WanaCrypt0r Ransomware Worm Full Analysis Report (English Version)

WanaCrypt0r Ransomware Analysis Report

0x1 Introduction

Earlier, 360 Internet Security Center detected a new variant of ransomware that targets both enterprises and individuals in multiple countries and regions. 360 released a timely emergency warning upon detection to remind the nation of the upcoming risks. Generally, ransomware is a kind of malicious program with a clear extortion intent. It encrypts the victim's files using an asymmetric cryptographic algorithm, making them inaccessible, and demands a ransom payment to decrypt them. Unless the ransom is paid, the files cannot be restored. This new variant has been code-named WanaCrypt0r by several security companies. What makes it so deadly is that it makes use of the hacking tool "EternalBlue", which was stolen from the NSA arsenal. This also explains why WanaCrypt0r was able to spread itself so quickly all over the globe and cause great loss in a very short time. 360 Helios Team is the APT (Advanced Persistent Attack) research and analysis team under 360 Internet Security Center, mainly dedicated to APT attack investigation and threat incident response. They have done a thorough analysis of the ransomware and published it for better public understanding and defense.

0x2 Sample

MD5: DB349B97C37D22F5EA1D1841E3C89EB4
File size: 3,723,264
Affected systems: All Windows systems without the MS17-010 patch, except Windows 10, are potential targets at high risk.
Function: Releases the encryption program and spreads itself by exploiting the vulnerability MS17-010

0x03 Attack Procedures

This variant exploits the Microsoft vulnerability MS17-010 to spread itself. Once one device is compromised, the ransomware immediately attacks nearby devices in the same network. The whole network is soon compromised, and the number of victims increases geometrically in a short period. The attack procedures are as follows:

0x04 Launch

  1. When the ransomware launches, it first tries to connect to a specific URL: http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
    a) If the connection succeeds, the ransomware quits automatically
    b) If the connection fails, the infection continues
  2. Then the ransomware checks the number of command-line parameters. If there are fewer than two, the installation starts; when there are more than two, a service is created.
    a) Installation
    i. Create a service with the name "mssecsvc2.0"
    ● The service parameter is the current path followed by "-m security"
    ii. Release and launch the exe
    ● Move the current C:\WINDOWS\tasksche.exe to C:\WINDOWS\qeriuwjhrf
    ● Release resource 1831 (MD5: 84C82835A5D21BBCF75A61706D8AB549) to C:\WINDOWS\tasksche.exe, then start it with the parameter /i
    b) Create a Service
    i. The infection is executed in the service function. 24 hours after execution, mssecsvc2.0 quits automatically.
    ii. Infection
    ● Initialize the network and cryptography libraries, as well as the payload DLL.
    a) The payload comes in two versions: x86 and x64
    b) The function releases the resource to C:\windows\mssecsvc.exe for execution.
    ● Start a thread that repeatedly sends the SMB exploit code to random IPs in the local area network.
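A defender-side check for the launch indicators above, added here as an example and not part of the 360 Helios analysis: it scans constructed DNS-query and Windows service-install/process-creation log lines for the kill-switch lookup, the mssecsvc2.0 service and execution of the dropped executables. The log line formats and host names are assumptions; only the indicators come from the report.

```python
import re

# Indicators from the report: kill-switch domain, service name, dropped files.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SERVICE_NAME = "mssecsvc2.0"
DROPPED_PATHS = ("c:\\windows\\tasksche.exe", "c:\\windows\\mssecsvc.exe")
# Constructed sample logs; the formats are assumptions, not a real product's.
DNS_LOG = [  # "<ts> <host> query A <name> <rcode>"
    "2017-05-12T07:44:01Z host1 query A www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN",
    "2017-05-12T07:44:05Z host1 query A update.microsoft.com NOERROR",
    "2017-05-12T07:45:10Z host2 query A www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR",
]
EVENT_LOG = [  # "<ts> <host> Key=Value ..." (7045 = service installed, 4688 = process created)
    '2017-05-12T07:44:03Z host1 EventID=7045 ServiceName=mssecsvc2.0 ImagePath="C:\\WINDOWS\\mssecsvc.exe -m security"',
    '2017-05-12T07:44:09Z host1 EventID=4688 NewProcessName=C:\\WINDOWS\\tasksche.exe CommandLine="tasksche.exe /i"',
    '2017-05-12T07:50:00Z host3 EventID=7045 ServiceName=Spooler ImagePath="C:\\Windows\\System32\\spoolsv.exe"',
]
DNS_RE = re.compile(r"^(\S+) (\S+) query A (\S+) (\S+)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def scan_dns(lines):
    """Flag kill-switch lookups: the worm quits only on success, so NXDOMAIN means it went on."""
    findings = []
    for line in lines:
        m = DNS_RE.match(line.strip())
        if m and m.group(3).lower() == KILL_SWITCH_DOMAIN:
            host, rcode = m.group(2), m.group(4)
            severity = "info" if rcode == "NOERROR" else "high"
            findings.append((host, "kill_switch_lookup", rcode, severity))
    return findings


def scan_events(lines):
    """Flag the mssecsvc2.0 service install and execution of the dropped files."""
    findings = []
    for line in lines:
        parts = line.strip().split(" ", 2)
        if len(parts) < 3:
            continue
        host, kv = parts[1], {k: v.strip('"') for k, v in KV_RE.findall(parts[2])}
        if kv.get("ServiceName", "").lower() == SERVICE_NAME:
            findings.append((host, "service_install", kv["ServiceName"], "high"))
        image = (kv.get("NewProcessName") or kv.get("ImagePath") or "").lower()
        if image.startswith(DROPPED_PATHS):
            findings.append((host, "dropped_file_exec", image, "high"))
    return findings


def hosts_to_isolate(dns_lines, event_lines):
    """Hosts with at least one high-severity finding, sorted for triage."""
    hits = scan_dns(dns_lines) + scan_events(event_lines)
    return sorted({host for host, _, _, sev in hits if sev == "high"})
```

A NOERROR answer for the kill-switch domain is only informational because the worm exits once the connection succeeds; the failed lookup on host1 is the case that needs isolation.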

0x05 Exploit

Through analysis of the SMB packets, we found that the exploit code is almost the same as that in https://github.com/rapid7/metasploit-framework, which is the toolkit of EternalBlue.

The SMB data packet of WanaCrypt0r is:

The SMB data packet used in the EternalBlue toolkit:

The content of the file at https://github.com/RiskSense-Ops/MS17-010/tree/master/exploits/eternalblue/orig_shellcode is found in DB349B97C37D22F5EA1D1841E3C89EB4.

orig_shellcode:

DB349B97C37D22F5EA1D1841E3C89EB4:

0x06 Released Files

When launched successfully, the worm releases files in the following procedure.


The released files and their functions are listed as follows:

0x07 Key Encryption Process

The worm releases an encryption module into memory and loads the DLL directly from memory. The DLL exports the function "TaskStart", which is used to activate the whole encryption process. The DLL dynamically resolves the file-system and encryption-related API functions in order to avoid static detection.

The whole encryption process is completed using both RSA and AES. While the RSA encryption uses Microsoft CryptoAPI, the AES code is statically compiled and linked into the DLL. The encryption process is shown in the picture below:


List of the keys used:


The suffix list of the encrypted files:


".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pst", ".ost", ".msg", ".eml", ".vsd", ".vsdx", ".txt", ".csv", ".rtf", ".123", ".wks", ".wk1", ".pdf", ".dwg", ".onetoc2", ".snt", ".jpeg", ".jpg", ".docb", ".docm", ".dot", ".dotm", ".dotx", ".xlsm", ".xlsb", ".xlw", ".xlt", ".xlm", ".xlc", ".xltx", ".xltm", ".pptm", ".pot", ".pps", ".ppsm", ".ppsx", ".ppam", ".potx", ".potm", ".edb", ".hwp", ".602", ".sxi", ".sti", ".sldx", ".sldm", ".sldm", ".vdi", ".vmdk", ".vmx", ".gpg", ".aes", ".ARC", ".PAQ", ".bz2", ".tbk", ".bak", ".tar", ".tgz", ".gz", ".7z", ".rar", ".zip", ".backup", ".iso", ".vcd", ".bmp", ".png", ".gif", ".raw", ".cgm", ".tif", ".tiff", ".nef", ".psd", ".ai", ".svg", ".djvu", ".m4u", ".m3u", ".mid", ".wma", ".flv", ".3g2", ".mkv", ".3gp", ".mp4", ".mov", ".avi", ".asf", ".mpeg", ".vob", ".mpg", ".wmv", ".fla", ".swf", ".wav", ".mp3", ".sh", ".class", ".jar", ".java", ".rb", ".asp", ".php", ".jsp", ".brd", ".sch", ".dch", ".dip", ".pl", ".vb", ".vbs", ".ps1", ".bat", ".cmd", ".js", ".asm", ".h", ".pas", ".cpp", ".c", ".cs", ".suo", ".sln", ".ldf", ".mdf", ".ibd", ".myi", ".myd", ".frm", ".odb", ".dbf", ".db", ".mdb", ".accdb", ".sql", ".sqlitedb", ".sqlite3", ".asc", ".lay6", ".lay", ".mml", ".sxm", ".otg", ".odg", ".uop", ".std", ".sxd", ".otp", ".odp", ".wb2", ".slk", ".dif", ".stc", ".sxc", ".ots", ".ods", ".3dm", ".max", ".3ds", ".uot", ".stw", ".sxw", ".ott", ".odt", ".pem", ".p12", ".csr", ".crt", ".key", ".pfx", ".der"


Note that during the encryption process, the ransomware randomly selects some files to encrypt with the built-in RSA public key, in order to offer a few files that victims can decrypt for free.

The file paths of the free files can be found in the file 'f.wnry'.

0x08 Decryption Process

First, the decryption routine releases taskhsvc.exe to query payment information from the server. If the ransom is paid, the server sends the file 'eky' to the attacker, who uses it to decrypt and obtain the file 'dky', which is the decrypted key.
In contrast to the encryption process, the decryption routine obtains the key from the file 'dky' downloaded from the server.

If there is no file named 'dky', the routine uses a built-in key, which is used to decrypt some free files.

Then the routine reads the encrypted data from the file header and calls 'CryptDecrypt' with the imported key to decrypt it, obtaining the AES key with which the file is decrypted again. Finally it recovers the original documents.

Conclusion

Ransomware WanaCrypt0r is the first of its kind to use a high-level remote vulnerability to achieve self-replication and spread. The impact of this worm reminds us of two other infamous worms, Worm.Blaster (or Lovesan) and Sasser. Compared with those two, WanaCrypt0r's programming conventions and procedures stick more closely to cryptographic standards, so it is incredibly difficult to decrypt the files without the encryption key (however, since the files are not deleted completely, some of them are still likely to be restorable using recovery tools). In the meantime, Microsoft has released an emergency patch for Windows XP and 2003, systems for which security updates have normally been stopped. Please download the patch for MS17-010 to protect your computer from WanaCrypt0r.

About

360 Helios Team is the APT (Advanced Persistent Attack) research and analysis team in Qihoo 360.
The team is dedicated to APT attack investigation, threat incident response and underground economy industrial chain studies.
Since its establishment in December 2014, the team has successfully integrated 360's big data base and built up a quick reversing and correlation procedure.
So far, more than 30 APT and underground economy groups have been discovered and revealed.
360 Helios also provides threat intelligence assessment and response solutions for enterprises.
