WannaCry Analysis Report

Abstract

WannaCry has the advantage of not being obfuscated at all, which makes it comparatively easy to analyze. Once executed, the hard-coded URL

Date

2019-02-23 18:27:00 +0900

Hash

HashCalc: Wannacry.EXE

MD5:    84c82835a5d21bbcf75a61706d8ab549  
SHA1:   5ff465afaabcbf0150d1a3ab2c2e74f3a4426467  
SHA256: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa  
* Wannacry.EXE (ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa)
	* [Drop] XIA2058.zip (5873c1b5b246c80ab88172d3294140a83d711cd64520a0c7dd7837f028146b80)
		* b.wnry
		* c.wnry
		* r.wnry
		* s.wnry
		* t.wnry
		* taskdl.exe (4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79)
		* taskse.exe
		* u.wnry

Time Table

Tools

HashCalc 2.0.2.0, PEiD v0.95, PEview, Resource Hacker, IDA Pro, Dependency Walker

Basic Static Analysis

PEiD / PEview: Checked with PEiD, the file is not packed. To be safe I also looked at it in PEview. The .text, .rdata, .data and .rsrc sections are present, and the **resource section (.rsrc)** in particular stood out.

Resource Hacker: A PK header, normally only seen in ZIP archives, was found inside the resource. I extracted that resource.

HashCalc: extracted resource XIA2058.zip

MD5:    b576ada3366908875e5ce4cb3da6153a  
SHA1:   30f8820cf93a627c66195f0d77d6a409024c6e52  
SHA256: 5873c1b5b246c80ab88172d3294140a83d711cd64520a0c7dd7837f028146b80  

A password is required to extract the archive, but it was easy to find in the main function with IDA Pro.

Password: WNcry@2ol7

Extracting the archive reveals msg files targeting 28 languages; they are characteristically named in the form m_language.wnry.
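As an added example (not code from the original report), the following Python carves a ZIP out of raw resource bytes by its PK local-file-header signature and sorts the entries into the m_<language>.wnry notes described above versus the other dropped files. The resource buffer is constructed in memory as a stand-in for the .rsrc data; unlike the real drop it is not password protected.

```python
"""Carve the ZIP that WannaCry stores as a PE resource and list the dropped
files (added example; not code from the original report). Instead of walking
the PE resource directory, scan the raw resource bytes for the ZIP local file
header signature (PK 03 04) and let zipfile validate each candidate."""
import io
import re
import zipfile
from typing import Dict, Optional

ZIP_LOCAL_HEADER = b"PK\x03\x04"
# Naming pattern of the localized ransom notes: msg/m_<language>.wnry
NOTE_NAME = re.compile(r"^msg/m_[a-z ()]+\.wnry$")


def carve_zip(blob: bytes) -> Optional[zipfile.ZipFile]:
    """Return the first embedded archive that passes a full CRC check."""
    for m in re.finditer(re.escape(ZIP_LOCAL_HEADER), blob):
        try:
            zf = zipfile.ZipFile(io.BytesIO(blob[m.start():]))
            if zf.testzip() is None:  # None means every entry's CRC matched
                return zf
        except zipfile.BadZipFile:
            continue  # false-positive signature, keep scanning
    return None


def classify_entries(zf: zipfile.ZipFile) -> Dict:
    """Split archive entries into ransom notes and the other dropped files."""
    names = zf.namelist()
    notes = sorted(n for n in names if NOTE_NAME.match(n))
    others = sorted(n for n in names if n not in notes)
    return {"notes": notes, "others": others, "languages": len(notes)}


def build_sample_blob() -> bytes:
    """Constructed resource data: unrelated bytes around a small unencrypted ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for lang in ("english", "korean", "chinese (simplified)"):
            zf.writestr(f"msg/m_{lang}.wnry", f"ransom note ({lang})")
        zf.writestr("c.wnry", b"\x00" * 16)
        zf.writestr("taskdl.exe", b"MZ" + b"\x00" * 14)
    return b"RT_RCDATA" + b"\x00" * 32 + buf.getvalue() + b"\x00" * 8


if __name__ == "__main__":
    print(classify_entries(carve_zip(build_sample_blob())))
```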

Strings

176 target file extensions, and the socket library (WS2_32.dll).

```text
WanaCrypt0r
SHELL32.dll OLEAUT32.dll WS2_32.dll
RSA2 CryptEncrypt
%s\Intel %s\ProgramData
cmd.exe /c "%s"
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Global\MsWinZonesCacheCounterMutexA
tasksche.exe TaskStart
icacls . /grant Everyone:F /T /C /Q
GetNativeSystemInfo diskpart.exe
PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
.der .pfx .key .crt .csr .p12 .pem .odt .ott .sxw .stw .uot .3ds .max .3dm .ods
.ots .sxc .stc .dif .slk .wb2 .odp .otp .sxd .std .uop .odg .otg .sxm .mml .lay
.lay6 .asc .sqlite3 .sqlitedb .sql .accdb .mdb .db .dbf .odb .frm .myd .myi .ibd .mdf .ldf
.sln .suo .cs .cpp .pas .asm .js .cmd .bat .ps1 .vbs .vb .pl .dip .dch .sch
.brd .jsp .php .asp .rb .java .jar .class .sh .mp3 .wav .swf .fla .wmv .mpg .vob
.mpeg .asf .avi .mov .mp4 .3gp .mkv .3g2 .flv .wma .mid .m3u .m4u .djvu .svg .ai
.psd .nef .tiff .tif .cgm .raw .gif .png .bmp .jpg .jpeg .vcd .iso .backup .zip .rar
.7z .gz .tgz .tar .bak .tbk .bz2 .PAQ .ARC .aes .gpg .vmx .vmdk .vdi .sldm .sldx
.sti .sxi .602 .hwp .snt .onetoc2 .dwg .pdf .wk1 .wks .123 .rtf .csv .txt .vsdx .vsd
.edb .eml .msg .ost .pst .potm .potx .ppam .ppsx .ppsm .pps .pot .pptm .pptx .ppt .xltm
.xltx .xlc .xlm .xlt .xlw .xlsb .xlsm .xlsx .xls .dotx .dotm .dot .docm .docb .docx .doc
60284:WANACRY!
```

Import Table

Dependency Walker:

| DLL | Imports | Purpose |
|---|---|---|
| KERNEL32.DLL | CreateFileA, ReadFile, WriteFile, CopyFileA | File creation, reading, writing, copying |
| | CreateProcessA | Process creation |
| | FindResourceA, LoadResource, LockResource, SizeofResource | Resource handling |
| | GetComputerNameW | Computer name check |
| | LoadLibraryA, GetProcAddress | Library handling |
| | OpenMutexA | Opening a mutex |
| USER32.DLL | | |
| ADVAPI32.DLL | OpenServiceA, CreateServiceA, OpenSCManagerA, StartServiceA | Opening and creating services |
| | RegCreateKeyW, RegSetValueExA | Creating registry keys/values |
| MSVCRT.DLL | | |

Dynamic Analysis

Encrypted files are renamed with the .WNCRY extension, and each file's creation time is changed to a different random time in 2010.

```text
PID 1320 2019-02-23 17:05:03.350 C:\Users\j3rrry\Desktop\WannaCry.EXE
	PID 2832 2019-02-23 17:05:03.662 C:\Windows\SysWOW64\attrib.exe (CommandLine: attrib +h .)
	PID 552  2019-02-23 17:05:03.678 C:\Windows\SysWOW64\icacls.exe (CommandLine: icacls . /grant Everyone:F /T /C /Q)
	PID 3032 2019-02-23 17:05:05.082 C:\Users\j3rrry\Desktop\taskdl.exe
	PID 2684 2019-02-23 17:05:05.331 C:\Windows\SysWOW64\cmd.exe (CommandLine: cmd /c 251331550941505.bat)
		PID 1124 2019-02-23 17:05:05.425 C:\Windows\SysWOW64\cscript.exe (CommandLine: cscript.exe  //nologo m.vbs)
	PID 1444 2019-02-23 17:05:35.205 C:\Users\j3rrry\Desktop\taskdl.exe
	PID 2912 2019-02-23 17:05:40.338 C:\Users\j3rrry\Desktop\@WanaDecryptor@.exe (CommandLine: @WanaDecryptor@.exe co)
		2019-02-23 17:05:41.664 C:\Users\j3rrry\Desktop\TaskData\Tor\libeay32.dll
		2019-02-23 17:05:41.679 C:\Users\j3rrry\Desktop\TaskData\Tor\libevent-2-0-5.dll
		PID 2684 2019-02-23 17:05:43.021 C:\Users\j3rrry\Desktop\TaskData\Tor\taskhsvc.exe
			2019-02-23 17:05:45.908 Network connection detected port:49177<->49178
			192.168.10.128:49179 -> 124.111.4.46.in-addr.arpa(46.4.111.124):9001
			49181 -> 38.244.47.212.in-addr.arpa(212.47.244.38):443
			2019-02-23 17:05:55.788 49183 -> 219.204.90.93.in-addr.arpa(93.90.204.219):9001
			2019-02-23 17:05:55.782 49182 -> 40.78.39.5.in-addr.arpa(5.39.78.40):443
			2019-02-23 17:05:55.746 49184 -> 2.221.154.95.in-addr.arpa(95.154.221.2):9001
			2019-02-23 17:06:18.120 127.0.0.1:9050 -> 127.0.0.1:49185
			2019-02-23 17:06:18.136 127.0.0.1:9050 <-> 127.0.0.1:49186

	PID 2300 2019-02-23 17:05:40.353 C:\Windows\SysWOW64\cmd.exe (CommandLine: cmd.exe /c start /b @WanaDecryptor@.exe vs)
		PID 2496 2019-02-23 17:05:40.463 C:\Users\j3rrry\Desktop\@WanaDecryptor@.exe (CommandLine: @WanaDecryptor@.exe  vs)
			PID 2232 2019-02-23 17:05:50.618 C:\Windows\SysWOW64\cmd.exe (CommandLine: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet)
				PID 2368 2019-02-23 17:05:50.759 C:\Windows\SysWOW64\vssadmin.exe (CommandLine: vssadmin  delete shadows /all /quiet)
				PID 2840 2019-02-23 17:05:51.008 C:\Windows\SysWOW64\wbem\WMIC.exe (CommandLine: wmic  shadowcopy delete)
	PID 1408 2019-02-23 17:06:05.235 C:\Users\j3rrry\Desktop\taskse.exe (Description: waitfor - wait/send a signal over a network) (CommandLine: taskse.exe C:\Users\j3rrry\Desktop\@WanaDecryptor@.exe)
	PID 1124 2019-02-23 17:06:05.251 C:\Users\j3rrry\Desktop\@WanaDecryptor@.exe
	PID 2732 2019-02-23 17:06:05.251 C:\Windows\SysWOW64\cmd.exe (CommandLine: cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ymxvnhpzjcdshli021" /t REG_SZ /d "\"C:\Users\j3rrry\Desktop\tasksche.exe\"" /f)
		PID 2156 2019-02-23 17:06:05.360 C:\Windows\SysWOW64\reg.exe (CommandLine: reg  add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ymxvnhpzjcdshli021" /t REG_SZ /d "\"C:\Users\j3rrry\Desktop\tasksche.exe\"" /f)
	PID 2496 2019-02-23 17:06:05.298 C:\Users\j3rrry\Desktop\taskdl.exe
	PID 2124 2019-02-23 17:06:35.375 C:\Users\j3rrry\Desktop\taskdl.exe
	PID 2732 2019-02-23 17:06:35.453 C:\Users\j3rrry\Desktop\@WanaDecryptor@.exe
	PID 2556 2019-02-23 17:06:35.453 C:\Users\j3rrry\Desktop\taskse.exe (CommandLine: taskse.exe C:\Users\j3rrry\Desktop\@WanaDecryptor@.exe)
	PID 3060 2019-02-23 17:07:05.467 C:\Users\j3rrry\Desktop\@WanaDecryptor@.exe
	PID 2372 2019-02-23 17:07:05.467
```
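Detection logic built from the command lines in the tree above, as an added example that is not part of the original report: it parses the report's own "PID <pid> <time> <image> (CommandLine: ...)" layout (Sysmon Event ID 1 fields in a real deployment) and tags shadow-copy deletion, boot-recovery tampering, backup-catalog deletion, Run-key persistence, ACL weakening and the hidden attribute. The sample log lines are constructed from the tree observed here.

```python
"""Detection rules for the command lines observed in the WannaCry process tree
(added example; not part of the original report). The sample lines below are
constructed in the report's own layout; in production the same rules would run
over Sysmon Event ID 1 CommandLine fields."""
import re
from typing import Dict, List

# (tag, regex matched against the lower-cased command line)
RULES = [
    ("shadow-copy-deletion", r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete"),
    ("recovery-disabled", r"bcdedit\s+/set\s+\{default\}\s+"
                          r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)"),
    ("backup-catalog-deletion", r"wbadmin\s+delete\s+catalog"),
    ("run-key-persistence", r"reg\s+add\s+hklm\\software\\microsoft\\windows\\currentversion\\run"),
    ("acl-weakening", r"icacls\s+\S+\s+/grant\s+everyone:f"),
    ("hide-files", r"attrib\s+\+h"),
]
COMPILED = [(tag, re.compile(rx)) for tag, rx in RULES]
LINE_RE = re.compile(
    r"PID\s+(?P<pid>\d+)\s+(?P<ts>\S+\s+\S+)\s+(?P<image>\S+)"
    r"(?:.*?\(CommandLine:\s*(?P<cmd>.*)\))?$"
)


def scan(lines: List[str]) -> List[Dict]:
    """Return one finding per log line whose command line matches a rule."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or not m.group("cmd"):
            continue  # image-load and network lines carry no command line
        cmd = m.group("cmd").lower()
        tags = [tag for tag, rx in COMPILED if rx.search(cmd)]
        if tags:
            findings.append({"pid": int(m.group("pid")),
                             "image": m.group("image").rsplit("\\", 1)[-1],
                             "tags": tags})
    return findings


# Constructed sample log: the relevant lines of the observed tree, same layout
SAMPLE_LOG = [
    r"PID 1320 2019-02-23 17:05:03.350 C:\Users\j3rrry\Desktop\WannaCry.EXE",
    r"PID 2832 2019-02-23 17:05:03.662 C:\Windows\SysWOW64\attrib.exe (CommandLine: attrib +h .)",
    r"PID 552  2019-02-23 17:05:03.678 C:\Windows\SysWOW64\icacls.exe (CommandLine: icacls . /grant Everyone:F /T /C /Q)",
    r"PID 2232 2019-02-23 17:05:50.618 C:\Windows\SysWOW64\cmd.exe (CommandLine: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet)",
    r'PID 2156 2019-02-23 17:06:05.360 C:\Windows\SysWOW64\reg.exe (CommandLine: reg  add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ymxvnhpzjcdshli021" /t REG_SZ /d "\"C:\Users\j3rrry\Desktop\tasksche.exe\"" /f)',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```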

File creation time changed: UtcTime: 2019-02-23 17:05:05.363 TargetFilename: C:\Users\j3rrry\Desktop\a.txt.WNCRYT CreationUtcTime: 2019-02-23 16:52:51.100 PreviousCreationUtcTime: 2019-02-23 17:05:05.347

C:\@Please_Read_Me@.txt

MD5:    7a2726bb6e6a79fb1d092b7f2b688af0  
SHA1:   b3effadce8b76aee8cd6ce2eccbb8701797468a2  
SHA256: 840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5  

C:\Users\j3rrry\Desktop\251331550941505.bat.WNCRYT 2019-02-23 17:05:05.597 C:\iDefense\MAP\delphi_filter.txt.WNCRYT