WannaCry: Dissecting Its Packages & A Tool (Anti-WannaCry)

Author - Abdur Rafi, CISO, ABP Pvt. Ltd., India

A series of broad attacks began that spread the latest version of the WanaCryptor ransomware. This attack, also referred to as WannaCrypt or WannaCry, reportedly impacted systems of public and private organizations worldwide. The attack caused Britain's NHS to cancel surgeries, a wide array of Russian and Chinese private and public institutions to be crippled for most of the day, and the rest of the world to recoil in shock.

Here's a solution: Anti-WannaCry, developed by the ABP IT Security Team at the Kolkata Data Centre, India, and launched on 15th May 2017.

Anti-WannaCry is a complete framework that not only finds and removes any traces of WannaCry from the PC, but also actively stops any future infection, making the system immune to future WannaCry attacks.

It is a self-contained, client-based solution. It is OS independent, but .NET Framework version 4.5 is required.

It works on behavioral analysis and is not signature dependent. It does not require any internet connectivity or updates to work properly, so it can also run on isolated systems with no network or internet access.

The structure of its 360-degree protection system covers all of the following:

It monitors and protects all of these vectors against WannaCry-related infection, and actively stops its execution and spread. (See more at: https://youtu.be/sJzeb30SwBQ)

Please download a copy yourself to evaluate from here.

(Link was provided by author, please be careful while navigating outside cisoplatform.)

What is WannaCry?

WannaCry is the latest ransomware, affecting PCs and servers like wildfire. The functional architecture of the ransomware is shown below:

If you execute the ransomware, you can see the following files:

Dissecting Its Package - Part 1

  • After-execution file footprint:
    • WannaCry.exe
    • Tasksche.exe (with /i switch)
  • Anti-detection / stealthiness:
    • OpenServiceA@ADVAPI32.DLL at PID 00003256

Some interesting ransomware code snippet

Dissecting Its Package - Part 2

Features of WannaCry:

  • Contains a remote desktop related string.
  • Reads terminal service related keys (RDP related).
  • Uses network protocols on unusual ports.
  • Deletes volume snapshots.
  • Disables startup repair.
  • Modifies auto-execute functionality by setting/creating values in the registry.
  • Spawns a lot of processes.
  • Tries to suppress failures during boot (often used to hide system changes).
  • Reads system information using Windows Management Instrumentation Command line (WMIC).
  • Reads the active computer name.
  • Reads the cryptographic machine GUID.

Dissecting Its Package - Part 3

Some of the interesting processes that WannaCry interacts with, executes, or creates:

  • attrib.exe
  • taskdl.exe
  • cmd.exe with command line "cmd /c 44651494617562.bat"
  • attrib.exe with command line "attrib +h +s %SAMPLEDIR%\$RECYCLE"
  • cscript.exe with command line "//nologo m.vbs"
  • @WanaDecryptor@.exe with command line "co"
  • cmd.exe with command line "/c start /b @WanaDecryptor@.exe vs"
  • taskhsvc.exe with command line "TaskData\Tor\taskhsvc.exe"
  • taskse.exe with command line "C:\@WanaDecryptor@.exe"
  • http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.testing

(Kill switch for WannaCry v2.0)
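As an added example (not part of the original post and not code from the Anti-WannaCry tool), the behaviours listed in Parts 2 and 3 turned into process-creation detection rules in Python. The event lines are constructed in a flattened Sysmon-like "parent | image | command line" format; the vssadmin and bcdedit patterns are the assumed commands behind the "deletes volume snapshots" and "disables startup repair" behaviours, since the page names the behaviours but not the commands.

```python
import re

# Constructed sample of process-creation events ("parent | image | command line",
# flattened from a Sysmon Event ID 1 style record); not real telemetry.
SAMPLE_EVENTS = [
    r"explorer.exe | C:\Users\u\Desktop\WannaCry.exe | WannaCry.exe",
    r"WannaCry.exe | C:\Windows\tasksche.exe | tasksche.exe /i",
    r"tasksche.exe | C:\Windows\System32\cmd.exe | cmd /c 44651494617562.bat",
    r"cmd.exe | C:\Windows\System32\attrib.exe | attrib +h +s C:\ProgramData\$RECYCLE",
    r"cmd.exe | C:\Windows\System32\cscript.exe | cscript //nologo m.vbs",
    r"cmd.exe | C:\ProgramData\@WanaDecryptor@.exe | @WanaDecryptor@.exe co",
    r"@WanaDecryptor@.exe | C:\ProgramData\TaskData\Tor\taskhsvc.exe | TaskData\Tor\taskhsvc.exe",
    r"cmd.exe | C:\Windows\System32\vssadmin.exe | vssadmin delete shadows /all /quiet",
    r"cmd.exe | C:\Windows\System32\bcdedit.exe | bcdedit /set {default} recoveryenabled no",
    r"explorer.exe | C:\Windows\System32\notepad.exe | notepad.exe notes.txt",
]

# (rule name, regex over the command line). The WannaCry-specific patterns follow
# the command lines listed in Part 3; the last two are the assumed commands behind
# the "deletes volume snapshots" and "disables startup repair" behaviours of Part 2.
RULES = [
    ("wannacry_dropper_install", re.compile(r"\btasksche\.exe\s+/i\b", re.I)),
    ("wannacry_numeric_bat", re.compile(r"\bcmd(\.exe)?\s+/c\s+\d{8,}\.bat\b", re.I)),
    ("wannacry_hide_recycle", re.compile(r"\battrib\s+\+h\s+\+s\s+\S*\$RECYCLE\b", re.I)),
    ("wannacry_m_vbs", re.compile(r"\bcscript(\.exe)?\s+//nologo\s+m\.vbs\b", re.I)),
    ("wannacry_decryptor", re.compile(r"@WanaDecryptor@\.exe", re.I)),
    ("wannacry_tor_service", re.compile(r"TaskData\\Tor\\taskhsvc\.exe", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("startup_repair_disabled", re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
]

def scan_events(events):
    """Return [(rule_name, command_line)] for every event whose command line matches a rule."""
    hits = []
    for line in events:
        _parent, _image, cmdline = (part.strip() for part in line.split("|", 2))
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((name, cmdline))
    return hits

def triage(events, threshold=3):
    """Host-level verdict: flag the host once several distinct behaviours are seen together."""
    distinct = sorted({name for name, _ in scan_events(events)})
    return {"rules_hit": distinct, "suspect": len(distinct) >= threshold}

if __name__ == "__main__":
    for name, cmd in scan_events(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
    print(triage(SAMPLE_EVENTS))
```

The per-rule hits are useful on their own, but the host verdict requires several distinct behaviours together, which keeps a lone attrib or cscript invocation from paging anyone.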

Dissecting Its Package - Part 4

Some of the interesting strings found inside the source code and memory dump of WannaCry:

  • !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
  • https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip
  • \\172.16.99.5\IPC$ (malicious share will be opened)
  • \\192.168.56.20\IPC$ (malicious share will be opened)
  • C:\%s\qeriuwjhrf
  • C:\WannaCrya.exe
  • C@GW?M[3
  • cmd.exe /c "%s"
  • CryptImportKey
  • DisableLocalOverride
  • DisablePassport
  • diskpart.exe
  • GetAdaptersInfo
  • GetCommandLineA
  • GetComputerNameW
  • GetCPInfo
  • GetCurrentProcess
  • GetCurrentProcessId
  • GetExitCodeProcess
  • GetLastError
  • GetNativeSystemInfo
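As an added example, not from the original post: a small static-triage script in Python that pulls printable strings out of a dump and matches them against the indicators listed above (plus the kill-switch URL from Part 3). It generalises the two hard-coded IPC$ shares on the page to any \\a.b.c.d\IPC$ target; the dump bytes are constructed for the example.

```python
import re

# Indicator strings taken from Part 4 above, plus the kill-switch URL from Part 3.
KNOWN_STRINGS = [
    "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.testing",
    "https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip",
    "@WanaDecryptor@.exe",
    r"C:\%s\qeriuwjhrf",
    "DisableLocalOverride",
    "DisablePassport",
]
# Generalises the two hard-coded IPC$ shares on the page to any \\a.b.c.d\IPC$ target.
IPC_SHARE = re.compile(rb"\\\\(\d{1,3}(?:\.\d{1,3}){3})\\IPC\$")

# Constructed stand-in for a memory dump: indicator strings mixed with binary filler.
SAMPLE_DUMP = (
    b"\x00\x01MZ\x90"
    + b"\\\\172.16.99.5\\IPC$\x00" + b"\xff" * 8
    + b"https://dist.torproject.org/torbrowser/6.5.1/tor-win32-0.2.9.10.zip\x00"
    + b"GetAdaptersInfo\x00@WanaDecryptor@.exe\x00"
    + b"\\\\10.0.0.7\\IPC$\x00" + b"\x7f\x00" * 4
    + b"http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.testing\x00"
)

def printable_strings(data, min_len=6):
    """(offset, text) for every run of at least min_len printable ASCII bytes, like `strings`."""
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage_dump(data):
    """Map each indicator found in the dump to the byte offsets where it appears."""
    hits = {}
    for offset, text in printable_strings(data):
        for indicator in KNOWN_STRINGS:
            if indicator in text:
                hits.setdefault(indicator, []).append(offset + text.index(indicator))
    for m in IPC_SHARE.finditer(data):
        hits.setdefault("ipc_share:" + m.group(1).decode(), []).append(m.start())
    return hits

if __name__ == "__main__":
    for indicator, offsets in triage_dump(SAMPLE_DUMP).items():
        print(f"{indicator} at {[hex(o) for o in offsets]}")
```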
