files connection that was made by the Ransomware.wannacry.exe so we will use tcpview.exe, and re run the Ransomware.wannacry.exe
2. using tcpview.exe, and re run the Ransomware.wannacry.exe
• Tcpview.exe is a Windows utility that provides a detailed overview of all active TCP and UDP network connections on a system, allowing users to monitor and manage these connections in real-time.

• we have a whole traffic that is going to multiple IP address, and these IP address aren’t reached by
• also it’s having the worm behavior as it’s trying to replicate it self to these IP address throw the network using the port 455 for smb
3. another process that spawns is taskhsvc.exe

1. this process is in listening mode on port 9050 and it’s listing to all interfaces on port 9050
2. checking online blogs related to taskhsvc.exe: WCry installs the Tor network anonymity software on the infected system in the TaskData folder within the malware’s working directory. The local Tor server is renamed and executed as taskhsvc.exe. Tor establishes a SOCKS5 proxy server on the loopback interface (127.0.0.1) that listens on TCP port 9050. WCry connects to this proxy and attempts to contact the configured C2 hidden services [2]
4. truing on procmon filtering on Ransomware.wannacry.exe
• Procmon (Process Monitor) is a powerful Windows tool that provides real-time monitoring of file system, registry, and process/thread activity, helping users diagnose and troubleshoot system issues or analyze the behavior of applications.

5. running Ransomware.wannacry.exe

6. we have the new executable created called taskhsvc.exe

7. checking the process tree

1. we see that taskhsvc.exe is unpacked from Ransomware.wannacry.exe and run with an argument /i
8. checking any related information form taskhsvc.exe as checking the PPID and making a filter on it


1. multiple registry keys are accessed and files where created
9. we need to check on file creation from taskhsvc.exe and making a filter on it


1. as we se we have a new directory that have been created
10. going to the new created directory

1. Note: you may see this directory name changes throw the report that’s because it’s a random name generated and it differ every time I re-run the Ransomware.wannacry.exe and go back to the clean snapshot

2. this is installed as a hidden directory, so taskhsvc.exe is a second stage of the Ransomware.wannacry.exe that is installing it self to a hidden directory qqilzrsxsgp500 with bunch of files and other data resources

Advanced Static Analysis

• Cutter is a free and open-source reverse engineering platform powered by rizin. It aims at being an advanced and customizable reverse engineering platform while keeping the user experience in mind.

1. opening the Ransomware.wannacry.exe in Cutter and check the main function with a Graph mode view

2. as we see the esi register is holding the URL that we saw earlier
• ESI and EDI → are used in string instructions as source and destination to save locations

3. after that we have an API call to InternetOpenUrlA that is responsible to  parses the URL string, establishes a connection to the server, and prepares to download the data identified by the URL

1. the contents of eax is moved to edi and then pushed to the stack
2. the esi contents that is the URL is pushed to the stack in order to be used with InternetOpenUrlA
4. checking InternetOpenUrlA function parameters [3]
Copy

HINTERNET InternetOpenUrlA(
  [in] HINTERNET hInternet,
  [in] LPCSTR    lpszUrl,
  [in] LPCSTR    lpszHeaders,
  [in] DWORD     dwHeadersLength,
  [in] DWORD     dwFlags,
  [in] DWORD_PTR dwContext
); 

5. checking the DE compiler results

1. the results of the InternetOpenUrlA is loaded back to the eax, and then loaded to the edi register, and the returned results of the InternetOpenUrlA is Boolean as 0 or 1
2. then the results are loaded to eax then edi, we have an if function that checks the results based on the edi value
6. checking the test instruction

1. the test instruction is making a Bitwise AND on it self edi,edi with a returned value to True if they are the equal as zero then the flag will be one and jump to the specified location
• Explaining test operation as an example: test will put a flag in the memory register ( different flags have different results value ) an check if ended result of eax,eax = zero = True → idea if the results from the upper API where succeeded eax will equal to zero and making Bitwise AND on it self eax,eax with a returned value to True
2. if it reaches to that URL then the executable will clean itself and exit it’s main execution
3. but if not it will jump to this function fcn.00408090 that is responsible of that encryption that we saw

Advanced Dynamic Analysis

•  x32dbg.exe is a legitimate executable of a debugging software which, when executed, imports x32bridge

1. going to to x32dbg to make the program execute even if it get results from that URL
• we need to run INetSim  on REMnux and execute Ransomware.wannacry.exe
• then load the Ransomware.wannacry.exe in x32dbg
• make a breakpoint on http[:]//www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com


2. going back and hit F9 to arrive to the breaking point we made

3. going to the test instruction and check the results of edi as the INetSim is running then it will have some values


1. so here the value of the ZF flag is set to zero as the results of the edi where false having reach out to the URL , and the JNE meaning that jump if the ZF flag was zero that means we will continue without going to the intended encryption function
4. changing the ZF flag to one that means even if the INetSim was running then we will go to the main encryption function

5. executing F8 till we hit the main encryption function we will have the ransomware encrypting files and data and running even if the INetSim was running

Indicators of Compromise

• Indicators of Compromise (IOCs) are signs that a system has been breached, such as unusual network traffic, file hashes, IP addresses, or domain names associated with known malicious activity. They help detect and respond to potential security incidents.

Network Indicators

• connection to http[:]//www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

• Whole traffic that is going to multiple IP address, and these IP address aren’t reached by

• taskhsvc.exe process is in listening mode on port 9050 and it’s listing to all interfaces on port 9050

Host-based Indicators

• When executing the executable we have @WanaDecryptor@.exe that appears on the Desktop, as the same executable that is responsible for the RED message we have on the screen, with files that have WNCRY extension

• New executable created called taskhsvc.exe

• Multiple registry keys are accessed and files where created

• New hidden directory that have been created from taskhsvc.exe containing files and binaries

Rules & Signatures

• YARA rules are malware detection patterns that are fully customizable to identify targeted attacks and security threats specific to your environment.

1. reuse the floss.exe to extract strings that will be used inside the YARA rule

rule wannacry { 
    meta:  
        report_info = "last task in PMAT course"
        author = "Sameer Fakhoury"
        last_update = "2024-08-24"
    
    strings:
        $s1 = "CryptAcquireContextA"
        $s2 = "CryptGenRandom"
        $s3 = "StartServiceA"
        $s4 = "CloseServiceHandle"
        $s5 = "CreateServiceA"
        $s6 = "OpenSCManagerA"
        $s7 = "SetServiceStatus"
        $s8 = "ChangeServiceConfig2A"
        $s9 = "RegisterServiceCtrlHandlerA"
        $s10 = "StartServiceCtrlDispatcherA"
        $s11 = "OpenServiceA"
        $s12 = "ADVAPI32.dll"
        $s13 = "WS2_32.dll"
        $s14 = "??1_Lockit@std@@QAE@XZ"
        $s15 = "??0_Lockit@std@@QAE@XZ"
        $dos_mode_string = "!This program cannot be run in DOS mode."
        $mssecsvc = "mssecsvc.exe"
        $tasksche = "tasksche.exe"
        $url = "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
    
    condition:
        $url or (
            (7 of ($s*))
            and $dos_mode_string
            and $mssecsvc
            and $tasksche
        )
}

2. execute the YARA rule on the ransomware executable

Appendices

• [1]: https://windowsreport.com/mssecsvc-exe/#:~:text=The mssecsvc.exe file is,PC as soon as possible
• [2]: Secureworks WCry (WannaCry) Ransomware Analysis
• [3]: QuinnRadich InternetOpenUrlA function (wininet.h) - Win32 apps