
Posted on 23-Jan-2020



CS 495/595 Project: Analysis of Wannacry Ransomware (Fall 19’)

Due Date: Dec. 8th 23:59:59 EST

Old Dominion University, Norfolk, VA 23529

Instructor: Dr. Cong Wang

***By opening this document, you acknowledge the following terms. Wannacry will cause file loss and system crashes if handled inappropriately. Please make sure:

1) You have updated your host Windows 7/8/10 to the latest version.

2) You have taken a snapshot of the VM.

3) The malware is only downloaded inside the VM and only placed inside the VM, NOT on your local disks.

4) Do not ever store the malware file on your local drive or attempt to spread/execute this malware on your local computer or in the local network/campus/lab.

5) You will be responsible for any file loss/system crash if you accidentally run the program on your local computer.

6) The malware sample provided is only for study purposes in this course and MUST NOT be used or distributed elsewhere for any other purpose.

7) Disable the VM network after you have downloaded the malware. ***

After you have read these instructions and agree to all the terms above, please sign below:

Printed Name: Sign here: Date:

The unzip password is: bWFsd2FyZQ==

***The password is encoded with a method we learned in class. You will need to decode it first.***


MUST READ BEFORE YOU PROCEED:

Grading scheme: In this project, you will be guided through the process of analyzing Wannacry, but I will not provide as much detail as I did in the homework. Whenever you have a question, you will be on your own to figure it out. Try your best; the answers will be evaluated towards the final grade of the project. Quality and presentation of the project are also important. Poor presentation (formatting, typos, low-resolution figures, etc.) will reduce your project grade by at least 30%. The recommendation is to submit your final project as a PDF and clearly mark your answers to each question.

To enjoy all the features of IDAPro (except Python), let us use version 6.8, which should be located here:

**The install_pass.txt contains the installation password you will use. There will be a warning related to python26.dll once you start IDAPro 6.8; just ignore it.**

To disable the VM network, click here in the right corner of the VM:

Or set the Host-only Adapter.


1. Background of Wannacry (answer in less than 1 page) (5 pts)

1.1 Describe what Wannacry will do to your computer and its impact globally.

1.2 What types of operating systems will be affected? What exploit does Wannacry use? What were Microsoft's and the NSA's responses to this incident?

1.3 Briefly describe what bitcoin is, why it is untraceable and how it links to the underground economy.

1.4 Discuss what happens when ransomware is combined with bitcoin. Is there any way to trace it?

2. Analysis – (Open wcry.warning.zzz with IDAPro) (5 pts)

2.1 You can see I purposely changed the name into wcry.warning.zzz to make sure you do not accidentally double-click it and make it run. Look over the imports of the program. What interesting imports can you find? (Hints: file, directory, registry, service, encryption) Briefly explain what those functions do by referencing the MSDN – one sentence for each function.

2.2 Open the file in PEiD. Is it packed? Why? (Take a screenshot and explain.) Use the Krypto ANALyzer (KANAL) plugin in PEiD to see the crypto used. Can you guess what kind of crypto algorithm is used, and explain? (e.g. AES, RC4, etc.) What crypto functions are used? Explain their purposes via MSDN.

2.3 From the imports, our guess is that the program is using a service. Let us jump to sub_401F5D. We see:

We see a hard-coded .exe file name, which could be a duplicate of the ransomware in the system. Then click into sub_401CE8 and look only at the function calls: what can you conclude sub_401CE8 is doing? (Hint: after you have made your conclusion, rename sub_401CE8 into startservice.) In sub_401CE8, can you find the service name? In the malware analysis book, it is usually hard-coded; is it the same here? If you cannot find it, just answer that you cannot find such a name, but you need to take a screenshot to prove where such a service name is set, even if it is empty at this point.

2.4 Then we start to see an if code construct here:

Click into sub_401EFF. Can you find the mutex name created? Explain how you trace it and why you think this is a mutex name. (Hints: start from OpenMutexA, trace lpName->eax->…)

***Note the “push offset aSD” and the sprintf there, which appends some constant to the mutex name – so the correct mutex name should be XXXXXXXXXX0 or XXXXXXXXX1, ….., etc.

You will need to find both this constant and the mutex name. Note that the Wannacry author is smart here: if the anti-virus program only blocks the mutex name XXXXXXXX, the malware would still start, since the actual mutex name has a constant appended (which could be either hard-coded or dynamic).***

Rename sub_401EFF into openmutex. Briefly explain why a mutex is also used by WannaCry, according to what we learned in the lecture.
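As an added illustration (not part of the handout, and not WannaCry's own code), the following Python shows why blocking a mutex name by exact match misses the suffixed names described above, and how a suffix-aware rule covers them. The base name ExampleMutexBase and the observed names are constructed placeholders, since the real name is withheld above.

```python
import re

# Constructed sample values: the real mutex base name is withheld on the handout
# (shown there as XXXXXXXX), so a placeholder base and made-up suffixes are used.
MUTEX_BASE = "ExampleMutexBase"   # placeholder for the hard-coded base name

OBSERVED_MUTEXES = [              # constructed names a sandbox might report
    "ExampleMutexBase0",          # base + appended constant 0
    "ExampleMutexBase1",          # base + appended constant 1
    "ExampleMutexBase",           # bare base name
    "ExampleMutexBaseX",          # non-numeric suffix, should not match
    "OtherMutex",                 # unrelated mutex
]


def exact_block(observed, base=MUTEX_BASE):
    """Naive rule: block only when the name equals the base exactly."""
    return observed == base


def suffix_aware_block(observed, base=MUTEX_BASE):
    """Rule that also covers the base followed by a numeric constant
    (the kind appended with sprintf in the handout's note)."""
    pattern = re.compile(r"^" + re.escape(base) + r"\d*$")
    return pattern.match(observed) is not None


def compare_rules(names=OBSERVED_MUTEXES):
    """Return which observed names each rule flags, exposing the coverage gap."""
    return {
        "exact": [n for n in names if exact_block(n)],
        "suffix_aware": [n for n in names if suffix_aware_block(n)],
    }


if __name__ == "__main__":
    for rule, hits in compare_rules().items():
        print(f"{rule:13s} -> {hits}")
```

The exact rule flags only the bare base name, while the suffix-aware rule also catches the two numeric variants and still ignores the unrelated names.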


3. [5 pts]

3.1 Now let us go to WinMain(x,x,x,x). We see a “call sub_401225”; go into this function.

We begin to see a function call (malware signature) and also some random number generation (e.g. a seed). Now we are going to use some advanced features of IDAPro by invoking the Local Win32 debugger. Select Debugger->Local Win32 debugger. Set a breakpoint before call sub_401225. Then Run. It should behave like what we did in OllyDbg, and you can also use F7 and F8.

Go into sub_401225 and press ‘F5’ to switch to Pseudocode. From the pseudocode, it is much easier to analyze. Answer the following questions: what is the random seed used? Is this unique for different computers, and why?

Set a breakpoint at 0x0040202F and look at EAX in the general registers window; it should hold the address 0x0040F8AC.

Find the Unique Identifier generated by Wannacry. An example from my VM is:

Attach a screenshot of what you have found.

3.2 Then we are facing a weird branch here.


Our hunch is that it is a SECRET command-line start-up, just like what we have seen in the course – only disassembling gives us such insight. It seems the program is comparing the argument with 2. If not equal, it will take the left branch; if equal, it will take the right branch. Confirm which branch the program will take by placing your mouse over “jnz short loc_40208E” and choosing “Run to Cursor”. You will see IDAPro drawing a Green Arrow that indicates which branch is taken. Attach a screenshot of this. (The Green Arrow is shown in the Debugger view of IDAPro.)

3.3 Let us put the proper argument as the parameter, as in the image attached (I purposely made a mistake in the screenshot). Debugger->Process Options

Then do that again. We should go into the right branch. Then F8 all the way until:


See inside sub_401B5F. We can see some path names such as C:\ProgramData, etc. Our guess is that it creates something inside these folders. Now let us F8 through sub_401B5F. Then go to C:\Intel or ProgramData, whichever folder exists. You will see a new folder has been created, and the folder name should be the unique identifier you found in Question 3. Take a screenshot of the folder you found with the malicious file in it. (***Funny thing: if neither Intel nor ProgramData exists, the program will create the Intel folder; if you create ProgramData yourself, the Intel folder will not be created.***)

***The folder inside ProgramData or Intel may be hidden; change the folder setting as shown above.***

[Bonus +1] Find, in the assembly code, which instructions set the folder to be hidden. Take a screenshot and explain.

3.4 Then let us stop the debugging process and continue with static analysis:

call sub_401F5D. Let us rename it “StartWannacry”. If we run this function call, the VM will be infected. Don’t worry; I hope you have taken a snapshot of the VM. Let us run to cursor at “.text:0040207F jz short loc_40208E” -> the line before StartWannacry. Then we will see a file called “tasksche.exe” dropped inside the folder created previously. Take a screenshot of the file and open this file with IDAPro. What is the purpose of this file? Is this similar to the original Wannacry program?

4. [5 pts]


4.1 Let’s proceed with our static analysis. ***If your VM has unfortunately been infected by WannaCry, please restore the previous snapshot.***

After “SetCurrentDirectoryA”, we see a function call “sub_4010FD”. Attached is a snapshot of its pseudocode:

What does this “sub_4010FD” function do? Where is the (key entry) created? Confirm that with Regshot (see a sample below). (Hint: for the second snapshot in Regshot, you can run to .text:004020C8, which is one instruction after call sub_4010FD, and compare.)


Then go to registry to find Wannacry. Take a screenshot. It should be under HKEY_LOCAL_MACHINE\....\....
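The Regshot comparison described in 4.1, as an added Python example that is not from the handout or from Regshot: two constructed registry snapshots (one taken before the call, one taken one instruction after it) are diffed to surface the key that appeared in between. The key path HKLM\SOFTWARE\PLACEHOLDER_WannaCryKey, the value names and all data are placeholders, since the handout elides the real path.

```python
# Constructed snapshots: registry key path -> {value name: data}. Everything here is
# made up for the demonstration; the key WannaCry actually creates is elided above.
SNAPSHOT_BEFORE = {
    r"HKLM\SOFTWARE\ExistingApp": {"Version": "1.0"},
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "Updater": r"C:\Program Files\Updater\u.exe",
    },
}

SNAPSHOT_AFTER = {
    r"HKLM\SOFTWARE\ExistingApp": {"Version": "1.1"},          # a benign change
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "Updater": r"C:\Program Files\Updater\u.exe",
    },
    r"HKLM\SOFTWARE\PLACEHOLDER_WannaCryKey": {               # placeholder for the new key
        "wd": r"C:\PLACEHOLDER\working_dir",
    },
}


def diff_snapshots(before, after):
    """Return the keys added, the keys removed, and the values that changed
    between two snapshots, in the spirit of Regshot's 1st/2nd shot compare."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = {}
    for key in set(before) & set(after):
        names = set(before[key]) | set(after[key])
        changed = {
            name: (before[key].get(name), after[key].get(name))
            for name in names
            if before[key].get(name) != after[key].get(name)
        }
        if changed:
            modified[key] = changed
    return {"added": added, "removed": removed, "modified": modified}


def added_keys_under(diff, hive_prefix):
    """Narrow the added keys to one hive or subtree, e.g. everything under HKLM."""
    return [k for k in diff["added"] if k.upper().startswith(hive_prefix.upper())]


if __name__ == "__main__":
    result = diff_snapshots(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    for section, content in result.items():
        print(f"{section}: {content}")
    print("new HKLM keys:", added_keys_under(result, r"HKLM\\"))
```

The added key is the one to look up in the registry for the screenshot; the modified entry shows how unrelated background changes also appear in a two-shot diff and have to be ruled out by hand.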

4.2 Now that we know the purpose of sub_4010FD, let us go on.

We see “WNcry@2ol7”, and this string is passed to “sub_401DAB”. Examine the function sub_401DAB. What does this function do?

4.3 Our guess is that WNcry@2ol7 is a hard-coded password used to unzip the resource. Let us confirm this. Use ResourceHacker in the Tools folder to open wannacry and save the resource as “wcry.zip”.

Unzip this; you will probably receive a warning that says your password is incorrect, but the resource will still be released into the folder wcry. Take a screenshot of the files inside the wcry folder. There should be two .exe files with a bunch of .wnry files and another folder, msg. Open that msg folder. What do you see?

[Bonus +1 pts] Explain why the malware author uses an encrypted zip for the resource sections.

4.4 Let us move on.


Click into sub_401E9E. We see a bunch of hard-coded hash-like strings and a random number with 3 as its bound. Those suspicious strings are the attacker’s Bitcoin addresses, and the program will randomly choose one Bitcoin address among the 3. Use www.blockchain.com or another blockchain website to trace the number of transactions and the money received by those Bitcoin addresses; what are the final balances? Sum up all the money received by those 3 addresses and convert the bitcoin into USD using Google (assuming the malware authors accumulated all the bitcoins and sold them around Dec. 2017). You will see how much money the attacker has made by spreading wannacry globally – the crazy thing is that there are actually people paying the ransom.

Show how you reach the final amount of money. Write one or two sentences to describe what you think. (Your thoughts will not be evaluated towards the final score.) For example, you may answer: I think it is a quick way of making money -> also say a little about the legal and social impact.

[Bonus +1]: We see a command line right before sub_401064:

Explain what this command does.

4.5 Then we click into sub_401064. What does this function do?

Now, let us retrace a bit. We have renamed “sub_401F5D” into start service, and we know the malware wants to start itself as a service. By observing the logic flow, we see this sub_401064 is running in parallel with “start service”. Explain what purpose the malware wants to achieve here.

4.6 After sub_401064, we see another function, sub_40170A. Using the cross-reference, we can see it calls another function:


Click into sub_401A45. It becomes interesting. From the keywords, we know that it deals with cryptography. Explain in one sentence what this function does. (Hints: generate keys? Encrypt files? Decrypt files? Share keys?)

4.7 Then we continue to sub_4012FD. Inside this function, we have another function that calls sub_4017DD. Examining sub_4017DD, we find a function called InitializeCriticalSection. Research the definition of a Critical Section and explain it briefly. Why does the malware want to initialize a critical section at this point?

5. [5 pts]

Next we see a filename, t.wnry; this file should have been extracted earlier. It should be storing the encryption keys, since the memory section in the previous question shows the keys are not hard-coded (of course). Then click into this: sub_4014A6. This one is very hard to analyze; all we can see is that it is creating a file and using WANACRY! (notice the typo of WANNACRY, which needs one more N, meaning the author may not be a native English speaker, or might be doing this purposely) to locate the head of t.wnry. The rest are all memory operations that are hard to understand.

Go back and look at the xrefs of sub_4014A6; we find that:


This sub_403A77 function has many subroutines and deserves further investigation.

Our guess is that this function decrypts a memory section. We use the Debugger to confirm this. Run to selection at “mov ecx, edi”. EAX should then hold the length of the decrypted data. Take a screenshot of EAX in the general registers window and denote this length by the variable $L$. After sub_403A77, EBX should be the starting address of the decrypted data in memory. Denote this address by the variable $ADDR$. Take a screenshot of EBX to see its value.

Let us dump the memory to a dump.dll file under C:\. Press Shift + F2 and paste the following IDC code into the script body. Remember to change the address and size variables according to what you have found above.

--------------------------------------------------------------------
// Dump $L$ bytes of debuggee memory, starting at $ADDR$, to C:\dump.dll.
// Replace $ADDR$ and $L$ with the EBX and EAX values recorded above.
auto file, fname, i, address, size, x;
address = $ADDR$;            // start of the decrypted data (EBX)
size = $L$;                  // length of the decrypted data (EAX)
fname = "C:\\dump.dll";
file = fopen(fname, "wb");   // open the output file for binary writing
for (i = 0; i < size; i++, address++)
{
    x = DbgByte(address);    // read one byte from the debuggee's memory
    fputc(x, file);          // and append it to the dump
}
fclose(file);
--------------------------------------------------------------------

The correct dll will be around 64 KB. Load the .dll file into IDAPro, you should be able to do that without error. Take a screenshot of the DllEntryPoint to prove you are successful.
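To check the dump before loading it into IDAPro, here is an added Python example (not part of the handout) that parses the DOS and COFF headers of a dumped file and reports whether it looks like a complete PE32 DLL. It also reports why a dump fails the check (wrong start address, truncated length), which are the two mistakes the $ADDR$ and $L$ values above are prone to. The build_sample_dll helper constructs a headers-only PE image for demonstration; it is not the real dump, and the machine, section count and entry point it uses are made up.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C   # COFF Machine value for 32-bit x86
IMAGE_FILE_DLL = 0x2000            # COFF Characteristics flag: image is a DLL
PE32_MAGIC = 0x010B                # optional header Magic for PE32


def build_sample_dll(num_sections=3, entry_point=0x1000):
    """Construct a minimal, headers-only PE32 DLL image (constructed test data)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"                                   # DOS signature
    struct.pack_into("<I", dos, 0x3C, e_lfanew)        # offset of the PE signature
    opt = bytearray(224)                               # PE32 optional header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_point)       # AddressOfEntryPoint
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, num_sections,
                       0, 0, 0, len(opt), IMAGE_FILE_DLL)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def inspect_pe(blob):
    """Parse the DOS and COFF headers of a memory dump and say whether it looks
    like a loadable DLL; 'problem' explains the most likely dumping mistake."""
    info = {"size": len(blob), "is_pe": False, "is_dll": False, "machine": None,
            "sections": None, "entry_point": None, "problem": None}
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        info["problem"] = "no MZ signature: the dump start address is probably wrong"
        return info
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        info["problem"] = "no PE signature at e_lfanew: dump truncated or not a PE"
        return info
    machine, sections, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", blob, e_lfanew + 4)
    info.update(is_pe=True, machine=machine, sections=sections,
                is_dll=bool(chars & IMAGE_FILE_DLL))
    opt_off = e_lfanew + 24
    if opt_size >= 20 and opt_off + opt_size <= len(blob):
        (magic,) = struct.unpack_from("<H", blob, opt_off)
        if magic == PE32_MAGIC:
            (info["entry_point"],) = struct.unpack_from("<I", blob, opt_off + 16)
    else:
        info["problem"] = "optional header truncated: the dump length is too short"
    return info


if __name__ == "__main__":
    sample = build_sample_dll()
    print(inspect_pe(sample))
    # A real dump would be read from disk instead:
    # with open(r"C:\dump.dll", "rb") as f: print(inspect_pe(f.read()))
```

Run it against C:\dump.dll after the IDC script finishes: a healthy dump starts with MZ, carries the PE signature and the DLL flag, and has a size in the region the text gives (around 64 KB); a missing MZ points at a wrong $ADDR$, a truncated optional header at a too-small $L$.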

[Bonus Points Max. 3 pts]: “Freestyle” Analysis of Wannacry. Pick some parts that you think are interesting and use the knowledge studied in class to analyze them. Interesting parts include crypto, payment processing, Tor, etc. Your answers will be evaluated based on novelty and importance. It has to be technical and YOUR OWN ANALYSIS.