Volatility & WannaCry

somedieyoung
Published in RIXED_LABS
4 min read · Feb 28, 2021

In today’s blog we are going to do memory analysis of the WannaCry ransomware using Volatility, an open-source memory forensics framework.

A bit about WannaCry
The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry cryptoworm, which targeted computers running Microsoft Windows, encrypting their data and demanding ransom payments in Bitcoin.

Wana Decrypt0r 2.0 Pop Up

I’ll be providing the links to the memory dump and the files we use here. Let’s start with some quick static analysis of the WannaCry binary to find basic information and the kill switch.

The executable first tries to connect to the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. If the connection succeeds, the binary exits; if it fails, the binary proceeds with the infection. This is the kill switch the author placed in the code to control the infection. Researchers later registered the domain, which activated the kill switch worldwide, and put a page on it. Note that the check is a plain HTTP connection attempt made directly, without going through the system proxy, so a machine that can only reach the internet through a proxy, or that is on an isolated network, fails the check and still gets encrypted. The same property makes the domain a useful indicator: a host that connects to it has executed the sample.

The strings in the binary show that WannaCry drops an embedded binary when it runs and creates a mutex. We can also see the command icacls . /grant Everyone:F /T /C /Q, which grants the group “Everyone” full control over the directory the sample runs from and everything under it (the “.” is the current directory, not the root of the drive). Other strings worth noting are WNcry@2ol7, which is the password for the ZIP archive embedded in the binary, and .?AVexception@@, which is not an obfuscated string at all but the MSVC RTTI type name for std::exception, a normal compiler artifact.

Memory Analysis Using Volatility

https://github.com/volatilityfoundation/volatility/wiki/Command-Reference-Mal

Let’s use Volatility to reconstruct the timeline of activity on the infected system and confirm our findings.

In the process listing, the processes with PIDs 1940 and 740 look unknown, and tasksche.exe is a name we already found in the strings of the binary during static analysis. Let’s run psscan, which scans the dump for _EPROCESS structures rather than walking the active process list, so it shows every process with its creation time, including processes that have already exited or been unlinked from the list.

tasksche.exe has several child processes, among them taskse.exe and taskdl.exe. Sorting these processes by creation time gives a better idea of how they were started.
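Here is an added example (written for this post, not part of the original analysis or of Volatility itself) that does the sorting described above programmatically: it parses the text table that Volatility 2’s psscan prints, orders processes by creation time, walks the tree under tasksche.exe, and flags rows whose parent is missing from the scan or that ran for only a second. The psscan output embedded in it is constructed for the example; the PIDs, offsets and timestamps are invented and are not taken from the dump analysed in this post.

```python
import re
from datetime import datetime

# Constructed sample of Volatility 2 `psscan` output, written for this example.
# It is NOT the dump analysed in the post: offsets, PIDs and timestamps are invented.
# Two things to notice: tasksche.exe has PPID 740 but no row with PID 740 exists
# (the parent is gone), and taskdl.exe / cmd.exe carry a "Time exited" value,
# which pslist would not show because they are no longer in the active list.
PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB        Time created                   Time exited
------------------ ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x000000003e3d8020 System                4      0 0x00185000 2017-05-12 21:19:41 UTC+0000
0x000000003f1c5d40 explorer.exe       1468   1404 0x3ea2c0a0 2017-05-12 21:20:15 UTC+0000
0x000000003e6b8030 tasksche.exe       1940    740 0x3fc8a020 2017-05-12 21:22:10 UTC+0000
0x000000003e52a7e0 taskdl.exe         2204   1940 0x3fc8a0c0 2017-05-12 21:22:13 UTC+0000   2017-05-12 21:22:14 UTC+0000
0x000000003e4e0a30 cmd.exe            2216   1940 0x3fc8a0e0 2017-05-12 21:22:13 UTC+0000   2017-05-12 21:22:14 UTC+0000
0x000000003e4f1a30 taskse.exe         2240   1940 0x3fc8a100 2017-05-12 21:22:15 UTC+0000
"""

# One psscan row: offset, name, PID, PPID, PDB, creation time, optional exit time.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<pdb>0x[0-9a-fA-F]+)\s+(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC\+0000"
    r"(?:\s+(?P<exited>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC\+0000)?\s*$"
)
TS = "%Y-%m-%d %H:%M:%S"


def parse_psscan(text):
    """Turn psscan's text table into a list of dicts; header and separator rows are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        procs.append({
            "name": d["name"],
            "pid": int(d["pid"]),
            "ppid": int(d["ppid"]),
            "created": datetime.strptime(d["created"], TS),
            "exited": datetime.strptime(d["exited"], TS) if d["exited"] else None,
        })
    return procs


def creation_order(procs):
    """Process names in the order they were created (ties broken by PID)."""
    return [p["name"] for p in sorted(procs, key=lambda p: (p["created"], p["pid"]))]


def descendants(procs, root_pid):
    """PIDs of every process spawned directly or indirectly by root_pid."""
    by_parent = {}
    for p in procs:
        by_parent.setdefault(p["ppid"], []).append(p["pid"])
    found, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        for child in by_parent.get(pid, []):
            if child not in found:
                found.add(child)
                stack.append(child)
    return found


def missing_parents(procs):
    """PID -> PPID for processes whose parent appears nowhere in the scan (PPID 0 excluded).
    A parent that exited and whose _EPROCESS was overwritten is the usual cause; for a
    dropper this is the gap you fill from other artefacts (cmdline, strings, the binary)."""
    known = {p["pid"] for p in procs}
    return {p["pid"]: p["ppid"] for p in procs if p["ppid"] and p["ppid"] not in known}


def short_lived(procs, max_seconds=5):
    """Processes that started and exited within max_seconds: typical for helper tools a
    dropper runs once, such as taskdl.exe or a cmd.exe running icacls."""
    return [p["name"] for p in procs
            if p["exited"] and (p["exited"] - p["created"]).total_seconds() <= max_seconds]


if __name__ == "__main__":
    procs = parse_psscan(PSSCAN_OUTPUT)
    print("creation order:", creation_order(procs))
    print("spawned by tasksche.exe:", sorted(descendants(procs, 1940)))
    print("parent missing from scan:", missing_parents(procs))
    print("short-lived:", short_lived(procs))
```

To use it on a real dump, save the plugin output with `vol.py -f <dump> --profile=<profile> psscan > psscan.txt` and pass the file contents to parse_psscan; the regex expects the Volatility 2 column layout shown in the sample.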

Order of Creation

tasksche.exe was created first and spawned the other processes. We can run the dlllist command (dlllist -p <PID>) to check the DLLs loaded by a given process.

The loaded DLLs line up with what the strings suggested: Ws2_32.dll (Winsock, for creating sockets), WININET.DLL (high-level HTTP, used for the kill-switch check), ADVAPI32.DLL (registry access, service control and the CryptoAPI functions used for key generation and file encryption), Secur32.dll (SSPI authentication; it is not what does the file encryption) and URLMON.DLL (URL handling, the library Internet Explorer uses). On their own these imports prove nothing, since plenty of legitimate software loads the same set; what makes them suspicious here is the combination with an unknown binary running out of a ProgramData folder and spawning its own helper processes.

Mutex Creation

The mutex makes sure an already infected computer is not infected a second time: its presence signals that a copy of WannaCry is already active on the system.

tasksche.exe reads the computer name and derives a pseudo-random folder name from it (as the screenshots above show). It then copies itself to C:\ProgramData\<DerivedName>\tasksche.exe and tries to install and start that copy as a service. Before doing its work it checks for a global mutex named Global\MsWinZonesCacheCounterMutexA; if the mutex already exists, tasksche.exe exits. In a memory dump this shows up as a Mutant handle owned by the tasksche.exe process, so a handles -t Mutant listing is a quick way to confirm the infection. The same check is what the well-known “vaccine” trick relies on: pre-creating the mutex stops the dropper before it encrypts anything.
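As an added example (not from the post and not Volatility code), the mutex check can be confirmed from the dump by scanning Volatility 2’s handles -t Mutant output for the WannaCry mutex name and reporting which PIDs hold it. The handles output embedded below is constructed for the example: offsets, PIDs and the benign mutex names are invented, and the blank Details row stands in for an unnamed mutant.

```python
import re

# Constructed sample of Volatility 2 `handles -t Mutant` output, written for this
# example; it is not taken from the dump analysed in the post. Offsets, PIDs and the
# explorer.exe mutex name are invented. Volatility prints the mutex name without the
# Global\ prefix, so the indicator below matches on the bare name.
HANDLES_OUTPUT = """\
Offset(V)          Pid             Handle             Access Type             Details
------------------ ------ ------------------ ------------------ ---------------- -------
0x8551d7f8           1940               0x84           0x1f0001 Mutant           MsWinZonesCacheCounterMutexA
0x8549b110           1468              0x2f0           0x1f0001 Mutant           ExplorerIsShellMutex
0x854a1000           1468              0x1a8           0x1f0001 Mutant
0x854c0d28           2240               0x70           0x1f0001 Mutant           ShellReadyEvent
"""

# One handles row: offset, PID, handle value, access mask, object type, details (name).
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<pid>\d+)\s+(?P<handle>0x[0-9a-fA-F]+)\s+"
    r"(?P<access>0x[0-9a-fA-F]+)\s+(?P<type>\S+)\s*(?P<details>.*?)\s*$"
)

# Known WannaCry mutex indicator. The trailing \d* also catches the numbered variant
# some components create; treat that widening as an assumption of this example.
WANNACRY_MUTEX_IOCS = (re.compile(r"^MsWinZonesCacheCounterMutexA\d*$"),)


def parse_mutants(text):
    """Rows of type Mutant from `handles` output as {pid, name} dicts (name may be empty)."""
    out = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m and m.group("type") == "Mutant":
            out.append({"pid": int(m.group("pid")), "name": m.group("details")})
    return out


def match_iocs(mutants, patterns=WANNACRY_MUTEX_IOCS):
    """(pid, name) pairs whose mutex name matches a known indicator."""
    return [(m["pid"], m["name"]) for m in mutants
            if m["name"] and any(p.search(m["name"]) for p in patterns)]


def infected_pids(mutants, patterns=WANNACRY_MUTEX_IOCS):
    """Sorted PIDs that own a matching mutex; these are the processes to dump and triage."""
    return sorted({pid for pid, _ in match_iocs(mutants, patterns)})


def mutants_for_pid(mutants, pid):
    """All named mutexes owned by one PID, for eyeballing names you have not seen before."""
    return sorted(m["name"] for m in mutants if m["pid"] == pid and m["name"])


if __name__ == "__main__":
    mutants = parse_mutants(HANDLES_OUTPUT)
    print("WannaCry mutex holders:", infected_pids(mutants))
    print("mutexes of PID 1940:", mutants_for_pid(mutants, 1940))
```

In practice run `vol.py -f <dump> --profile=<profile> handles -t Mutant > mutants.txt` and feed the file to parse_mutants; a hit tells you which process to target with procdump and malfind next.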

I will leave the analysis here and look at the next part in an upcoming blog. The links to the memory files and tools used are given below.

https://github.com/volatilityfoundation/volatility/

Thanks ❤, happy learning! If you find anything that needs correcting, feel free to drop me a DM.

Blog by Nerd of AX1AL, join our discord server.
