Static and Dynamic Analysis of WannaCry Ransomware

Conference Paper · July 2018
https://www.researchgate.net/publication/332144343

Maxat Akbanov∗ , Vassilios G. Vassilakis∗ , Ioannis D. Moscholios† , Michael D. Logothetis‡


∗ Dept. of Computer Science, University of York, York, United Kingdom
† Dept. of Informatics & Telecommunications, University of Peloponnese, Tripolis, Greece
‡ Dept. of Electrical & Computer Engineering, University of Patras, Patras, Greece

Abstract—Nowadays ransomware presents a huge and fastest growing problem for all types of users from small households to large corporations and government bodies. Modern day ransomware families implement sophisticated encryption and propagation schemes, thus limiting chances to recover the data almost to zero. In order to design and develop appropriate detection and mitigation mechanisms it is important to perform ransomware analysis and identify its features. In this work, we present our ransomware analysis results focusing on the infamous WannaCry ransomware. In particular, the presented research examines the WannaCry behaviour during its execution in a purpose-built virtual lab environment. We perform static and dynamic analysis using a wide range of malware analysis tools. The obtained results can be used for developing appropriate detection and mitigation mechanisms for WannaCry or other ransomware families that exhibit similar behaviour.

Keywords—Malware analysis, ransomware, WannaCry

I. INTRODUCTION

Currently the ransomware threat is considered as the main moneymaking scheme for cyber criminals and the key threat to Internet users [1], [2]. Starting from relatively simple fake antivirus applications in 2008, ransomware has evolved over time and emerged into sophisticated forms such as crypto type ransomware. The apotheosis of this evolution is the occurrence of a new type of ransomware which combines the usage of exploits with worm-like spreading mechanisms to propagate itself in both internal and external networks. Moreover, the emergence of new types of ransomware, such as WannaCry, showed that ransomware keeps evolving and cyber criminals are upgrading the ransomware code with more sophisticated features, such as worm propagation components and public-key encryption mechanisms. Therefore, from the research perspective, the design of new countermeasures, apart from traditional security approaches, is considered an important and trending task in this field. Such designs, however, require a comprehensive analysis of ransomware features and behaviour, which typically involves a wide range of malware analysis tools.

In this work, we have performed a comprehensive analysis of the infamous WannaCry ransomware. We present both static and dynamic analysis results. The presented techniques are applicable also in the cases of other ransomware families with characteristics similar to WannaCry, such as worm-spreading mechanisms and public-key based encryption. In particular, the presented research examines the WannaCry behaviour during its execution in a safe purpose-built virtual lab environment at the University of York. The obtained results can be used for designing and developing effective ransomware detection and mitigation mechanisms.

The rest of the paper is organized as follows. In Section II, we present the relevant background information on ransomware in general and on WannaCry in particular. In Sections III, IV, and V, we present the main findings from our conducted static and dynamic analysis of WannaCry, including its inherent network indicators. Finally, Section VI draws the conclusions and discusses potential future directions.

II. BACKGROUND

A. The Basics of Ransomware

Ransomware presents a type of malicious software that prevents or limits users from accessing their system, either by locking the screen or by encrypting files, until a ransom is paid [3]. Typically, two types of ransomware are distinguished: lockers and cryptors [2]. Lockers present a less sophisticated type of ransomware which simply locks the device's user interface, preventing the user from logging in and accessing programs and data. In most cases it leaves the user with very few capabilities, such as allowing the victim just to communicate with the attacker and pay the ransom. Lockers usually can be removed cleanly, as they leave the underlying system and files untouched. This makes lockers less effective at extracting ransom payments compared with their more destructive relatives, cryptors.

On the other hand, cryptors represent an advanced type of ransomware which aims at encrypting specific files of the infected system. Cryptors use a variety of different cryptographic algorithms, including both symmetric and public-key based. Cryptors that rely on public-key encryption are particularly difficult to mitigate, since the encryption keys are stored in a remote command and control (C&C) server. Cryptors typically include a time limit for the ransom to be paid and provide users with a special website to purchase cryptocurrency (e.g., Bitcoins) and step-by-step instructions on how to pay the ransom. The lifecycle of modern day ransomware typically consists of the following steps [4]: distribution, infection, communications, file search, file encryption, and ransom demand.

B. The Basics of WannaCry

WannaCry ransomware (also known as Wana Decrypt0r, WCry, WannaCry, WannaCrypt, and WanaCrypt0r) was observed during a massive attack across multiple countries on 12 May 2017 [5]. According to multiple reports from security vendors, in total 300 000 systems in over 150 countries
had been severely damaged. The attack affected a wide range of sectors, including healthcare, government, telecommunications, and gas/oil production.

A difficulty of protecting against WannaCry lies in its ability to spread itself to other systems by using a worm component. This feature makes the attacks more effective and requires defense mechanisms that can react quickly and in real time. Furthermore, WannaCry has an encryption component that is based on public-key cryptography.

During the infection phase, WannaCry uses the EternalBlue and DoublePulsar exploits, that were allegedly leaked in April 2017 by a group called The Shadow Brokers. EternalBlue exploits the server message block (SMB) vulnerability that was patched by Microsoft on March 14, 2017 and has been described in the security bulletin MS17-010 [6]. This vulnerability allows the adversaries to execute remote code on the infected machines by sending specially crafted messages to an SMBv1 server, connecting to TCP ports 139 and 445 of unpatched Windows systems. In particular, this vulnerability affects all unpatched Windows versions starting from Windows XP to Windows 8.1, except for Windows 10.

DoublePulsar is a persistent backdoor that can be used to access and execute code on previously compromised systems, thus allowing the attackers to install additional malware on the system. During the distribution process, WannaCry's worm component uses EternalBlue for the initial infection through the SMB vulnerability by actively probing the appropriate TCP ports and, if successful, tries to implant the DoublePulsar backdoor on the infected systems.

III. WANNACRY STATIC ANALYSIS

In this section, we present our findings from static analysis of WannaCry. To perform the analysis, two virtual machines (VMs) were used. The characteristics of the host machine are: Intel Core i7-4700MQ 2.40 GHz and 16 GB RAM. The 1st VM was running Windows 7 SP1 and was infected with WannaCry. The 2nd VM was running REMnux [7], which is a free Linux toolkit for reverse-engineering and malware analysis.

Samples of WannaCry were obtained from VirusShare [8]. In particular, we analyzed two executable files: the worm component and the encryption component (Table I). Below we describe our main findings.

TABLE I. WANNACRY COMPONENTS.

Worm Component
  MD5        db349b97c37d22f5ea1d1841e3c89eb4
  SHA1       e889544aff85ffaf8b0d0da705105dee7c97fe26
  SHA256     24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
  File Type  PE32 executable (GUI) Intel 80386, for MS Windows

Encryption Component
  MD5        84c82835a5d21bbcf75a61706d8ab549
  SHA1       5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
  SHA256     ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
  File Type  PE32 executable (GUI) Intel 80386, for MS Windows

Analysis with the Pestudio tool [9] has revealed that the worm and the encryption components import dynamic-link libraries (DLLs), as shown in Tables II and III. During its execution, the worm invokes iphlpapi.dll in order to retrieve network configuration settings for the infected host. The kernel32.dll and msvcrt.dll are the two most invoked libraries by the encryption component. This may indicate that the main WannaCry encryption functionality was implemented with these two libraries. To confirm this, the imported functions of the libraries were observed with Pestudio. As shown in Tables IV and V, in general WannaCry uses Microsoft's crypto, file management and C runtime file application programming interfaces (APIs). The Crypto API library is used to generate and manage random symmetric and asymmetric cryptographic keys.

TABLE II. DLLS INVOKED BY WANNACRY WORM COMPONENT.

Library        Imports   Description
ws2_32.dll     3         Windows Socket 2.0 32-bit
iphlpapi.dll   2         IP Helper API
wininet.dll    3         Internet Extensions for Win32
kernel32.dll   32        Windows NT BASE API Client
advapi32.dll   11        Advanced Windows 32 Base API
msvcp60.dll    2         Windows NT C++ Runtime Library
msvcrt.dll     28        Windows NT CRT

TABLE III. DLLS INVOKED BY WANNACRY ENCRYPTION COMPONENT.

Library        Imports   Description
kernel32.dll   54        Windows NT BASE API Client
advapi32.dll   10        Advanced Windows 32 Base API
user32.dll     1         Multi-User Windows USER API Client
msvcrt.dll     49        Windows NT CRT

TABLE IV. WANNACRY WORM COMPONENT FUNCTIONS.

Function                        Location
GetCurrentThread                0xa53a
GetStartupInfoA                 0xa97a
StartServiceCtrDispatcherA      0xa6f6
RegisterServiceCtrDispatcherA   0xa6d8
CreateServiceA                  0xa688
StartServiceA                   0xa662
CryptGenRandom                  0xa650
CryptAcquireContextA            0xa638
OpenServiceA                    0xa714
GetAdaptersInfo                 0xa792
InternetOpenUrlA                0xa7c8

TABLE V. WANNACRY ENCRYPTION COMPONENT FUNCTIONS.

Function                        Location
OpenMutexA                      0xda84
GetComputerNameW                0xd8b2
CreateServiceA                  0xdc2a
OpenServiceA                    0xdc62
StartServiceA                   0xdc52
CryptReleaseContext             0xdc14
RegCreateKeyW                   0xdc04
fopen                           0xdcd4
fread                           0xdccc
fwrite                          0xdcc2
fclose                          0xdcb8
CreateFileA                     0xd922
ReadFile                        0xd964
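The static triage summarised in Table I can be reproduced without a GUI tool. The following Python is an added example and not code from the paper: it computes the three digests of a file, compares them against the Table I hashes (all three must agree before a match is reported), and parses the DOS and PE headers just far enough to regenerate the "PE32 executable (GUI) Intel 80386" classification that Pestudio prints. The hash values are the ones listed in Table I; the sample header the block builds is constructed for the demonstration and is not a WannaCry binary.

```python
import hashlib
import struct

# Hashes of the two analysed samples as published in Table I of the paper.
WANNACRY_SAMPLES = {
    "worm component": {
        "md5": "db349b97c37d22f5ea1d1841e3c89eb4",
        "sha1": "e889544aff85ffaf8b0d0da705105dee7c97fe26",
        "sha256": "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c",
    },
    "encryption component": {
        "md5": "84c82835a5d21bbcf75a61706d8ab549",
        "sha1": "5ff465afaabcbf0150d1a3ab2c2e74f3a4426467",
        "sha256": "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa",
    },
}

IMAGE_FILE_MACHINE_I386 = 0x014C        # shown by pestudio as "Intel 80386"
IMAGE_FILE_DLL = 0x2000                 # Characteristics flag: image is a DLL
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # optional-header magic for PE32


def hash_bytes(data: bytes) -> dict:
    """MD5, SHA1 and SHA256 of a file's contents, the three digests of Table I."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def match_known_sample(data: bytes):
    """Name of the Table I component whose digests all match, else None.
    Requiring all three protects against a single mistyped indicator."""
    digests = hash_bytes(data)
    for name, known in WANNACRY_SAMPLES.items():
        if all(digests[alg] == known[alg] for alg in known):
            return name
    return None


def pe_file_type(data: bytes):
    """Parse the DOS header pointer, PE signature, IMAGE_FILE_HEADER and the
    start of the optional header. Returns None if the bytes are not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    if opt_size < 70 or opt_off + opt_size > len(data):
        return None
    magic = struct.unpack_from("<H", data, opt_off)[0]
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]  # same offset in PE32 and PE32+
    return {
        "format": {IMAGE_NT_OPTIONAL_HDR32_MAGIC: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
        "machine": machine,
        "subsystem": {2: "GUI", 3: "console"}.get(subsystem, "subsystem %d" % subsystem),
        "is_dll": bool(flags & IMAGE_FILE_DLL),
        "sections": nsections,
    }


def describe(data: bytes) -> str:
    """One-line file-type string in the form used by Table I."""
    info = pe_file_type(data)
    if info is None:
        return "not a PE image"
    kind = "DLL" if info["is_dll"] else "executable"
    arch = {IMAGE_FILE_MACHINE_I386: "Intel 80386", 0x8664: "x86-64"}.get(
        info["machine"], hex(info["machine"]))
    return "%s %s (%s) %s" % (info["format"], kind, info["subsystem"], arch)


def build_sample_pe_header() -> bytes:
    """Constructed sample, NOT a WannaCry binary: the smallest header that
    describes a 32-bit x86 GUI executable, for exercising pe_file_type()."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE signature right after the stub
    file_hdr = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<H", opt, 68, 2)        # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)


if __name__ == "__main__":
    sample = build_sample_pe_header()
    print(describe(sample), hash_bytes(sample)["sha256"], match_known_sample(sample))
```

Running the block on the constructed header prints "PE32 executable (GUI) Intel 80386", its digest and None, since no constructed file can match Table I; pointed at a real sample, match_known_sample() returns the component name only when MD5, SHA1 and SHA256 all agree.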
IV. WANNACRY DYNAMIC ANALYSIS

In this section, we present our findings from dynamic analysis of WannaCry. To this end, the virtual testbed of Fig. 1 was built. In particular, a custom network VMnet 5 (192.168.180.0/24) was created with the Virtual Network Editor option in the VMware hypervisor. This scheme allows observing domain name system (DNS) queries made by WannaCry during the infection and replication process, as performed by the worm component across the internal and external networks via port 445 of the SMBv1 protocol. The REMnux machine acts as DNS and HTTP server, and is able to intercept all network communications using Wireshark. DNS and HTTP services in REMnux were enabled using the FakeDNS and HTTP Daemon utilities, respectively.

Fig. 1. Testbed for dynamic WannaCry analysis.

Our dynamic analysis has revealed that, upon startup, the worm component tries to connect to the following domain, using the InternetOpenUrl function:

www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

The aforementioned domain is a kill-switch domain. That is, if the domain is active, the worm component stops running. On the other hand, if the worm component cannot establish a connection with this domain (e.g., if the domain is not active or if there is no connectivity), it continues to run and registers itself as a "Microsoft Security Center (2.0) Service" mssecsvs 2.0 process on the infected machine.

The FakeDNS utility at REMnux captures the malicious DNS request on port 80 (Fig. 2), while Wireshark shows (Fig. 3) the DNS packet query field from the infected machine (IP 192.168.180.130) to the DNS server on REMnux (IP 192.168.180.128).

After installing itself as a service, the worm component extracts the hardcoded R resource and then copies it to C:\Windows\taskche.exe. The R resource represents the binary of the WannaCry encryption component. During its execution the encryption component checks if one of the following mutual exclusion objects (mutexes) exists:

Global\MsWinZonesCacheCounterMutexA
Global\MsWinZonesCacheCounterMutexW
MsWinZonesCacheCounterMutexA

If the mutex is present on the system, then the encryption component automatically stops without taking any further actions. Otherwise, the encryption process starts. To encrypt each file, a different 16-byte symmetric AES key is generated using the CryptGenRandom function. Then, every generated AES key is encrypted with the public RSA key (which is part of the encryption component) and stored inside the file header, which starts with the WANACRY! string value. Encrypted files are renamed with the .WNCRY file extension appended. The encryption component contains a password-protected ZIP archive. We managed to obtain the password, "WNcry@2ol7", by disassembling the encrypter with the IDA Pro tool [10] (see Fig. 4). The contents of the ZIP archive are summarized in Table VI and described below:

• msg is a folder that contains a list of rich text format (RTF) files with wnry extension. These files are the readme instructions used to show the extortion message to the victim in different languages, based on the information obtained from the system by malicious WannaCry functions.

• b.wnry is an image file used for displaying instructions for the decryption of user files. It starts with the bytes 42 4D, which indicates that this file is a bitmap image.

• c.wnry contains a list of Tor addresses with .onion extension and a link to a zipped installation file of the Tor browser from the Tor Project [11].

• r.wnry is a text file in English with additional decryption instructions to be used by the decryption component (the u.wnry file mentioned below).

• s.wnry is a ZIP archive (HEX signature 50 4B 03 04) which contains the Tor software executable. This executable has been obtained with the assistance of the WinHex tool [12] by saving the raw binary data with a .zip extension.

• t.wnry is an encrypted file in the WANACRY! encryption format. The file header starts with the WANACRY! string.

• taskdl.exe is a supporting tool for the deletion of files with .WNCRY extension. By observing the properties of the file, the following masquerade description can be found: "SQL Client Configuration Utility".

• taskse.exe is a supporting tool for malware execution on remote desktop protocol (RDP) sessions. The following file description was identified: "waitfor - wait/send a signal over a network".

• u.wnry is an executable file (HEX signature 4D 5A) with name "@WanaDecryptor@.exe", which represents the decryption component of WannaCry.
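The file identification used in the list above (42 4D for bitmaps, 50 4B 03 04 for ZIP, 4D 5A for executables, and the WANACRY! marker at the start of every encrypted file) is a small triage routine an incident responder can automate. The Python below is an added example and not the authors' code: it classifies files by their leading bytes, separately reports files that carry the .WNCRY extension without the WANACRY! header (renamed, truncated, or not WannaCry output at all), and extracts the .onion addresses and download link from a c.wnry-style blob. The sample files are constructed stand-ins, the download URL is a placeholder, and the assumption that the c.wnry values appear as plain ASCII strings is this example's rather than the paper's.

```python
import re

# Magic bytes from the archive listing, plus the marker every encrypted file
# starts with. Order matters: the WANACRY! header must win over whatever the
# victim file used to be.
MAGICS = [
    (b"WANACRY!", "wannacry-encrypted"),   # t.wnry and every *.WNCRY victim file
    (b"PK\x03\x04", "zip"),                # s.wnry: 50 4B 03 04
    (b"BM", "bmp"),                        # b.wnry: 42 4D
    (b"MZ", "pe"),                         # u.wnry, taskdl.exe, taskse.exe: 4D 5A
]
ENCRYPTED_EXT = ".WNCRY"

ONION_RE = re.compile(rb"\b[a-z2-7]{16,56}\.onion\b")   # v2 (16) and v3 (56) names
URL_RE = re.compile(rb"https?://[^\s\x00;\"'<>]+")


def classify(data: bytes) -> str:
    """File type from its leading bytes, 'unknown' if no listed magic matches."""
    for magic, kind in MAGICS:
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(files: dict) -> dict:
    """files: name -> bytes. Returns per-file types plus the two lists a
    responder wants first: confirmed ransomware output, and .WNCRY-named
    files that do NOT carry the header."""
    types = {name: classify(data) for name, data in files.items()}
    encrypted = sorted(n for n, t in types.items() if t == "wannacry-encrypted")
    ext_only = sorted(n for n, t in types.items()
                      if n.upper().endswith(ENCRYPTED_EXT) and t != "wannacry-encrypted")
    return {"types": types, "encrypted": encrypted, "wncry_without_header": ext_only}


def extract_c2_config(data: bytes):
    """Pull .onion addresses and URLs out of a c.wnry-style blob.
    Assumption of this example: the values are present as plain ASCII strings
    (the paper obtains them by extracting strings), so the exact record
    layout of the file does not have to be known."""
    onions = [m.decode("ascii") for m in ONION_RE.findall(data)]
    urls = [m.decode("ascii") for m in URL_RE.findall(data)]
    return onions, urls


# Constructed sample inputs (not the real archive contents): only the leading
# bytes matter for classification, the rest is padding. The two .onion names
# are from the paper's c.wnry listing; the URL is a placeholder.
SAMPLE_FILES = {
    "b.wnry": b"BM" + bytes(30),
    "s.wnry": b"PK\x03\x04" + bytes(26),
    "u.wnry": b"MZ" + bytes(62),
    "t.wnry": b"WANACRY!" + bytes(40),
    "report.docx.WNCRY": b"WANACRY!" + bytes(40),
    "photo.jpg.WNCRY": b"\xff\xd8\xff" + bytes(20),   # extension but no header
    "c.wnry": (b"gx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;\0\0"
               b"https://example.invalid/torbrowser/tor-win32.zip\0"),
    "notes.txt": b"plain text, nothing to see",
}

if __name__ == "__main__":
    print(triage(SAMPLE_FILES))
    print(extract_c2_config(SAMPLE_FILES["c.wnry"]))
```

Checking the header rather than trusting the extension is the point of the second list: a file named *.WNCRY that does not start with WANACRY! was not produced by the encryption component described above and deserves a separate look.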
Fig. 2. FakeDNS capture of the malicious DNS request.

Fig. 3. Wireshark capture of the malicious DNS request.

TABLE VI. FILES IN THE PASSWORD PROTECTED ZIP ARCHIVE.

Name         Size (bytes)   Modified
msg          1,329,657      2017-05-11
b.wnry       1,440,054      2017-05-11
c.wnry       780            2017-05-11
r.wnry       864            2017-05-10
s.wnry       3,038,286      2017-05-09
t.wnry       65,816         2017-05-11
taskdl.exe   20,480         2017-05-11
taskse.exe   20,480         2017-05-11
u.wnry       245,760        2017-05-11

Our dynamic analysis has also revealed that, to achieve persistence on the infected machine, WannaCry performs the following actions:

• Creates an entry in the Windows registry to ensure that it executes every time the machine is restarted.

• Attempts to achieve memory persistence by adding itself to the AutoRun feature of Windows.

• Uses the Windows "icacls" command to grant itself full access to all files on the machine.

• Deletes all backup (shadow) copies and tries to prevent being booted in safe mode by executing several commands in the Windows command line.

• Deletes all backup catalogs.

• By using the Windows command line, creates a VBScript program which generates a single shortcut to the @WanaDecryptor@.exe decrypter file.

• Tries to kill SQL and MS Exchange database processes by executing several commands in the Windows command line.

V. WANNACRY COMMUNICATIONS

After performing initial interactions and checking connectivity with the kill-switch domain, the worm functionality is established by initiating the mssecsvs 2.0 service. This service tries to spread WannaCry's payload through the SMB vulnerability on any vulnerable system.

In order to perform this, WannaCry creates two separate threads that simultaneously replicate the payload in internal (local) and external networks. In the internal network, before starting the propagation process, the worm component obtains the IP addresses of local network interfaces by invoking the GetAdaptersInfo function and determining the existing subnets. After that, the worm component tries to connect to all possible IP addresses in any available local network, on TCP port 445 (the default port for SMB over IP). If successful, the worm component attempts to exploit the service for the vulnerability described in MS17-010 [6]. During our experiments, connection attempts were observed with Wireshark in REMnux, when the infected machine (IP 192.168.180.130) sent SMB probe packets to a Windows host (IP 192.168.180.134), as shown in Fig. 5.

Fig. 5. WannaCry internal network traffic attempting the SMB exploit.

At the same time, the worm component attempts to spread across external networks by generating various IP addresses and trying to connect to TCP port 445. This can be observed with Wireshark on REMnux, as shown in Fig. 6. The full list of WannaCry-generated IP addresses obtained during our analysis is presented in Table VII.

During the SMB probing by WannaCry, one of the unique features of the generated traffic is that it contains two hardcoded IP addresses: 192.168.56.20 and 172.16.99.5. They can be observed by extracting strings from the binary. In particular, WannaCry sends three NetBIOS session setup packets, where two of them contain the aforementioned hardcoded IP addresses.
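The kill-switch lookup described in Section IV and the SMB probing described here give a network defender signals that can be checked from ordinary DNS and connection logs. The following Python is an added example, not part of the paper: over a constructed log in a made-up line format it raises an alert for a DNS query naming the kill-switch domain, for any 445/tcp connection to either hardcoded address (192.168.56.20, 172.16.99.5), for 445/tcp attempts towards non-private addresses (the external-spread thread), and for one source fanning out to many distinct 445/tcp targets within a short window (the internal-spread thread). The testbed addresses follow Fig. 1; the log format and the thresholds (10 targets within 60 s) are this example's assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
HARDCODED_PROBE_TARGETS = {"192.168.56.20", "172.16.99.5"}   # strings in the worm binary
SMB_PORT = 445
FANOUT_THRESHOLD = 10      # distinct 445/tcp destinations from one source ...
WINDOW_SECONDS = 60        # ... within this many seconds (assumed tuning values)


def parse_event(line: str):
    """Constructed log format for this example:
       '<ISO time> dns <src> <queried name>'   or
       '<ISO time> tcp <src> <dst> <dport>'    (one line per connection attempt)."""
    f = line.split()
    if len(f) < 4:
        return None
    ts = datetime.fromisoformat(f[0])
    if f[1] == "dns":
        return {"ts": ts, "kind": "dns", "src": f[2], "qname": f[3].rstrip(".").lower()}
    if f[1] == "tcp" and len(f) >= 5:
        return {"ts": ts, "kind": "tcp", "src": f[2], "dst": f[3], "dport": int(f[4])}
    return None


def detect(lines):
    """Return (alert, src, detail) tuples for a batch of log lines."""
    alerts = []
    smb_by_src = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["kind"] == "dns":
            # The worm resolves the kill-switch name at start-up whether or not it
            # goes on to spread, so the lookup by itself identifies an infected host.
            if ev["qname"] == KILL_SWITCH_DOMAIN:
                alerts.append(("killswitch-lookup", ev["src"], ev["qname"]))
            continue
        if ev["dport"] != SMB_PORT:
            continue
        if ev["dst"] in HARDCODED_PROBE_TARGETS:
            alerts.append(("wannacry-hardcoded-target", ev["src"], ev["dst"]))
        if ipaddress.ip_address(ev["dst"]).is_global:
            # External-spread thread: random Internet hosts on 445/tcp.
            alerts.append(("smb-to-internet", ev["src"], ev["dst"]))
        smb_by_src[ev["src"]].append((ev["ts"], ev["dst"]))
    # Internal-spread thread: many distinct 445/tcp targets from one host in a short window.
    for src, events in smb_by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > WINDOW_SECONDS:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= FANOUT_THRESHOLD:
                alerts.append(("smb-fanout", src,
                               "%d targets within %ds" % (len(distinct), WINDOW_SECONDS)))
                break
    return alerts


def alerts_by_source(lines):
    """Collapse detect() output to {source: set of alert types}."""
    out = defaultdict(set)
    for kind, src, _ in detect(lines):
        out[src].add(kind)
    return dict(out)


# Constructed sample log: one infected host (.130, as in Fig. 1) and one
# ordinary host (.50) that resolves a normal name and opens one file share.
SAMPLE_LOG = (
    ["2017-05-12T10:00:01 dns 192.168.180.130 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
     "2017-05-12T10:00:02 dns 192.168.180.50 example.com",
     "2017-05-12T10:00:03 tcp 192.168.180.50 192.168.180.10 445"]
    + ["2017-05-12T10:00:%02d tcp 192.168.180.130 192.168.180.%d 445" % (5 + i, i + 1)
       for i in range(12)]
    + ["2017-05-12T10:00:20 tcp 192.168.180.130 192.168.56.20 445",
       "2017-05-12T10:00:21 tcp 192.168.180.130 109.140.223.210 445"]   # address from Table VII
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The fan-out rule is the one that also catches a sample with a different kill-switch domain or no kill switch at all, which is why it is kept separate from the indicator matches; the single 445/tcp connection from the ordinary host never crosses the threshold.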
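The persistence and anti-recovery actions listed in Section IV (registry run entry, icacls grant, shadow-copy and backup-catalog deletion, safe-boot prevention, VBScript shortcut creation, killing SQL and Exchange processes) are all visible in process-creation telemetry. The Python below is an added example and not part of the paper: it matches command lines against one rule per listed action and flags a host once several distinct categories occur together, since any one of them (a backup administrator running wbadmin, say) is ordinary on its own. The command-line forms matched are the commonly documented ones for these actions and are an assumption of this example, as are the constructed host names and records.

```python
import re
from collections import defaultdict

# One rule per action in the Section IV list. The command-line patterns are an
# assumption of this example (commonly documented forms); the paper names the
# actions, not the exact commands it observed.
RULES = [
    ("run-key-persistence",     re.compile(r"\breg(\.exe)?\s+add\b.*\\currentversion\\run\b", re.I)),
    ("icacls-grant-everyone",   re.compile(r"\bicacls(\.exe)?\b.*/grant\s+everyone:f\b", re.I)),
    ("shadow-copy-deletion",    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"
                                           r"|\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("disable-recovery-boot",   re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no"
                                           r"|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("backup-catalog-deletion", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("database-process-kill",   re.compile(r"\btaskkill(\.exe)?\b.*/im\s+\S*(sql|exchange)", re.I)),
    ("vbscript-launch",         re.compile(r"\b[cw]script(\.exe)?\b.*\.vbs\b", re.I)),
]


def classify_command(cmdline: str) -> set:
    """Set of rule categories that a single command line matches."""
    return {category for category, rx in RULES if rx.search(cmdline)}


def summarise(events, threshold: int = 3) -> dict:
    """events: iterable of (host, command line). A host is flagged when at
    least `threshold` distinct categories were seen on it; the count of
    categories, not of commands, is what separates cleanup tooling from an
    administrator running one of these commands legitimately."""
    per_host = defaultdict(set)
    for host, cmdline in events:
        per_host[host] |= classify_command(cmdline)
    return {host: {"categories": cats, "flagged": len(cats) >= threshold}
            for host, cats in per_host.items()}


# Constructed process-creation records (host, command line). The path
# C:\Windows\taskche.exe is the drop location named in Section IV; the value
# name and script name are placeholders.
SAMPLE_EVENTS = [
    ("WS-0130", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v sample /t REG_SZ /d C:\Windows\taskche.exe"),
    ("WS-0130", r"icacls . /grant Everyone:F /T /C /Q"),
    ("WS-0130", r"vssadmin delete shadows /all /quiet"),
    ("WS-0130", r"wbadmin delete catalog -quiet"),
    ("WS-0130", r"bcdedit /set {default} recoveryenabled no"),
    ("WS-0130", r"taskkill /f /im MSExchange*"),
    ("WS-0130", r"cscript //nologo sample.vbs"),
    ("WS-0050", r"icacls D:\share /grant Alice:F"),     # a normal permission change
    ("WS-0050", r"ipconfig /all"),
]

if __name__ == "__main__":
    for host, result in summarise(SAMPLE_EVENTS).items():
        print(host, "FLAGGED" if result["flagged"] else "ok", sorted(result["categories"]))
```

The icacls rule deliberately requires Everyone:F rather than any /grant, and the vbscript rule only adds weight when it co-occurs with the others; both keep the per-host threshold meaningful on a busy fleet.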

During its execution, WannaCry also tries to contact the C&C servers by parsing the contents of c.wnry, which specifies the configuration data, including the following .onion addresses to connect to and the zipped Tor browser installation file:

gx7ekbenv2riucmf.onion
57g7spgrzlojinas.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
cwwnhwhlz52maqm7.onion
https://dist.torporject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip

During its communication with the Tor addresses, WannaCry establishes a secure HTTPS channel to port 443, and uses the common Tor ports, 9001 and 9050, for network traffic and directory information.

Fig. 4. Password for a ZIP archive in the encryption component.

Fig. 6. WannaCry external network traffic attempting the SMB exploit.

TABLE VII. EXTERNAL IP ADDRESSES GENERATED BY WANNACRY.

IP address : port
109.140.223.210 : 445
206.242.244.156 : 445
52.213.90.240 : 445
202.76.26.154 : 445
205.215.5.24 : 445
80.133.73.130 : 445
198.73.58.205 : 445
40.188.28.244 : 445
184.55.110.103 : 445

VI. CONCLUSION AND FUTURE WORK

We have performed static and dynamic analysis of WannaCry ransomware. Both the worm and the encryption components of WannaCry have been examined using a wide range of reverse engineering and malware analysis tools. Our static analysis has revealed important information regarding the DLLs and the main Windows functions used by WannaCry, as well as about additional tools, such as the decryption component. Our dynamic analysis has revealed important characteristics and behaviours of WannaCry during its execution. In particular, we identified Tor addresses used for C&C, observed TCP and DNS connections, and SMB probes, as well as actions related to WannaCry persistence and obfuscation.

The findings of this work could be used for designing effective and efficient mitigation mechanisms for WannaCry and other ransomware families that exhibit similar behaviour. This is left as future work. In particular, we plan to investigate the use of software-defined networking (SDN) [13], [14] for ransomware detection and mitigation. SDN is an emerging paradigm of programmable networks that decouples the control and data planes. SDN controllers maintain a view of the entire network and implement policy decisions. On the other hand, each device at the data plane maintains one or more flow tables, where the packet handling rules are stored. This changes the way that networks are designed and managed, and enables new SDN-based security solutions [15]–[17] such as firewalls and intrusion detection systems for various types of malware, including ransomware mitigation [18], [19].

REFERENCES

[1] D. O'Brien, "Ransomware 2017", Internet Security Threat Report, Symantec, July 2017.
[2] K. Savage, P. Coogan, and H. Lau, "The Evolution of Ransomware", Security Response, Symantec, June 2015.
[3] C. Everett, "Ransomware: To pay or not to pay?," Computer Fraud & Security, vol. 4, pp. 8-12, April 2016.
[4] McAfee Labs, "Understanding ransomware and strategies to defeat it," White Paper, 2016.
[5] Symantec, "What you need to know about the WannaCry ransomware," Threat Intelligence, October 2017.
[6] Microsoft Security Bulletin MS17-010 - Critical, March 14, 2017.
[7] REMnux: A Linux Toolkit for Reverse-Engineering and Analyzing Malware, https://remnux.org, accessed June 12, 2018.
[8] VirusShare malware repository, https://virusshare.com, accessed June 12, 2018.
[9] Pestudio, Malware Assessment Tool, https://www.winitor.com, accessed June 12, 2018.
[10] IDA Pro, https://www.hex-rays.com/products/ida, accessed June 12, 2018.
[11] Tor Project, https://www.torproject.org, accessed June 12, 2018.
[12] WinHex: Computer Forensics and Data Recovery Software, https://www.x-ways.net/winhex, accessed June 12, 2018.
[13] B. Nunes, M. Mendonca, X. N. Nguyen, K. Obraczka, and T. Turletti, "A survey of software-defined networking: Past, present, future of programmable networks," IEEE Communications Surveys & Tutorials, vol. 16, no. 3, pp. 1617-1634, Feb. 2014.
[14] V. G. Vassilakis, I. D. Moscholios, B. A. Alzahrani, and M. D. Logothetis, "A software-defined architecture for next-generation cellular networks," Proc. IEEE International Conference on Communications (ICC), Kuala Lumpur, Malaysia, May 2016.
[15] C. Yoon, T. Park, S. Lee, H. Kang, S. Shin, and Z. Zhang, "Enabling security functions with SDN: A feasibility study," Computer Networks, vol. 85, pp. 19-35, July 2015.
[16] J. M. Ceron, C. B. Margi, and L. Z. Granville, "MARS: An SDN-based malware analysis solution," Proc. IEEE Symposium on Computers and Communication (ISCC), Messina, Italy, August 2016.
[17] V. G. Vassilakis, I. D. Moscholios, B. A. Alzahrani, and M. D. Logothetis, "On the security of software-defined next-generation cellular networks," Proc. IEICE Information and Communication Technology Forum (ICTF), Patras, Greece, July 2016.
[18] K. Cabaj and W. Mazurczyk, "Using software-defined networking for ransomware mitigation: The case of CryptoWall," IEEE Network, vol. 30, no. 6, pp. 14-20, Dec. 2016.
[19] K. Cabaj, M. Gregorczyk, and W. Mazurczyk, "Software-defined networking-based crypto ransomware detection using HTTP traffic characteristics," Computer & Electrical Engineering, vol. 66, pp. 353-386, Feb. 2018.
