WannaCry Ransomeware Analysis

1. ################################
2. # Good references for WannaCry #
3. ################################
4.  
5. References:
6.  
7. https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
8. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
9. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
10.  
11.  
12.  
13. ############################
14. # Download the Analysis VM #
15. ############################
16. https://s3.amazonaws.com/infosecaddictsvirtualmachines/InfoSecAddictsVM.zip
17. user: infosecaddicts
18. pass: infosecaddicts
19.  
20.  
21.  
22. - Log in to your Ubuntu system with the username 'infosecaddicts' and the password 'infosecaddicts'.
23.  
24.  
25.  
26.  
27.  
28.  
29. ################
30. # The Scenario #
31. ################
32. You've come across a file that has been flagged by one of your security products (AV Quarantine, HIPS, Spam Filter, Web Proxy, or digital forensics scripts).
33.  
34.  
35. The fastest thing you can do is perform static analysis.
36.  
37.  
38.  
39. ###################
40. # Static Analysis #
41. ###################
42.  
43. - After logging please open a terminal window and type the following commands:
44.  
45.  
46. ---------------------------Type This-----------------------------------
47. cd Desktop/
48.  
49. wget https://s3.amazonaws.com/infosecaddictsfiles/wannacry.zip
50.  
51. unzip wannacry.zip
52. infected
53.  
54. file wannacry.exe
55.  
56. mv wannacry.exe malware.pdf
57.  
58. file malware.pdf
59.  
60. mv malware.pdf wannacry.exe
61.  
62. hexdump -n 2 -C wannacry.exe
63.  
64. ----------------------------------------------------------------------
65.  
66.  
67. ***What is '4d 5a' or 'MZ'***
68. Reference:
69. http://www.garykessler.net/library/file_sigs.html
70.  
71.  
72.  
73.  
74. ---------------------------Type This-----------------------------------
75. objdump -x wannacry.exe
76.  
77. strings wannacry.exe
78.  
79. strings --all wannacry.exe | head -n 6
80.  
81. strings wannacry.exe | grep -i dll
82.  
83. strings wannacry.exe | grep -i library
84.  
85. strings wannacry.exe | grep -i reg
86.  
87. strings wannacry.exe | grep -i key
88.  
89. strings wannacry.exe | grep -i rsa
90.  
91. strings wannacry.exe | grep -i open
92.  
93. strings wannacry.exe | grep -i get
94.  
95. strings wannacry.exe | grep -i mutex
96.  
97. strings wannacry.exe | grep -i irc
98.  
99. strings wannacry.exe | grep -i join
100.  
101. strings wannacry.exe | grep -i admin
102.  
103. strings wannacry.exe | grep -i list
104. ----------------------------------------------------------------------
105.  
106.  
107.  
108.  
109.  
110.  
111.  
112.  
113.  
114.  
115. Hmmmmm.......what's the latest thing in the news - oh yeah "WannaCry"
116.  
117. Quick Google search for "wannacry ransomeware analysis"
118.  
119.  
120. Reference
121. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
122.  
123. - Yara Rule -
124.  
125.  
126. Strings:
127. $s1 = “Ooops, your files have been encrypted!” wide ascii nocase
128. $s2 = “Wanna Decryptor” wide ascii nocase
129. $s3 = “.wcry” wide ascii nocase
130. $s4 = “WANNACRY” wide ascii nocase
131. $s5 = “WANACRY!” wide ascii nocase
132. $s7 = “icacls . /grant Everyone:F /T /C /Q” wide ascii nocase
133.  
134.  
135.  
136.  
137.  
138.  
139.  
140.  
141. Ok, let's look for the individual strings
142.  
143.  
144. ---------------------------Type This-----------------------------------
145. strings wannacry.exe | grep -i ooops
146.  
147. strings wannacry.exe | grep -i wanna
148.  
149. strings wannacry.exe | grep -i wcry
150.  
151. strings wannacry.exe | grep -i wannacry
152.  
153. strings wannacry.exe | grep -i wanacry **** Matches $s5, hmmm.....
154. ----------------------------------------------------------------------
155.  
156.  
157.  
158.  
159.  
160.  
161. ####################################
162. # Tired of GREP - let's try Python #
163. ####################################
164. Decided to make my own script for this kind of stuff in the future. I
165.  
166. Reference1:
167. https://s3.amazonaws.com/infosecaddictsfiles/analyse_malware.py
168.  
169. This is a really good script for the basics of static analysis
170.  
171. Reference:
172. https://joesecurity.org/reports/report-db349b97c37d22f5ea1d1841e3c89eb4.html
173.  
174.  
175. This is really good for showing some good signatures to add to the Python script
176.  
177.  
178. Here is my own script using the signatures (started this yesterday, but still needs work):
179. https://pastebin.com/guxzCBmP
180.  
181.  
182.  
183. ---------------------------Type This-----------------------------------
184. sudo apt install -y python-pefile
185. infosecaddicts
186.  
187.  
188.  
189. wget https://pastebin.com/raw/guxzCBmP
190.  
191.  
192. mv guxzCBmP am.py
193.  
194.  
195. vi am.py
196.  
197. python am.py wannacry.exe
198. ----------------------------------------------------------------------
199.  
200.  
201.  
202.  
203.  
204.  
205.  
206.  
207.  
208. ##############
209. # Yara Ninja #
210. ##############
211. ----------------------------------------------------------------------
212. cd ~/Desktop
213.  
214. sudo apt-get remove -y yara
215. infosecaddcits
216.  
217. sudo apt -y install libtool
218. infosecaddicts
219.  
220. wget https://github.com/VirusTotal/yara/archive/v3.6.0.zip
221.  
222.  
223. unzip v3.6.0.zip
224.  
