joemccray

WannaCry Ransomware Analysis

May 24th, 2017
################################
# Good references for WannaCry #
################################

References:

https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html



############################
# Download the Analysis VM #
############################
https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
user: infosecaddicts
pass: infosecaddicts


- Log in to your Ubuntu system with the username 'infosecaddicts' and the password 'infosecaddicts'.



################
# The Scenario #
################
You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).

The fastest thing you can do is perform static analysis.


###################
# Static Analysis #
###################

- After logging in, open a terminal window and type the following commands:

---------------------------Type This-----------------------------------
cd Desktop/

wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip

unzip wannacry.zip
infected                      (password for the zip archive)

file wannacry.exe

mv wannacry.exe malware.pdf

file malware.pdf

mv malware.pdf wannacry.exe

hexdump -n 2 -C wannacry.exe
----------------------------------------------------------------------


***What is '4d 5a' or 'MZ'?***
'4d 5a' is the ASCII 'MZ' that starts every DOS/Windows executable. 'file' reports on these magic bytes, not on the extension, which is why the renamed malware.pdf is still identified as an executable.
Reference:
http://www.garykessler.net/library/file_sigs.html

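The same magic-byte check that 'file' and 'hexdump -n 2' perform above, done by hand so the reasoning is visible: look for 'MZ', follow e_lfanew (offset 0x3c) to the 'PE\0\0' signature, and read the IMAGE_FILE_HEADER that follows. This is an added example written for this page (Python 3), not the author's script; build_sample() constructs a minimal stand-in header, not wannacry.exe.

```python
"""Identify a Windows executable by its headers rather than its file name.
Added example for this page; build_sample() is a constructed header, not
a real sample."""
import struct

MZ = b"MZ"          # 0x4d 0x5a, the DOS header signature
PE_SIG = b"PE\0\0"  # 0x50 0x45 0x00 0x00, the NT header signature


def inspect_pe(data):
    """Return what the DOS and PE headers of `data` say about it.

    A renamed .exe still passes both checks; a genuine PDF fails at MZ.
    """
    info = {"is_mz": False, "is_pe": False}
    if len(data) < 0x40 or data[:2] != MZ:
        return info
    info["is_mz"] = True
    # e_lfanew (DWORD at 0x3c) is the file offset of the PE signature.
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    info["e_lfanew"] = e_lfanew
    # Signature (4) + IMAGE_FILE_HEADER (20) must fit inside the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIG:
        return info
    info["is_pe"] = True
    # IMAGE_FILE_HEADER starts with Machine(2) NumberOfSections(2) TimeDateStamp(4).
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    info["machine"] = machine
    info["sections"] = nsections
    info["timestamp"] = timestamp
    return info


def file_like(data):
    """A one-line verdict in the spirit of `file`, based on magic bytes only."""
    info = inspect_pe(data)
    if not info["is_mz"]:
        return "data (no MZ header)"
    if not info["is_pe"]:
        return "MZ executable (DOS header only, no PE signature)"
    return "PE executable, machine 0x%x, %d sections" % (info["machine"], info["sections"])


def build_sample():
    """Constructed 88-byte buffer: DOS header pointing at a PE header for
    an i386 (0x14c) image with three sections. Not a real executable."""
    dos = bytearray(0x40)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", 0x14C, 3, 1234, 0, 0, 224, 0x102)
    return bytes(dos) + PE_SIG + file_header


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(file_like(data))
    print(inspect_pe(data))
```

Run it with a path to print the verdict for a real file; with no argument it inspects the constructed header. Renaming the input does not change the result, which is the point the 'mv wannacry.exe malware.pdf' step makes.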
---------------------------Type This-----------------------------------
objdump -x wannacry.exe

strings wannacry.exe

strings --all wannacry.exe | head -n 6

strings wannacry.exe | grep -i dll

strings wannacry.exe | grep -i library

strings wannacry.exe | grep -i reg

strings wannacry.exe | grep -i key

strings wannacry.exe | grep -i rsa

strings wannacry.exe | grep -i open

strings wannacry.exe | grep -i get

strings wannacry.exe | grep -i mutex

strings wannacry.exe | grep -i irc

strings wannacry.exe | grep -i join

strings wannacry.exe | grep -i admin

strings wannacry.exe | grep -i list
----------------------------------------------------------------------



Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"

Quick Google search for "wannacry ransomware analysis"

Reference
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/

- Yara Rule -

Strings:
$s1 = "Ooops, your files have been encrypted!" wide ascii nocase
$s2 = "Wanna Decryptor" wide ascii nocase
$s3 = ".wcry" wide ascii nocase
$s4 = "WANNACRY" wide ascii nocase
$s5 = "WANACRY!" wide ascii nocase
$s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase


Ok, let's look for the individual strings

---------------------------Type This-----------------------------------
strings wannacry.exe | grep -i ooops

strings wannacry.exe | grep -i wanna

strings wannacry.exe | grep -i wcry

strings wannacry.exe | grep -i wannacry

strings wannacry.exe | grep -i wanacry          **** Matches $s5, hmmm.....
----------------------------------------------------------------------



####################################
# Tired of GREP - let's try Python #
####################################
Decided to make my own script for this kind of stuff in the future. I

Reference 1:
https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py

This is a really good script for the basics of static analysis.

Reference 2:
https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html

This is really good for showing some good signatures to add to the Python script.

Here is my own script using the signatures (started this yesterday, but still needs work):
https://pastebin.com/guxzCBmP


---------------------------Type This-----------------------------------
sudo apt install -y python-pefile
infosecaddicts

wget https://pastebin.com/raw/guxzCBmP

mv guxzCBmP am.py

vi am.py

python am.py wannacry.exe
----------------------------------------------------------------------



##############
# Yara Ninja #
##############
---------------------------Type This-----------------------------------
cd ~/Desktop

sudo apt-get remove -y yara
infosecaddicts

sudo apt -y install libtool
infosecaddicts

wget https://github.com/VirusTotal/yara/archive/v3.6.0.zip

unzip v3.6.0.zip

cd yara-3.6.0

./bootstrap.sh

./configure

make

sudo make install
infosecaddicts

yara -v

cd ~/Desktop
----------------------------------------------------------------------


NOTE:
McAfee is giving these yara rules - so add them to the hashes.txt file

Reference:
https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/

----------------------------------------------------------------------------
rule wannacry_1 : ransom
{
    meta:
        author = "Joshua Cannell"
        description = "WannaCry Ransomware strings"
        weight = 100
        date = "2017-05-12"

    strings:
        $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
        $s2 = "Wanna Decryptor" wide ascii nocase
        $s3 = ".wcry" wide ascii nocase
        $s4 = "WANNACRY" wide ascii nocase
        $s5 = "WANACRY!" wide ascii nocase
        $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase

    condition:
        any of them
}

----------------------------------------------------------------------------
rule wannacry_2
{
    meta:
        author = "Harold Ogden"
        description = "WannaCry Ransomware Strings"
        date = "2017-05-12"
        weight = 100

    strings:
        $string1 = "msg/m_bulgarian.wnry"
        $string2 = "msg/m_chinese (simplified).wnry"
        $string3 = "msg/m_chinese (traditional).wnry"
        $string4 = "msg/m_croatian.wnry"
        $string5 = "msg/m_czech.wnry"
        $string6 = "msg/m_danish.wnry"
        $string7 = "msg/m_dutch.wnry"
        $string8 = "msg/m_english.wnry"
        $string9 = "msg/m_filipino.wnry"
        $string10 = "msg/m_finnish.wnry"
        $string11 = "msg/m_french.wnry"
        $string12 = "msg/m_german.wnry"
        $string13 = "msg/m_greek.wnry"
        $string14 = "msg/m_indonesian.wnry"
        $string15 = "msg/m_italian.wnry"
        $string16 = "msg/m_japanese.wnry"
        $string17 = "msg/m_korean.wnry"
        $string18 = "msg/m_latvian.wnry"
        $string19 = "msg/m_norwegian.wnry"
        $string20 = "msg/m_polish.wnry"
        $string21 = "msg/m_portuguese.wnry"
        $string22 = "msg/m_romanian.wnry"
        $string23 = "msg/m_russian.wnry"
        $string24 = "msg/m_slovak.wnry"
        $string25 = "msg/m_spanish.wnry"
        $string26 = "msg/m_swedish.wnry"
        $string27 = "msg/m_turkish.wnry"
        $string28 = "msg/m_vietnamese.wnry"

    condition:
        any of ($string*)
}
----------------------------------------------------------------------------
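Both the 'strings | grep -i' hunt above and the wannacry_1 rule's 'wide ascii nocase' modifiers are doing the same thing: searching the file for text in two encodings without regard to case. The added example below (Python 3, written for this page; not a YARA engine and not the author's am.py) extracts ASCII and UTF-16LE strings the way 'strings' does, filters them like 'grep -i', and then evaluates wannacry_1's 'any of them' condition. SAMPLE is a constructed byte buffer that stands in for a PE image, not wannacry.exe.

```python
"""strings + grep -i and a wide/ascii/nocase 'any of them' check in Python.
Added example for this page; SAMPLE is a constructed buffer, not a real file."""
import re

# The six patterns of rule wannacry_1 above, keyed by their YARA identifiers.
WANNACRY_1 = {
    "$s1": "Ooops, your files have been encrypted!",
    "$s2": "Wanna Decryptor",
    "$s3": ".wcry",
    "$s4": "WANNACRY",
    "$s5": "WANACRY!",
    "$s7": "icacls . /grant Everyone:F /T /C /Q",
}

# Constructed stand-in for an executable: a DOS-stub fragment, one ASCII marker,
# one UTF-16LE marker, an extension string and an import name, split by junk bytes.
SAMPLE = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 4
    + b"WANACRY!" + b"\x00\x01\x02"
    + "Wanna Decryptor".encode("utf-16-le") + b"\xff\xfe"
    + b".WCRY\x00" + b"\x7f\x00kernel32.dll\x00"
)


def extract_strings(data, min_len=4):
    """Return (kind, text) pairs: 'ascii' runs of printable bytes and 'wide'
    runs of printable-byte/NUL pairs, each at least min_len characters long.
    Plain `strings` only reports the ASCII kind unless run with -e l."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(("ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(("wide", m.group().decode("utf-16-le")))
    return found


def grep_strings(data, needle):
    """Equivalent of `strings file | grep -i needle`, wide strings included."""
    needle = needle.lower()
    return [text for _, text in extract_strings(data) if needle in text.lower()]


def match_rule(data, patterns):
    """Identifiers whose text occurs as ASCII or as UTF-16LE, ignoring ASCII
    case: YARA's `wide ascii nocase`. bytes.lower() folds only A-Z, so the NUL
    bytes inside wide strings are left alone."""
    lowered = data.lower()
    hits = []
    for ident, text in patterns.items():
        ascii_form = text.lower().encode("ascii")
        wide_form = text.lower().encode("utf-16-le")
        if ascii_form in lowered or wide_form in lowered:
            hits.append(ident)
    return hits


def rule_fires(data):
    """`condition: any of them` for wannacry_1."""
    return bool(match_rule(data, WANNACRY_1))


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for kind, text in extract_strings(data):
        print(kind, text)
    print("grep -i wanacry ->", grep_strings(data, "wanacry"))
    print("wannacry_1 hits:", match_rule(data, WANNACRY_1), "fires:", rule_fires(data))
```

On the constructed SAMPLE, 'grep -i wannacry' finds nothing while 'grep -i wanacry' hits, the same "matches $s5, hmmm" observation as above: the single-n spelling is a separate indicator, and a rule built on the double-n form alone would miss it. Because match_rule also checks the UTF-16LE form, it catches "Wanna Decryptor" where a plain 'strings | grep' would have skipped it.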


#######################
# External DB Lookups #
#######################

Creating a malware database (sqlite)
---------------------------Type This-----------------------------------
sudo apt install -y python-simplejson python-simplejson-dbg
infosecaddicts

wget https://raw.githubusercontent.com/mboman/mart/master/bin/avsubmit.py

python avsubmit.py -f wannacry.exe -e
----------------------------------------------------------------------

Analysis of the file can be found at:
http://www.threatexpert.com/report.aspx?md5=84c82835a5d21bbcf75a61706d8ab549



###############################
# Creating a Malware Database #
###############################
Creating a malware database (mysql)
-----------------------------------
- Step 1: Install the MySQL database server
- Run the following command in the terminal:
---------------------------Type This-----------------------------------
sudo apt install -y mysql-server
infosecaddicts
----------------------------------------------------------------------

- Step 2: Install the Python MySQLdb module
- Run the following commands in the terminal:
---------------------------Type This-----------------------------------
sudo apt-get build-dep python-mysqldb
infosecaddicts

sudo apt install -y python-mysqldb
infosecaddicts
----------------------------------------------------------------------

- Step 3: Log in
- Run the following command in the terminal:
---------------------------Type This-----------------------------------
mysql -u root -p          (set a password of 'malware')

- Then create one database by running the following command:

create database malware;

exit;

wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py

vi mal_to_db.py           (fill in the database connection information)

python mal_to_db.py -i

------- check to see if the files table was created ------

mysql -u root -p
malware

show databases;

use malware;

show tables;

describe files;

exit;
----------------------------------------------------------------------


- Now add the malicious file to the DB
---------------------------Type This-----------------------------------
python mal_to_db.py -f wannacry.exe -u
----------------------------------------------------------------------

- Now check to see if it is in the DB
---------------------------Type This-----------------------------------
mysql -u root -p
malware

mysql> use malware;

select id,md5,sha1,sha256,time FROM files;

mysql> quit;
----------------------------------------------------------------------
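What mal_to_db.py does for you in the steps above is hash the file and insert a row into a files table keyed on the hashes. The added example below (Python 3, written for this page; not mal_to_db.py or avsubmit.py) does the same against the standard-library sqlite3 module so it runs with nothing installed: it computes md5/sha1/sha256, stores them with a timestamp in a table whose columns match the 'select id,md5,sha1,sha256,time FROM files' check, and refuses to store the same content twice. The table layout and the sample bytes are constructed for the example.

```python
"""Hash a sample and record it in a `files` table (id, md5, sha1, sha256, time).
Added example for this page using sqlite3 in memory; the schema is an
assumption, not the layout mal_to_db.py creates, and the sample bytes are constructed."""
import hashlib
import sqlite3
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE IF NOT EXISTS files (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    md5      TEXT NOT NULL,
    sha1     TEXT NOT NULL,
    sha256   TEXT NOT NULL UNIQUE,   -- one row per distinct content
    filename TEXT,
    size     INTEGER NOT NULL,
    time     TEXT NOT NULL           -- UTC ISO-8601, when the row was added
)"""


def hash_bytes(data):
    """md5/sha1/sha256 hex digests. md5 and sha1 are kept only because public
    report sites are still indexed by them (the threatexpert URL above is md5)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def open_db(path=":memory:"):
    """Open (or create) the database and make sure the files table exists.
    Pass a file path instead of ':memory:' to keep the table between runs."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.commit()
    return conn


def add_sample(conn, filename, data):
    """Insert one sample. Returns 1 if a row was added, 0 if that sha256 was
    already present: a renamed copy of a known file is not a new sample."""
    h = hash_bytes(data)
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    cur = conn.execute(
        "INSERT OR IGNORE INTO files (md5, sha1, sha256, filename, size, time) "
        "VALUES (?, ?, ?, ?, ?, ?)",
        (h["md5"], h["sha1"], h["sha256"], filename, len(data), now),
    )
    conn.commit()
    return cur.rowcount


def lookup(conn, sha256):
    """The `select id,md5,sha1,sha256,time FROM files` check, for one hash."""
    return conn.execute(
        "SELECT id, md5, sha1, sha256, time FROM files WHERE sha256 = ?", (sha256,)
    ).fetchone()


if __name__ == "__main__":
    import sys
    conn = open_db()
    if len(sys.argv) > 1:
        name, data = sys.argv[1], open(sys.argv[1], "rb").read()
    else:
        name, data = "constructed-sample.bin", b"abc"   # constructed input
    print("inserted:", add_sample(conn, name, data))
    print(lookup(conn, hash_bytes(data)["sha256"]))
```

Keying the UNIQUE constraint on sha256 rather than on the file name is what makes the earlier rename experiment harmless to the database: wannacry.exe and malware.pdf hash identically and produce one row.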