Analysis Of A Sample Of Wannacry Ransomware

INTRODUCTION

Definition of terms

Malware, or malicious software, is any program or file intentionally harmful to a computer, network or server. Types of malware include computer viruses, worms, Trojan horses, spyware and ransomware. Ransomware is malware that employs encryption to hold a victim's information to ransom: a user's or organization's critical data is encrypted so that they cannot access files, databases or applications, and a ransom is then demanded in exchange for restoring access. WannaCry is a well-known example of ransomware.

What is WannaCry ransomware?

The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It propagated through EternalBlue, an exploit developed by the United States National Security Agency (NSA) for older Windows systems. The WannaCry code can take advantage of any existing DoublePulsar infection (a back door), or install it itself.
A Kaspersky Lab study reported, however, that less than 0.1 per cent of the affected computers were running Windows XP, and that 98 per cent of the affected computers were running Windows 7. Before Microsoft provided the corresponding patches, it also affected older versions of Windows other than the two mentioned above.
When executed, the WannaCry malware first checks the kill switch domain name; if it is not found, then the ransomware encrypts several types of documents and then appends the extension “.WNCRY” to them, then attempts to exploit the SMB vulnerability (CVE-2017-0144) to spread out to random computers on the Internet.
It arrives on the infected computer in the form of a dropper, a self-contained program that extracts the other application components embedded within itself.

Those components include:

• An application that encrypts and decrypts data
• Files containing encryption keys.
• A copy of Tor, used for command-and-control communications with the ransomware gang.

A few key events happen when your network has WannaCry installed on it:

• File creation specifically for encrypting files with WannaCry’s own document extension.
• Outbound traffic for SMBv1’s ports TCP 445 and 139.
• DNS queries for the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.
• Creates Windows registry entries such as:
i. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = “\tasksche.exe”
ii. HKLM\SOFTWARE\WanaCrypt0r\wd = “”
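As an added example (not part of the original report), the following Python script triages host and network event lines against the indicators listed above: the kill-switch DNS query, outbound SMBv1 ports, ".WNCRY" file creation, and the Run-key and WanaCrypt0r registry entries. The "<type> key=value" line format and the sample events are constructed for this example.

```python
"""Match constructed endpoint/network events against WannaCry indicators."""
import re
from collections import Counter

KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SMB_PORTS = {445, 139}                      # SMBv1 ports used for spreading
ENCRYPTED_EXT = ".wncry"                    # extension appended to victims' files
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
WANACRYPT_KEY = r"hklm\software\wanacrypt0r"

# Assumed event format for this example: '<type> key=value key="quoted value"'.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events (not from the analysed sandbox run).
SAMPLE_EVENTS = [
    r'dns query=iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com rcode=NXDOMAIN',
    r'net dst=192.168.56.20 dport=445 proto=tcp',
    r'net dst=104.16.173.80 dport=80 proto=tcp',
    r'file op=create path="C:\Users\user\Documents\report.docx.WNCRY"',
    r'reg op=set key="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" value="\tasksche.exe"',
    r'reg op=set key="HKLM\SOFTWARE\WanaCrypt0r\wd" value=""',
]

def parse_event(line):
    """Split a line into its type and a dict of key=value fields."""
    kind, _, rest = line.strip().partition(" ")
    return kind, {k: (q or u) for k, q, u in FIELD_RE.findall(rest)}

def classify(line):
    """Return the names of the WannaCry indicators one event line matches."""
    kind, f = parse_event(line)
    hits = []
    if kind == "dns" and f.get("query", "").lower() == KILL_SWITCH_DOMAIN:
        hits.append("kill_switch_dns")
    if kind == "net" and f.get("dport", "").isdigit() and int(f["dport"]) in SMB_PORTS:
        hits.append("smb_outbound")
    if kind == "file" and f.get("path", "").lower().endswith(ENCRYPTED_EXT):
        hits.append("wncry_file_created")
    if kind == "reg":
        key = f.get("key", "").lower()
        if key.startswith(RUN_KEY) and "tasksche.exe" in f.get("value", "").lower():
            hits.append("run_key_tasksche")
        if key.startswith(WANACRYPT_KEY):
            hits.append("wanacrypt0r_key")
    return hits

def triage(lines):
    """Count indicator hits over all lines; return (counts, flagged lines)."""
    counts, flagged = Counter(), []
    for line in lines:
        hits = classify(line)
        if hits:
            counts.update(hits)
            flagged.append((line.strip(), hits))
    return counts, flagged

def is_wannacry_like(counts):
    """SMB traffic alone is normal; require two distinct host-side indicators."""
    return sum(1 for k in counts if k != "smb_outbound") >= 2
```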

The following sections discuss the artefacts, indicators of compromise (IoCs), tactics, techniques and procedures (TTPs), and prevention and mitigation recommendations in detail.

IOCs

Basic properties

Below are the properties of the binary file used for analysis.

MD5 : db349b97c37d22f5ea1d1841e3c89eb4
SHA-1 : e889544aff85ffaf8b0d0da705105dee7c97fe26
SHA-256 : 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
Vhash : 036046651d6570b8z201cpz31zd025z
Authentihash : 1646cad4fe91337460de0d4c2c5451095023e74bdab331642aaca12647b72f46
Imphash : 9ecee117164e0b870a53dd187cdd7174
Rich PE header hash: 09c088bc95bf88e6f4df4d6ca904611b
SSDEEP: 98304:wDqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3R:wDqPe1Cxcxk3ZAEUadzR8yc4gB
TLSH: T1B70633A8962DA1BCF0050DB044928557EBFB3C57B7BA5A2FCF4045660D43B6F9BC0E61
File type: Win32 EXE
Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID: Win32 Executable MS Visual C++ (generic) (38.8%)
TrID: Microsoft Visual C++ compiled executable (generic) (20.5%)
TrID: Win64 Executable (generic) (13%)
TrID: Win32 Dynamic Link Library (generic) (8.1%)
TrID: Win16 NE executable (generic) (6.2%)
File size: 3.55 MB (3723264 bytes)
PEiD packer: Microsoft Visual C++
Cyren packer: rsrc

Names:

• wannacry
• lhdfrgui.exe
• 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe
• wcry.bin
• CB007530Sample.bin
• 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.bin

Adversaries:

Lazarus Group & TeleBots

Process and Services Actions

Below are the processes observed during analysis of the WannaCry sample.

1316 - C:\DOCUME~1\Miller\LOCALS~1\Temp\db349b97c37d22f5ea1d1841e3c89enalysis_subject.exe
1428 - **.exe
1972 - C:\DOCUME~1\Miller\LOCALS~1\Temp\KKI2429s.exe
2092 - %SAMPLEPATH%\lhdfrgui.exe
2096 - %WINDIR%\explorer.exe
2344 - %windir%\System32\svchost.exe -k WerSvcGroup
2716 - %SAMPLEPATH%
2812 - %windir%\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2880 - C:\Windows\System32\wuapihost.exe
304 - C:\DOCUME~1\Miller\LOCALS~1\Temp\db349b97c37d22f5ea1d1841e3c89enalysis_subject.exe
3064 - wmiadap.exe /F /T /R
456 - C:\DOCUME~1\Miller\LOCALS~1\Temp\u4Idx.exe
4608 - 'C:\Users\user\Desktop\software.exe'
612 - C:\Windows\System32\svchost.exe
656 - C:\DOCUME~1\Miller\LOCALS~1\Temp\db349b97c37d22f5ea1d1841e3c89enalysis_subject.exe
856 - %windir%\system32\wbem\wmiprvse.exe

Network documentation

HTTP requests

• iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, HTTP method GET
• iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, HTTP method GET, response code 200

Addresses

Domains: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
Hosts: 104.16.173.80, 192.168.56.20

Tactics, Techniques & Procedures (TTPs)

The sample's observed behaviour maps to the following MITRE ATT&CK tactics, techniques and procedures.

Tactic 1: Execution

Technique 1.1: Scripting T1064

Procedure 1.1.1: Command shell drops VBS files
Procedure 1.1.2: Executes visual basic scripts
Procedure 1.1.3: Executes batch files

Tactic 2: Persistence

Technique 2.1: Registry Run Keys / Startup Folder T1547.001

Procedure 2.1.1: Stores files to the Windows startup directory

Technique 2.2: Services File Permissions Weakness T1574.010

Procedure 2.2.1: Uses cacls to modify the permissions of files

Tactic 3: Privilege Escalation

Technique 3.1: Process Injection T1055

Procedure 3.1.1: Creates a process in suspended mode (likely to inject code)
Procedure 3.1.2: Spawns processes

Technique 3.2: Registry Run Keys / Startup Folder T1547.001

Procedure 3.2.1: Stores files to the Windows startup directory

Technique 3.3: Services File Permissions Weakness T1574.010

Procedure 3.3.1: Uses cacls to modify the permissions of files

Tactic 3 (continued): Defence Evasion

Technique 3.4: Masquerading T1036

Procedure 3.4.1: Creates files inside the volume driver (system volume information)
Procedure 3.4.2: Drops PE files to the Windows directory (C:\Windows) and starts them
Procedure 3.4.3: Drops files with a non-matching file extension (content does not match the file extension)
Procedure 3.4.4: Creates files inside the user directory
Procedure 3.4.5: Creates files inside the system directory
Procedure 3.4.6: Drops PE files to the Windows directory (C:\Windows)

Technique 3.5: Process Injection T1055

Procedure 3.5.1: Creates a process in suspended mode (likely to inject code)
Procedure 3.5.2: Spawns processes

Technique 3.6: Scripting T1064

Procedure 3.6.1: Command shell drops VBS files
Procedure 3.6.2: Executes visual basic scripts
Procedure 3.6.3: Executes batch files

Technique 3.7: File Deletion T1070.004

Procedure 3.7.1: May delete shadow drive data (may be related to ransomware)

Technique 3.8: Modify Registry T1112

Procedure 3.8.1: Uses reg.exe to modify the Windows registry

Technique 3.9: Virtualization/Sandbox Evasion T1497

Procedure 3.9.1: May sleep (evasive loops) to hinder dynamic analysis

Technique 3.10: Hidden Files and Directories T1564.001

Procedure 3.10.1: Creates files in the recycle bin to hide itself

Technique 3.11: Services File Permissions Weakness T1574.010

Procedure 3.11.1: Uses cacls to modify the permissions of files

Tactic 4: Discovery

Technique 4.1: Application Window Discovery T1010

Procedure 4.1.1: Sample monitors window changes (e.g. starting applications); analyse the sample with the simulation cookbook

Technique 4.2: Remote System Discovery T1018

Procedure 4.2.1: Reads the hosts file

Technique 4.3: Process Discovery T1057

Procedure 4.3.1: Queries a list of all running processes

Technique 4.4: System Information Discovery T1082

Procedure 4.4.1: Reads software policies
Procedure 4.4.2: Checks the free space of hard-drives
Procedure 4.4.3: Queries the volume information (name, serial number, etc.) of a device
Procedure 4.4.4: Queries the cryptographic machine GUID

Technique 4.5: File and Directory Discovery T1083

Procedure 4.5.1: Enumerates the file system
Procedure 4.5.2: Reads in files

Technique 4.6: Network Share Discovery T1135

Procedure 4.6.1: Connects to many different private IPs via SMB (likely to spread or exploit)

Technique 4.7: Virtualization/Sandbox Evasion T1497

Procedure 4.7.1: May sleep (evasive loops) to hinder dynamic analysis

Tactic 5: Command and Control

Technique 5.1: Application Layer Protocol T1071

Procedure 5.1.1: Performs DNS lookups
Procedure 5.1.2: Downloads files from webservers via HTTP
Procedure 5.1.3: Uses HTTPS

Technique 5.2: Multi-hop Proxy T1090.003

Procedure 5.2.1: Installs Tor (Internet anonymizer)

Technique 5.3: Non-Application Layer Protocol T1095

Procedure 5.3.1: Performs DNS lookups
Procedure 5.3.2: Downloads files from webservers via HTTP

Technique 5.4: Ingress Tool Transfer T1105

Procedure 5.4.1: Tries to download HTTP data from a sinkhole host
Procedure 5.4.2: Downloads files from webservers via HTTP

Technique 5.5: Non-Standard Port T1571

Procedure 5.5.1: Detected TCP or UDP traffic on non-standard ports

Technique 5.6: Encrypted Channel T1573

Procedure 5.6.1: Uses HTTPS
Procedure 5.6.2: Uses HTTPS for network communication; use the SSL MITM Proxy cookbook for further analysis

Tactic 6: Impact

Technique 6.1: Data Encrypted for Impact T1486

Procedure 6.1.1: Modifies user documents (likely ransomware behaviour)

Technique 6.2: Inhibit System Recovery T1490

Procedure 6.2.1: Uses bcdedit to modify the Windows boot settings