WannaCry : Dissecting Its Packages & A Tool (Anti-WannaCry)

Author - Abdur Rafi, CISO, ABP Pvt. Ltd., India

A series of broad attacks began that spread the latest version of the WanaCryptor ransomware. This attack, also referred to as WannaCrypt or WannaCry, reportedly impacted the systems of public and private organizations worldwide. It caused Britain's NHS to cancel surgeries, crippled a wide array of Russian and Chinese private and public institutions for most of the day, and left the rest of the world to recoil in shock.

Here's a solution: Anti-WannaCry, developed by the ABP IT Security Team at the Kolkata DataCentre, India, and launched on 15th May 2017.

Anti-WannaCry is a complete framework that not only finds and removes any traces of WannaCry from the PC, but also actively stops any future infection, so the system is protected against further WannaCry attacks.

It is a self-contained, client-based solution. It is not tied to a specific Windows version, but .NET Framework 4.5 is required (so the host must be Windows Vista SP2 / Server 2008 SP2 or later).

It is based on behavioural analysis rather than signatures. It does not require internet connectivity or updates to work, so it also runs on isolated systems with no network or internet access.

The structure of its 360-degree protection system is shown in the diagram below:

It monitors and protects each of these vectors against WannaCry-related infection, and actively stops the ransomware's execution and spread. (See more at: https://youtu.be/sJzeb30SwBQ)

Please download a copy from the link here and evaluate it yourself.

(Link provided by the author; please be careful when navigating outside cisoplatform.)

What is WannaCry?

WannaCry is the latest ransomware, affecting PCs and servers like wildfire. The functional architecture of the ransomware is shown below:

If you execute the ransomware, you can see the following files:

Dissecting Its Package - Part 1

  • File footprint after execution:
    • WannaCry.exe
    • tasksche.exe (launched with the /i switch)
  • Anti-detection / stealth:
    • OpenServiceA@ADVAPI32.DLL called from PID 00003256

Some interesting ransomware code snippets:

Dissecting Its Package - Part 2

Features of WannaCry:

  • Contains a remote-desktop-related string.
  • Reads Terminal Services registry keys (RDP-related).
  • Uses network protocols on unusual ports.
  • Deletes volume snapshots (shadow copies).
  • Disables startup repair.
  • Modifies auto-execute functionality by setting/creating values in the registry.
  • Spawns a lot of processes.
  • Tries to suppress failures during boot (often used to hide system changes).
  • Reads system information using the Windows Management Instrumentation Command-line (WMIC).
  • Reads the active computer name.
  • Reads the cryptographic machine GUID.

Dissecting Its Package - Part 3

Some of the interesting processes WannaCry interacts with, executes, or creates:

  • attrib.exe
  • taskdl.exe
  • cmd.exe with command line "cmd /c 44651494617562.bat"
  • attrib.exe with command line "attrib +h +s %SAMPLEDIR%\$RECYCLE" (marks the dropped files hidden and system)
  • cscript.exe with command line "//nologo m.vbs"
  • @WanaDecryptor@.exe with command line "co"
  • cmd.exe with command line "/c start /b @WanaDecryptor@.exe vs"
  • taskhsvc.exe with command line "TaskData\Tor\taskhsvc.exe" (the bundled Tor client)
  • taskse.exe with command line "C:\@WanaDecryptor@.exe"
  • HTTP request to http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.testing

(Kill switch for WannaCry v2.0: the sample checks whether this domain answers before it runs, so a reachable domain stops it. A host that cannot reach it directly, for example one that only gets out through an authenticating proxy, gets no protection from the kill switch.)
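The tool described above is behaviour-based rather than signature-based, and Parts 2 and 3 list exactly the behaviours and command lines such a rule set would key on. The script below is an added example (it is not the Anti-WannaCry tool's code, nor anything from the original post): it runs a small set of weighted behavioural rules over constructed process-creation and outbound-request log lines and scores each host. The log format is an assumption made for the demonstration; the vssadmin, wmic, bcdedit and wbadmin command strings are the Windows commands that correspond to the page's "deletes volume snapshots", "disables startup repair" and "suppresses failures during boot" behaviours and are not quoted from the page.

```python
"""Behaviour-based triage of Windows process-creation / outbound-request events for WannaCry activity.

Added example for this page, not the Anti-WannaCry tool's code. Rules are built from the behaviours
(Part 2) and command lines (Part 3) listed on the page. Assumptions: the log format below is
constructed for the demonstration; the vssadmin/wmic/bcdedit/wbadmin strings are the Windows
commands behind "deletes volume snapshots", "disables startup repair" and "suppresses boot failures".
"""
import re
from collections import defaultdict

# (rule name, weight, regex applied to the process command line or the requested URL)
RULES = [
    ("shadow_copy_deletion", 5, re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("startup_repair_disabled", 4, re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("backup_catalog_deleted", 4, re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("wanadecryptor_launch", 5, re.compile(r"@WanaDecryptor@\.exe", re.I)),
    ("tasksche_install", 4, re.compile(r"\btasksche\.exe\s+/i\b", re.I)),
    ("helper_binaries", 3, re.compile(r"\b(taskdl|taskse)\.exe\b", re.I)),
    ("bundled_tor", 3, re.compile(r"TaskData\\Tor\\taskhsvc\.exe", re.I)),
    ("hide_dropped_files", 2, re.compile(r"attrib(\.exe)?\s+\+h\s+\+s\b", re.I)),
    ("vbs_helper", 2, re.compile(r"cscript(\.exe)?\s+//nologo\s+m\.vbs", re.I)),
    ("numeric_bat_dropper", 2, re.compile(r"cmd(\.exe)?\s+/c\s+\d{10,}\.bat", re.I)),
    ("killswitch_probe", 3, re.compile(r"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea", re.I)),
]

# One event per line (constructed format): <timestamp> <host> <PROC|NET> pid=<n> cmd="..." | url="..."
LOG_LINE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<kind>PROC|NET)\s+pid=(?P<pid>\d+)\s+(?:cmd|url)="(?P<payload>.*)"$'
)


def parse_event(line):
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def match_rules(payload):
    """Return {rule name: weight} for every rule the command line or URL triggers."""
    return {name: weight for name, weight, rx in RULES if rx.search(payload)}


def verdict_for(score):
    # One strong behaviour on its own (an admin running vssadmin) is worth a look, not an alert.
    if score >= 10:
        return "wannacry-activity"
    if score >= 4:
        return "suspicious"
    return "low"


def triage(log_text):
    """Score each host: a rule counts once per host no matter how many events trigger it."""
    per_host = defaultdict(dict)
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev is None:
            unparsed += 1
            continue
        per_host[ev["host"]].update(match_rules(ev["payload"]))
    report = {}
    for host, hits in per_host.items():
        score = sum(hits.values())
        report[host] = {"score": score, "hits": sorted(hits), "verdict": verdict_for(score)}
    return report, unparsed


# Constructed sample: WS-17 replays the Part 3 process list, WS-04 and WS-09 are benign look-alikes.
SAMPLE_LOG = r"""
2017-05-15T09:12:00Z WS-17 NET pid=3256 url="http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.testing"
2017-05-15T09:12:01Z WS-17 PROC pid=3256 cmd="C:\Users\bob\Downloads\WannaCry.exe"
2017-05-15T09:12:02Z WS-17 PROC pid=3288 cmd="C:\ProgramData\tasksche.exe /i"
2017-05-15T09:12:03Z WS-17 PROC pid=3300 cmd="cmd /c 44651494617562.bat"
2017-05-15T09:12:03Z WS-17 PROC pid=3310 cmd="attrib +h +s C:\ProgramData\$RECYCLE"
2017-05-15T09:12:04Z WS-17 PROC pid=3320 cmd="cscript //nologo m.vbs"
2017-05-15T09:12:05Z WS-17 PROC pid=3330 cmd="cmd /c start /b @WanaDecryptor@.exe vs"
2017-05-15T09:12:06Z WS-17 PROC pid=3340 cmd="cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"
2017-05-15T09:12:07Z WS-17 PROC pid=3350 cmd="TaskData\Tor\taskhsvc.exe"
2017-05-15T09:12:08Z WS-17 PROC pid=3360 cmd="taskse.exe C:\@WanaDecryptor@.exe"
2017-05-15T09:13:11Z WS-04 PROC pid=1180 cmd="vssadmin delete shadows /for=C: /oldest"
2017-05-15T09:14:22Z WS-09 PROC pid=2204 cmd="attrib +h +s C:\Users\alice\Desktop\notes.txt"
"""

if __name__ == "__main__":
    report, bad = triage(SAMPLE_LOG)
    for host, r in sorted(report.items()):
        print(f"{host}: {r['verdict']} (score {r['score']}) {r['hits']}")
    print(f"unparsed lines: {bad}")
```

Weighting is the point: a lone `vssadmin delete shadows` is also what an administrator reclaiming disk space types, so WS-04 only scores "suspicious", while the combination of shadow deletion, the @WanaDecryptor@ launch and the bundled Tor client pushes WS-17 well past the alert threshold. Any one of these rules would be a poor signature on its own; together they describe behaviour, which is why a rule set like this keeps working offline without updates.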

Dissecting Its Package - Part 4

Some of the interesting strings found inside the binary and memory dump of WannaCry:

  • !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~ (a character table with a–z mapped to uppercase, i.e. the C runtime's case-conversion table, a compiler artifact rather than ransomware logic)
  • https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
  • \\172.16.99.5\IPC$ (the worm connects to the IPC$ share of hosts it tries to spread to)
  • \\192.168.56.20\IPC$ (the worm connects to the IPC$ share of hosts it tries to spread to)
  • C:\%s\qeriuwjhrf
  • C:\WannaCrya.exe
  • C@GW?M[3
  • cmd.exe /c "%s"
  • CryptImportKey
  • DisableLocalOverride
  • DisablePassport
  • diskpart.exe
  • GetAdaptersInfo
  • GetCommandLineA
  • GetComputerNameW
  • GetCPInfo
  • GetCurrentProcess
  • GetCurrentProcessId
  • GetExitCodeProcess
  • GetLastError
  • GetNativeSystemInfo