Thursday, November 9, 2017

During Infection.
=================

When WannaCry is first run, the process takes a fair bit of time (about a minute on my VM) before all files are encrypted. Firstly, it creates a bunch of files in its initial directory:

  • b.wnry = background image
  • c.wnry = tor browser link
  • f.wnry = list of files (“free” list?)
  • r.wnry = “your files are encrypted” text
  • s.wnry = zip file of tor thingy
  • t.wnry = looks like zipped file
  • u.wnry = contains RSA2 and “mail to” stuff
  • /msg folder, which it fills with different files containing the shitty message in different languages.

It also creates the following, which are crypto key related:

  • 00000000.eky
  • 00000000.pky
  • 00000000.res

And the following, which I couldn’t be bothered about investigating:

  • taskdl.exe
  • taskse.exe
  • @WanaDecryptor@.exe

It also writes out a batch file from this template (the %s are printf-style placeholders filled in at runtime), which writes and runs a small VBScript that creates a shortcut, then deletes the script:

  @echo off
  echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs
  echo SET om = ow.CreateShortcut("%s%s")>> m.vbs
  echo om.TargetPath = "%s%s">> m.vbs
  echo om.Save>> m.vbs
  cscript.exe //nologo m.vbs
  del m.vbs

The following registry entry is created: HKEY_LOCAL_MACHINE\SOFTWARE\WanaCrypt0r, but the key I cannot remember. Either sd or md or wd or something. The following registry entry is read too: [insert key here – I can’t remember it – it is the RSA provider key held at “SOFTWARE/Microsoft/Crypto provider” or something] …or just look at this…

  Stack SS:[0012F7B8]=001546A0, (ASCII "SOFTWARE\Microsoft\Cryptography\Defaults\Provider\")
  EDI=00154730, (ASCII "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)")

Also, the computer name and the user accounts (S-1-5-etc.) are read and stored:

  0012F39C 0012F3A8 šó . UNICODE "S-1-5-XX-XXXXXXXXX-XXXXXXXXX-XXXXXXXXXX-XXX"

(no, the X’s weren’t on the original pasting)

So, once these files have been created, the following steps are run for each ‘victim’ file it wants to encrypt:

  • Get size of file.ext (in hex)
  • Get times of file.ext (creation, access, modify)
  • Reads 8 bytes from file
  • Creates file.ext.WNCRYT
  • Writes 8 bytes containing “WANACRY!” to file.ext.WNCRYT
  • Writes 4 bytes containing hex “00 01 00 00” to file.ext.WNCRYT (this didn’t change in my tests):
      0012E008 00 01 00 00
  • Writes 0x100 (256) bytes to file.ext.WNCRYT (obviously, this changes)

  • Writes 4 bytes to file.ext.WNCRYT (guessing it was 04 00 00 00 or something, maybe a counter?)
  • Writes 8 bytes (size of file, as this matches the original file size in hex) to file.ext.WNCRYT:
      0012E034 13 00 00 00 00 00 00 00
  • Reads 1048576 bytes from file.ext (guessing this is done in “blocks”, a bit like several encryption algorithms… 😉)
  • ***ENCRYPTION OCCURS*** in the call that follows:
      10002055 E8 E6480000 CALL 10006940
  • ***** AFTER ENCRYPTION *****
  • Writes 32 bytes to file.ext.WNCRYT:
      01570020 75 6F A7 CE 5A BD 5F 84 38 47 39 AF 7C 4B 70 68
      01570030 79 E9 63 18 3C 6B CC 5E 83 E3 12 3A B2 A4 01 09
  • Sets the file time of file.ext.WNCRYT to what was stored earlier
  • Closes file handle for file.ext
  • Changes extension from file.ext.WNCRYT to file.ext.WNCRY
  • Sets file attributes of file.ext.WNCRY to “NORMAL”
  • Reopens file.ext
  • Gets file size of file.ext
  • Uses CryptGenRandom to acquire data the size of the file, which in this example returns 0x13 (19) bytes:
      000EE324 F3 4C 12 35 C5 5F E3 41 30 8A B5 F5 E0 2A FB C4
      000EE334 63 F3 DF
  • Writes “random” data to file.ext
  • Flushes file buffer of file.ext
  • Sets file pointer to 0 (NULL)
  • Writes “random” data to file (again)? – makes no difference to file or timestamp.
  • Closes file handle.

So, in a nutshell, it copies an encrypted version of the file, encapsulated with its own details of the file, then overwrites the original file with random data before deleting it. Sneaky bastards trying to get round those wanting to get back the file with forensic software such as Foremost and Scalpel.
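Putting the observed write sequence together, here is an added example (mine, not code from the original post) that splits a .WNCRY file into the fields listed above, the sort of check you would run when triaging encrypted files. It assumes the 4-byte “00 01 00 00” is a little-endian length (0x100) of the 256-byte block that follows, and that the encrypted payload is the original size rounded up to a multiple of 16, as in the 19-byte file that produced a 32-byte payload; neither interpretation is stated in the post, and the sample file is constructed.

```python
import struct

MAGIC = b"WANACRY!"
# magic (8), key-blob length (4), key blob (256), 4-byte field, original size (8)
HEADER_FMT = "<8sI256sIQ"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 280 bytes before the encrypted payload


def parse_wncry(data: bytes) -> dict:
    """Split a .WNCRY file into the fields the observed write sequence describes.

    Raises ValueError when the layout does not match that sequence."""
    if len(data) < HEADER_LEN:
        raise ValueError("file shorter than a WNCRY header")
    magic, key_len, key_blob, field4, orig_size = struct.unpack_from(HEADER_FMT, data)
    if magic != MAGIC:
        raise ValueError("missing WANACRY! marker")
    # 00 01 00 00 little-endian is 0x100 = 256, the size of the block that follows;
    # treating it as a length field is an assumption, not something the post states.
    if key_len != 256:
        raise ValueError(f"unexpected key-blob length {key_len:#x}")
    payload = data[HEADER_LEN:]
    # Observed: a 19-byte file gave a 32-byte payload, i.e. the original size rounded
    # up to a multiple of 16 (assumption: block-cipher padding).
    if len(payload) < orig_size or len(payload) % 16:
        raise ValueError("encrypted payload does not match the original file size")
    return {
        "key_blob": key_blob,        # the 256 changing bytes, kept for later analysis
        "field4": field4,            # the 4-byte field the post guesses at
        "original_size": orig_size,
        "payload_len": len(payload),
        "header_len": HEADER_LEN,
    }


def build_sample() -> bytes:
    """Constructed sample matching the post's sizes (19-byte file, 32-byte payload)."""
    key_blob = bytes(range(256))     # constructed stand-in, not a real key blob
    payload = b"\xaa" * 32           # constructed stand-in for the ciphertext
    return struct.pack(HEADER_FMT, MAGIC, 256, key_blob, 4, 19) + payload


if __name__ == "__main__":
    print(parse_wncry(build_sample()))
```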
Which files are affected?
==========================

WannaCry only targets files that have the following extensions:

.der .pfx .key .crt .csr .p12 .pem .odt .ott .sxw .stw .uot .3ds .max .3dm .ods .ots .sxc .stc .dif .slk .wb2 .odp .otp .sxd .std .uop .odg .otg .sxm .mml .lay .lay6 .asc
.sqlite3 .sqlitedb .sql .accdb .mdb .db .dbf .odb .frm .myd .myi .ibd .mdf .ldf .sln .suo .cs .c .cpp .pas .h .asm .js .cmd .bat .ps1 .vbs .vb .pl .dip .dch .sch .brd .jsp .php .asp .rb .java .jar .class .sh
.mp3 .wav .swf .fla .wmv .mpg .vob .mpeg .asf .avi .mov .mp4 .3gp .mkv .3g2 .flv .wma .mid .m3u .m4u .djvu .svg .ai .psd .nef .tiff .tif .cgm .raw .gif .png .bmp .jpg .jpeg .vcd .iso
.backup .zip .rar .7z .gz .tgz .tar .bak .tbk .bz2 .PAQ .ARC .aes .gpg .vmx .vmdk .vdi .sldm .sldx .sti .sxi .602 .hwp .snt .onetoc2 .dwg .pdf .wk1 .wks .123 .rtf .csv .txt .vsdx .vsd .edb .eml .msg .ost .pst
.potm .potx .ppam .ppsx .ppsm .pps .pot .pptm .pptx .ppt .xltm .xltx .xlc .xlm .xlt .xlw .xlsb .xlsm .xlsx .xls .dotx .dotm .dot .docm .docb .docx .doc

And that’s about it.