225. cd yara-3.6.0
226.  
227. ./bootstrap.sh
228.  
229. ./configure
230.  
231. make
232.  
233. sudo make install
234. infosecaddicts
235.  
236. yara -v
237.  
238. cd ~/Desktop
239. ----------------------------------------------------------------------
240.  
241.  
242.  
243. NOTE:
244. McAfee is giving these yara rules - so add them to the hashes.txt file
245.  
246. Reference:
247. https://securingtomorrow.mcafee.com/executive-perspectives/analysis-wannacry-ransomware-outbreak/
248.  
249. ----------------------------------------------------------------------------
250. rule wannacry_1 : ransom
251. {
252. meta:
253. author = "Joshua Cannell"
254. description = "WannaCry Ransomware strings"
255. weight = 100
256. date = "2017-05-12"
257.  
258. strings:
259. $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
260. $s2 = "Wanna Decryptor" wide ascii nocase
261. $s3 = ".wcry" wide ascii nocase
262. $s4 = "WANNACRY" wide ascii nocase
263. $s5 = "WANACRY!" wide ascii nocase
264. $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase
265.  
266. condition:
267. any of them
268. }
269.  
270. ----------------------------------------------------------------------------
271. rule wannacry_2{
272. meta:
273. author = "Harold Ogden"
274. description = "WannaCry Ransomware Strings"
275. date = "2017-05-12"
276. weight = 100
277.  
278. strings:
279. $string1 = "msg/m_bulgarian.wnry"
280. $string2 = "msg/m_chinese (simplified).wnry"
281. $string3 = "msg/m_chinese (traditional).wnry"
282. $string4 = "msg/m_croatian.wnry"
283. $string5 = "msg/m_czech.wnry"
284. $string6 = "msg/m_danish.wnry"
285. $string7 = "msg/m_dutch.wnry"
286. $string8 = "msg/m_english.wnry"
287. $string9 = "msg/m_filipino.wnry"
288. $string10 = "msg/m_finnish.wnry"
289. $string11 = "msg/m_french.wnry"
290. $string12 = "msg/m_german.wnry"
291. $string13 = "msg/m_greek.wnry"
292. $string14 = "msg/m_indonesian.wnry"
293. $string15 = "msg/m_italian.wnry"
294. $string16 = "msg/m_japanese.wnry"
295. $string17 = "msg/m_korean.wnry"
296. $string18 = "msg/m_latvian.wnry"
297. $string19 = "msg/m_norwegian.wnry"
298. $string20 = "msg/m_polish.wnry"
299. $string21 = "msg/m_portuguese.wnry"
300. $string22 = "msg/m_romanian.wnry"
301. $string23 = "msg/m_russian.wnry"
302. $string24 = "msg/m_slovak.wnry"
303. $string25 = "msg/m_spanish.wnry"
304. $string26 = "msg/m_swedish.wnry"
305. $string27 = "msg/m_turkish.wnry"
306. $string28 = "msg/m_vietnamese.wnry"
307.  
308.  
309. condition:
310. any of ($string*)
311. }
312. ----------------------------------------------------------------------------
313.  
314.  
315. #######################
316. # External DB Lookups #
317. #######################
318.  
319. Creating a malware database (sqlite)
320. ---------------------------Type This-----------------------------------
321. sudo apt install -y python-simplejson python-simplejson-dbg
322. infosecaddicts
323.  
324.  
325.  
326. wget https://raw.githubusercontent.com/mboman/mart/master/bin/avsubmit.py
327.  
328.  
329.  
330. python avsubmit.py -f wannacry.exe -e
331. ----------------------------------------------------------------------
332.  
333. Analysis of the file can be found at:
334. http://www.threatexpert.com/report.aspx?md5=84c82835a5d21bbcf75a61706d8ab549
335.  
336.  
337.  
338.  
339.  
340.  
341.  
342.  
343.  
344. ###############################
345. # Creating a Malware Database #
346. ###############################
347. Creating a malware database (mysql)
348. -----------------------------------
349. - Step 1: Installing MySQL database
350. - Run the following command in the terminal:
351. ---------------------------Type This-----------------------------------
352. sudo apt install -y mysql-server
353. infosecaddicts
354.  
355. - Step 2: Installing Python MySQLdb module
356. - Run the following command in the terminal:
357. ---------------------------Type This-----------------------------------
358. sudo apt-get build-dep python-mysqldb
359. infosecaddicts
360.  
361. sudo apt install -y python-mysqldb
362. infosecaddicts
363.  
364. Step 3: Logging in
365. Run the following command in the terminal:
366. ---------------------------Type This-----------------------------------
367. mysql -u root -p (set a password of 'malware')
368.  
369. - Then create one database by running following command:
370.  
371. create database malware;
372.  
373. exit;
374.  
375. wget https://raw.githubusercontent.com/dcmorton/MalwareTools/master/mal_to_db.py
376.  
377. vi mal_to_db.py (fill in database connection information)
378.  
379. python mal_to_db.py -i
380.  
381. ------- check it to see if the files table was created ------
382.  
383. mysql -u root -p
384. malware
385.  
386. show databases;
387.  
388. use malware;
389.  
390. show tables;
391.  
392. describe files;
393.  
394. exit;
395.  
396. ---------------------------------
397.  
398.  
399. - Now add the malicious file to the DB
400. ---------------------------Type This-----------------------------------
401. python mal_to_db.py -f wannacry.exe -u
402.  
403.  
404.  
405. - Now check to see if it is in the DB
406. ---------------------------Type This-----------------------------------
407. mysql -u root -p
408. malware
409.  
410. mysql> use malware;
411.  
412. select id,md5,sha1,sha256,time FROM files;
413.  
414. mysql> quit;