- Network worm e889544aff85ffaf8b0d0da705105dee7c97fe26
- Encoder dropper: 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
- Encoder: 7d36a6aa8cb6b504ee9213c200c831eb8d4ef26b
- Author’s decoder: 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
A multi-component network worm known as WannaCry. It is written in C/C++, assembled in MS Visual Studio, not packed. Contains two dynamic libraries in its own body. Once launched, it tries to send GET request to a remote server http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com without caching the results. If the worm receives a response from the server, it shuts down.
It is launched as the mssecsvc2.0 Windows system service (visible name—”Microsoft Security Center (2.0) Service”); The worm can receive arguments of the command line. If at least one argument is indicated, the worm tries to open the mssecsvc2.0 service and configure it for the restart in case of an error. After launch, it tries to rename file C:\WINDOWS\tasksche.exe to C:\WINDOWS\qeriuwjhrf, saves from the resources of the Trojan encoder to file C:\WINDOWS\tasksche.exe and runs it with a parameter /i. Within 24 hours after its launch as a system service, the worm automatically shuts itself down.
To spread itself, the worm initializes Windows Sockets, CryptoAPI and launches several threads. One of them lists all network interfaces on the infected PC and checks available servers in the local network; the rest of them generate random IP addresses. The worm tries to connect to these remote servers using port 445. If this port is available, a separate thread is used for the infection of network servers using a vulnerability in the SMB protocol.
A significant part of the dropper is a password protected ZIP archive, which stores the following files:
- b.wnry—file with a wallpaper for the Windows Desktop;
- c.wnry—file with the list of onion servers and an address of the BTC wallet;
- t.wnry—encrypted file with the Trojan encoder. Decoding key is stored in the file itself;
- s.wnry—an archive with a software for operation with the Tor network.
After being launched, it tries to install itself to the following folders:
- %SYSDRIVE%\ProgramData (if this folder exists)
During the installation, the worm creates the corresponding folder, puts inside an enclosed folder with a random name, then creates there its own copy named tasksche.exe.
Attempts to launch its copy as a randomly named system service. If the attempt is unsuccessful, it creates a system service, registers a launch of its own copy inside it using a command interpreter (“cmd.exe /c path”) and runs this service. In case of failure, it runs as an ordinary application.
When the dropper is launched as an application, it tries to write path and name of its current directory to the following system registry branches: HKLM\Software\WanaCrypt0r or HKCU\Software\WanaCrypt0r. Unpacks the archive contents to its current folder, saves to the file c.wncry one of three possible addresses of the BTC wallets. Opens access to the work directory for all system users and installs the hidden argument for it. Then it retrieves the Trojan encoder from the t.wnry file, decrypts it and executes it.
A ransomware Trojan
The encoder is stored in a separate dynamic library. It encrypts files using the AES-128 algorithm. Using the CryptGenKey function, the encoder creates the RSA pair, a public part is saved in a file 00000000.pky, a private part is encrypted with the author’s public key and saved in a file 00000000.eky. The key is generated for each encrypted file using the CryptGenRandom function.
The encrypted file stores:
- Marker (8 bytes): WANACRY!;
- Length of the encrypted key (4 bytes);
- Encrypted key (256 bytes);
- Information on the encryption type (4 bytes);
- Initial file size (8 bytes);
- Encrypted data.
During the course of encryption, a list of files, which could be decrypted in test mode, is created. It is saved to f.wnry. The session AES key for decryption of test files is encrypted with the second RSA key, the private part of which is stored in the Trojan’s body.
The encoder contains the author’s decoder, which performs the following functions:
- Installation of Desktop wallpaper from the file b.wnry;
- Removal of shadow copies;
- Deactivation of the system restoration function;
- Unpacking of software for operation with Tor from the s.wnry file or loading if from the website, address of which is stored in a file in c.wnry.
The decoder accepts the following command line parameters (without arguments):
- fi—retrieves software for the operation with Tor, establishes connection with port 80 of onion servers, indicated in the configuration. Receives from them an address of the BTC wallet and saves it in configuration;
- co—reads from a RES file data on the start of the encryption and, supposedly, sends them to the onion server;
- vs—deletes shadow copies and disables system restoration.
To exchange data with the onion servers, Trojan.Encoder.11432 uses its own protocol. Unfortunately, at present it is impossible to decrypt files encoded by the Trojan.
To share data with remote servers, the Trojan uses its own protocol. It is possible to point out three types of network activity:
- Sending of messages to the Trojan’s authors;
- BTC wallet name request;
- Check of the ransom payment.
Before session, the Trojan checks whether there is an established connection and chooses one of the addresses of an onion server saved in the configuration. To check the operating capability of the server, the Trojan connects to it through the 80th port via the TOR network and installs a session key; after that useful information is sent.
Transmitted data packages are encrypted.
When the Trojan attempts sending a text to the Trojan's authors, and it is shorter than 10 symbols, the malicious program returns an error “Too short message!”. Messages longer than 1000 symbols are shortened to 1000 symbols. The decoder doesn’t allow sending messages too often (these restrictions are implemented in the decoder itself).
When clicking the button of the payment check, the decoder attempts reading a file that contains a public key and a file with the private key. If the reading was successful, it checks their compliance via encryption and decryption of a test buffer. If there is no file with the private key or if the file doesn’t correspond to the file with the public key, the Trojan refers to its servers.
It sends data to the server and then waits for the decrypted EKY file (private part of the RSA key).