Shulou (Shulou.com), SLTechnology News&Howtos > Network Security, 06/01 report, updated 2025-03-04
Reverse Analysis of the WannaCry Ransomware Parent (Master) Program
0x01 Reverse analysis
All right, let's get to the point. I downloaded the WannaCry sample from here. I will skip the tedious unpacking and analysis details and try to walk through the whole process as quickly as possible.
First, the program computes an identifier through a function we will call getDisplayName. In essence it obtains the computer name via GetComputerNameW, then uses it to seed a random number generator and derive a unique identifier (we will call it DisplayName) that is used throughout the rest of the execution.
The program then performs the following steps; if any one of them fails, it exits.
Check that there are exactly two command-line arguments and that one of them is /i
Try to create a directory named after the DisplayName computed above under the ProgramData directory, or the Intel directory, or the system Temp directory
Set the attributes of this working directory to 6, i.e. 0x2 | 0x4 (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM), so it is marked hidden and system
Create a copy of itself named tasksche.exe
Start tasksche.exe as a service first, falling back to a normal process if that fails (the copy's entry path differs from that of the original file, which is how different logic is reached)
Decide whether the start-up succeeded by checking the mutex Global\MsWinZonesCacheCounterMutexA
The process only continues once all of the above steps have succeeded; otherwise it terminates.
Create the registry key HKEY_LOCAL_MACHINE\Software\WanaCrypt0r\wd and write the current path as its value
Release the PE files taskdl.exe and taskse.exe from the resource section. To evade antivirus, the PE files stored in the resource are encrypted and are decrypted during extraction, which is tedious to follow.
The extraction routine is passed a key-style parameter whose value is WNcry@2ol7.
Then read the c.wnry file in the current directory
If c.wnry is read successfully, the address 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 is obfuscated with a random number and written back to c.wnry. This string is the attacker's Bitcoin address, so the c.wnry file holds the obfuscated Bitcoin address.
[Figure: the c.wnry encryption routine, not reproduced here.] This encryption is very simple and takes only two statements to implement.
These three Bitcoin addresses are used by the automated tool of the temporary workaround below.
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Execute these two commands:
attrib +h .
icacls . /grant Everyone:F /T /C /Q
The attrib command marks the DisplayName working directory as hidden
The icacls command grants every user full control of the directory
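The installation steps above leave several host artefacts a defender can look for: a hidden+system directory under ProgramData, Intel or Temp that contains tasksche.exe, the mutex name, and the WanaCrypt0r registry key. The following triage function is an added example, not code from the article; it evaluates a constructed host snapshot (a hypothetical dictionary of the kind an EDR or collection script might export, not any real tool's output) and decodes the attribute bits the article mentions.

```python
"""Added example: triage a host snapshot for the WannaCry installation
artefacts described in the analysis.  The snapshot format is constructed
for this demo (assumption), not the output of any real tool."""

# Documented Win32 file attribute bits
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
FILE_ATTRIBUTE_DIRECTORY = 0x10
HIDDEN_SYSTEM = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM   # == 6, as in the article

# Indicators taken from the analysis above
MUTEX_NAME = r"Global\MsWinZonesCacheCounterMutexA"
REGISTRY_KEY = r"HKEY_LOCAL_MACHINE\Software\WanaCrypt0r\wd"
DROPPED_NAMES = {"tasksche.exe", "taskdl.exe", "taskse.exe", "c.wnry"}
# Parent directories the dropper tries, in order (Temp path is an assumed example)
PARENT_DIRS = (r"c:\programdata", r"c:\intel", r"c:\windows\temp")


def decode_attributes(mask):
    """Return the symbolic names of the attribute bits set in `mask`."""
    names = []
    if mask & FILE_ATTRIBUTE_HIDDEN:
        names.append("HIDDEN")
    if mask & FILE_ATTRIBUTE_SYSTEM:
        names.append("SYSTEM")
    if mask & FILE_ATTRIBUTE_DIRECTORY:
        names.append("DIRECTORY")
    return names


def triage(snapshot):
    """Return a list of human-readable findings for the snapshot."""
    findings = []
    for d in snapshot.get("directories", []):
        path = d["path"].lower()
        under_parent = any(path.startswith(p + "\\") for p in PARENT_DIRS)
        hidden_system = (d["attributes"] & HIDDEN_SYSTEM) == HIDDEN_SYSTEM
        dropped = DROPPED_NAMES & {f.lower() for f in d.get("files", [])}
        if under_parent and hidden_system and dropped:
            findings.append("suspicious dir %s attrs=%s files=%s" % (
                d["path"], "|".join(decode_attributes(d["attributes"])),
                ",".join(sorted(dropped))))
    if MUTEX_NAME in snapshot.get("mutexes", []):
        findings.append("mutex present: " + MUTEX_NAME)
    if any(k.lower() == REGISTRY_KEY.lower() for k in snapshot.get("registry_keys", [])):
        findings.append("registry key present: " + REGISTRY_KEY)
    return findings


# Constructed snapshots for the demo: one infected-looking host, one clean host.
INFECTED_SNAPSHOT = {
    "directories": [
        # 0x16 = DIRECTORY | SYSTEM | HIDDEN; the name is a made-up DisplayName
        {"path": r"C:\ProgramData\qwxvbsuhlbn123", "attributes": 0x16,
         "files": ["tasksche.exe", "c.wnry", "taskdl.exe"]},
        {"path": r"C:\ProgramData\Microsoft", "attributes": 0x10, "files": ["Windows"]},
    ],
    "mutexes": [r"Global\MsWinZonesCacheCounterMutexA", r"Global\SomeOtherMutex"],
    "registry_keys": [r"HKEY_LOCAL_MACHINE\Software\WanaCrypt0r\wd"],
}
CLEAN_SNAPSHOT = {
    "directories": [{"path": r"C:\ProgramData\Microsoft", "attributes": 0x10, "files": ["Windows"]}],
    "mutexes": [r"Global\SomeOtherMutex"],
    "registry_keys": [r"HKEY_LOCAL_MACHINE\Software\Microsoft"],
}

if __name__ == "__main__":
    for line in triage(INFECTED_SNAPSHOT):
        print(line)
```

Only the combination of location, attribute bits and dropped file names is reported for a directory, so a legitimately hidden system folder under ProgramData does not fire on its own.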
The next step is to resolve the required API addresses dynamically
First the file-related APIs in kernel32.dll
Then the encryption and decryption APIs in advapi32.dll
The CSP is the system default provider, and the algorithms are RSA and AES.
Encrypted files are given WANACRY! as a marker at the head of the file
The encryption targets nearly 200 file types, such as documents, text, virtual machines, archives, images, pictures, videos, music, source code, scripts, databases, e-mails, certificates, etc., covering almost everything, yet BitTorrent seed files are left alone. It seems that even here there are things one does and things one does not do.
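Because every encrypted file starts with the WANACRY! marker, a responder can enumerate affected files without relying on the .WNCRY extension. The scanner below is an added example and not the article's code. Only the magic is stated in the article; the header fields after it (a little-endian key length, the RSA-wrapped AES key, a type field and the original file size) follow public analyses of the format and are an assumption here, which the sample file constructed inside the block satisfies by construction.

```python
"""Added example: locate files carrying the WANACRY! marker and parse
their header.  Field layout after the magic is taken from public analyses
of the encrypted-file format and is an assumption, not from the article."""
import os
import struct
import tempfile

MAGIC = b"WANACRY!"
MAX_KEY_LEN = 4096           # sanity cap so a corrupt length cannot force a huge read


def parse_header(data):
    """Return None if `data` does not start with the marker, otherwise a dict.
    If the marker is present but the header is cut short, 'complete' is False."""
    if not data.startswith(MAGIC):
        return None
    off = len(MAGIC)
    info = {"complete": False}
    if len(data) < off + 4:
        return info
    (key_len,) = struct.unpack_from("<I", data, off)
    off += 4
    if key_len > MAX_KEY_LEN or len(data) < off + key_len + 12:
        return info
    off += key_len                                   # skip the RSA-wrapped AES key
    enc_type, original_size = struct.unpack_from("<IQ", data, off)
    off += 12
    info.update(complete=True, key_len=key_len, type=enc_type,
                original_size=original_size, ciphertext_offset=off)
    return info


def scan_directory(root):
    """Walk `root` and return sorted (relative path, header info) pairs for
    every file that starts with the WANACRY! marker."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(len(MAGIC) + 4 + MAX_KEY_LEN + 12)
            info = parse_header(head)
            if info is not None:
                hits.append((os.path.relpath(path, root), info))
    return sorted(hits)


def build_sample_dir():
    """Create a temp directory with constructed sample files for the demo."""
    root = tempfile.mkdtemp(prefix="wncry_demo_")
    # Constructed: 256-byte dummy wrapped key, type 4, original size 1234, fake ciphertext
    body = (MAGIC + struct.pack("<I", 256) + b"\x00" * 256
            + struct.pack("<IQ", 4, 1234) + b"\x11" * 32)
    with open(os.path.join(root, "report.docx.WNCRY"), "wb") as fh:
        fh.write(body)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"plain text, not encrypted")
    with open(os.path.join(root, "truncated.WNCRY"), "wb") as fh:
        fh.write(MAGIC + b"\x00\x01")              # marker present, header cut short
    return root


if __name__ == "__main__":
    for rel, info in scan_directory(build_sample_dir()):
        print(rel, info)
```

The original size recovered from the header is useful during triage even when the key cannot be recovered, because it lets a responder tally how much data was affected per directory.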
0x02 Temporary workaround automation tool
The idea of the temporary workaround circulating on the Internet is:
Obtain the transaction records of the collection address
Send someone else's ransom payment record (the transaction hash) to the attacker while pretending it is your own payment (quite the thief ^_^)
Transaction records can be looked up through https://btc.com/, but that requires the attacker's collection addresses, which we have already extracted above.
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
A Python automation script is circulating on the Internet; it has been optimized here, and since many people who are not in IT know nothing about Python, a plain exe program was also built to fetch the transaction records automatically.
Tool link: http://pan.baidu.com/s/1hsbwQaC password: p263
0x03 Closing
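Before an address like the three above is fed to a blockchain explorer, put on a watchlist or shared as an indicator, it is worth checking that it is a well-formed Bitcoin address rather than a transcription error. The validator below is an added example, not part of the article's tool: it decodes Base58Check, verifies the double-SHA256 checksum and reports the address type from the version byte. The three addresses it checks are the ones quoted in the article.

```python
"""Added example: validate Bitcoin addresses with Base58Check before using
them as indicators.  Uses only the standard library."""
import hashlib

ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
VERSION_NAMES = {0x00: "P2PKH", 0x05: "P2SH"}   # mainnet version bytes

# Collection addresses quoted in the analysis above
WANNACRY_ADDRESSES = [
    "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94",
    "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw",
    "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn",
]


def base58_decode(text):
    """Decode a Base58 string to bytes; leading '1's become leading zero bytes."""
    value = 0
    for ch in text:
        digit = ALPHABET.find(ch)
        if digit < 0:
            raise ValueError("invalid Base58 character %r" % ch)
        value = value * 58 + digit
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def validate_address(address):
    """Return a dict describing the address, or None if it is malformed."""
    try:
        raw = base58_decode(address)
    except ValueError:
        return None
    if len(raw) != 25:                      # version(1) + hash160(20) + checksum(4)
        return None
    payload, checksum = raw[:21], raw[21:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if expected != checksum:
        return None
    version = payload[0]
    return {"version": version,
            "type": VERSION_NAMES.get(version, "unknown"),
            "hash160": payload[1:].hex()}


def check_indicator_list(addresses):
    """Map each address to its validation result (None marks a bad entry)."""
    return {addr: validate_address(addr) for addr in addresses}


if __name__ == "__main__":
    for addr, info in check_indicator_list(WANNACRY_ADDRESSES).items():
        print(addr, info)
```

A single mistyped character changes the checksum, so a copy-paste error in an indicator list is caught here instead of producing a silent lookup of the wrong address.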
I have been sitting in front of the computer since the afternoon without getting up: analysing, coding, writing tools, and in a flash it is now the middle of the night; I can't keep this up. I can't write any more, so I'll rest for today. You can probably guess what else remains to be done: scan for hosts with port 445 open and SMBv1 enabled, then use the NSA's EternalBlue and DoublePulsar to achieve worm-style propagation.
Finally, the tools behind the culprit:
https://github.com/x0rz/EQGRP_Lost_in_Translation
https://github.com/misterch0c/shadowbroker
These are tools (without source code) that use a Python exploitation framework called Fuzzbunch, fb for short; how to use the framework is described here: http://www.freebuf.com/articles/system/133853.html
Microsoft patch information: https://blogs.technet.microsoft.com/msrc/2017/04/14/protecting-customers-and-evaluating-risk/
Article address: http://www.freebuf.com/vuls/134602.html
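The worm stage described above shows up on the network as one host opening SMB connections to many distinct peers in a short time. The detector below is an added example, not part of the article: it runs over constructed flow records (timestamp, source, destination, destination port, protocol; a made-up format, not any real sensor's output) and flags any source that reaches a threshold of distinct port-445 targets within a sliding time window. Applying the MS17-010 patch linked below and disabling SMBv1 remain the actual fix; this only helps spot a host that is already sweeping.

```python
"""Added example: flag hosts sweeping port 445 from constructed flow records.
The record format is made up for this demo (assumption)."""
from collections import defaultdict, deque
from datetime import datetime


def build_sample_flows():
    """Constructed flow lines: one sweeping host, one normal file-server user,
    one web client.  Format: '<iso timestamp> <src> <dst> <dport> <proto>'."""
    lines = []
    # 10.0.0.5 touches 25 distinct hosts on 445 within 25 seconds (worm-like)
    for i in range(25):
        lines.append("2017-05-12T10:00:%02d 10.0.0.5 10.0.0.%d 445 tcp" % (i, 20 + i))
    # 10.0.0.7 repeatedly uses the same file server and one printer share
    for i in range(5):
        lines.append("2017-05-12T10:01:%02d 10.0.0.7 10.0.0.50 445 tcp" % (i * 10))
    lines.append("2017-05-12T10:02:00 10.0.0.7 10.0.0.51 445 tcp")
    # 10.0.0.9 browses many web servers, which is not SMB and must not count
    for i in range(30):
        lines.append("2017-05-12T10:03:%02d 10.0.0.9 93.184.216.%d 80 tcp" % (i, i + 1))
    return "\n".join(lines)


def parse_flows(text):
    """Parse the constructed flow format into dicts with a datetime timestamp."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                                   # skip malformed lines
        ts, src, dst, dport, proto = parts
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto})
    return flows


def detect_smb_sweeps(flows, threshold=10, window_seconds=60):
    """Return {src: {'first_seen': ts, 'distinct_targets': n}} for every source
    that reached `threshold` distinct port-445 destinations inside any
    `window_seconds`-long window.  distinct_targets is the largest count seen."""
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] == 445 and f["proto"] == "tcp":
            by_src[f["src"]].append(f)
    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        recent = deque()
        for r in recs:
            recent.append(r)
            while (r["ts"] - recent[0]["ts"]).total_seconds() > window_seconds:
                recent.popleft()
            distinct = len({x["dst"] for x in recent})
            if distinct >= threshold:
                if src not in alerts:
                    alerts[src] = {"first_seen": recent[0]["ts"], "distinct_targets": distinct}
                else:
                    alerts[src]["distinct_targets"] = max(alerts[src]["distinct_targets"], distinct)
    return alerts


if __name__ == "__main__":
    for src, info in detect_smb_sweeps(parse_flows(build_sample_flows())).items():
        print(src, info)
```

Counting distinct destinations rather than raw connection attempts keeps a busy but legitimate client of a single file server below the threshold, which is the case the second constructed host exercises.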