wannacry DLL ops

*** DLL operations ***

1] Checks to see if task already running by attempting to open mutex with name MsWinZonesCacheCounterMutexA
If already exists, app exits

2] Obtains name of current directory.

3] Reads 780 bytes of information from c.wnry which it expects in current directory. This has
bitcoin and TOR info.

4] Checks if running as LocalSystem. Sets a flag used later when running @[email protected]

5] Resolves api from advapi32.dll

  CryptAcquireContextA
  CryptImportKey
  CryptDestroyKey
  CryptEncrypt
  CryptDecrypt
  CryptGenKey

6] Resolves api from kernel32.dll

  CreateFileW
  WriteFile
  ReadFile
  MoveFileW
  MoveFileExW
  DeleteFileW
  CloseHandle

7] Initializes names of files

00000000.res   - C2 communications
00000000.pky   - Public key used by the ransomware to encrypt the generated AES keys that are used to encrypt the user’s files
00000000.eky   - Encryption key for the t.wnry file which stores the actual file encryption component used by the ransomware.
                 It is encrypted using the public key that belongs to a private key embedded inside the ransomware.


8] creates mutex with name MsWinZonesCacheCounterMutexA and sets the security
ACL to allow EVERYONE full access


9] tries to open 00000000.dky. if available, will import key into Crypto API object.
presumably this would be decryption key from the authors of ransomware..


10] if cannot open *.dky file, will generate new RSA key pair of 2048-bits.
Public key is exported as blob and saved to 00000000.pky
Private key is exported as blob and encrypted with ransomware public key before being saved to 00000000.eky

The RSA public key used to encrypt the users RSA key pair is embedded inside the DLL.

unsigned char wc_key1[] =
{
  0x06, 0x02, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00, 0x52, 0x53,
  0x41, 0x31, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
  0x75, 0x97, 0x4C, 0x3B, 0x84, 0x46, 0xDE, 0x2C, 0x2A, 0xF4,
  0x95, 0xA8, 0x5D, 0xC0, 0xCD, 0x6D, 0xDA, 0xD7, 0xD4, 0x92,
  0x1E, 0x13, 0x82, 0x34, 0x6A, 0x70, 0x8D, 0x8F, 0x7C, 0xF7,
  0x04, 0x92, 0x55, 0x7F, 0xF1, 0xA2, 0x27, 0xB2, 0x9E, 0x41,
  0xAC, 0x90, 0x80, 0x91, 0x18, 0x93, 0xC2, 0xB1, 0x7B, 0xAD,
  0x2B, 0xF3, 0xFF, 0xAF, 0xDB, 0x2B, 0x51, 0xBE, 0x1D, 0xA3,
  0x27, 0xE3, 0xA7, 0x57, 0x08, 0x5A, 0xBE, 0xC1, 0x1D, 0xF6,
  0x04, 0xF8, 0x1C, 0xBE, 0x5B, 0xB1, 0x67, 0xFB, 0xE4, 0xC8,
  0xDA, 0x75, 0x00, 0x70, 0xB1, 0x17, 0x70, 0x24, 0x6C, 0x09,
  0x63, 0x74, 0xAC, 0x4B, 0x0A, 0x1D, 0x71, 0xAE, 0x7F, 0xAE,
  0x65, 0xB8, 0xC5, 0x86, 0x79, 0xC5, 0x7E, 0x9F, 0x98, 0x60,
  0x4C, 0x52, 0xB9, 0x29, 0x62, 0xCB, 0x23, 0x29, 0xED, 0x31,
  0x91, 0x74, 0x7B, 0x7B, 0x0B, 0x26, 0x1B, 0xF2, 0x7D, 0x67,
  0xBF, 0xDA, 0x7A, 0x40, 0xDA, 0xF2, 0x61, 0x4D, 0x94, 0xA5,
  0x7D, 0xAD, 0x59, 0x6B, 0xAD, 0x9E, 0xA3, 0x3A, 0x39, 0xC6,
  0x5B, 0x6E, 0x9F, 0xD2, 0xBB, 0x36, 0xB5, 0xF5, 0xD2, 0x65,
  0xF5, 0x2C, 0x30, 0xD8, 0xC1, 0x17, 0xBD, 0xAF, 0x28, 0x00,
  0x96, 0x20, 0x46, 0xA7, 0x2D, 0x62, 0x03, 0x0C, 0xD7, 0xD0,
  0x75, 0xA0, 0x0B, 0x07, 0xEA, 0xD4, 0x1F, 0xCA, 0xE8, 0xD9,
  0x4E, 0xDB, 0x38, 0xF2, 0x26, 0x75, 0xCB, 0x12, 0xA6, 0x88,
  0x70, 0x9B, 0xE1, 0xEA, 0x32, 0xDC, 0xF8, 0x71, 0x72, 0x50,
  0x41, 0xE6, 0x17, 0x81, 0x68, 0x27, 0x42, 0x8E, 0xDF, 0xE5,
  0xDE, 0xA1, 0x72, 0xD9, 0x3B, 0xFB, 0xE5, 0x9D, 0x30, 0x11,
  0x69, 0x92, 0xCD, 0x60, 0x2B, 0xE2, 0xD5, 0x46, 0x3C, 0x28,
  0xCF, 0x9D, 0x30, 0x4A, 0xF7, 0xAD, 0xB9, 0xFB, 0x0F, 0x91,
  0xFE, 0x2E, 0xBE, 0x18, 0xF1, 0xCE
};

The AES-128 key generated for each file is derived from CryptGenRandom  which
is cryptographically secure and is not known to have any weakness.

The AES keys are encrypted using the users public key in *.pky.
In order to decrypt, we need the users private key which is
encrypted using a public key owned by the ransomware authors.

Presumably what authors do is decrypt the users private key in *.eky file
using their private key and then send the user a *.dky file
to decrypt files.