WannaCry Ransomware Malware Analysis

Author: MRxO1 (DEV Community)

The WannaCry sample used for this analysis was obtained from the PMAT labs repository, which packages it for educational and research purposes.

Sample Source:
https://github.com/HuskyHacks/PMAT-labs/tree/main/labs/4-1.Bossfight-wannacry.exe


Analysis Approach

To understand the behavior of the malware, both static and dynamic analysis techniques were used.

Static Analysis

Static analysis involves examining the malware without executing it. This helps identify:

  • Embedded strings
  • Suspicious imports
  • Hardcoded domains
  • Encryption routines
  • Indicators of compromise

This stage provides an initial understanding of what the malware is capable of doing.

Dynamic Analysis

Dynamic analysis involves executing the malware inside a controlled and isolated environment (such as a virtual machine or sandbox). This allows us to observe:

  • File system changes
  • Network activity
  • Process creation
  • Persistence mechanisms

This step confirms whether the behaviors seen in static analysis actually occur during execution.


Executive Summary

SHA256:
A6AA84358130078F9455773AF1E9EF2C7710934F72DF8514C9A62ABEB83D2E81

The analyzed sample is a ransomware dropper: once executed it unpacks and launches further components, encrypts files on the system and attempts to spread laterally to other hosts over SMB.

Symptoms and Indicators of Infection

After successful execution:

  • Files are encrypted and renamed with the .wncry extension.
  • The desktop wallpaper is replaced with a ransom message.
  • Two files appear on the desktop:

    • @Please_Read_Me@.txt – the ransom instructions.
    • @WanaDecryptor@.exe – the decryptor and payment interface shown to the victim.
  • A suspicious executable appears in %APPDATA%.

These are clear signs of a successful ransomware detonation.

Static Analysis – String Examination

Static string analysis was performed using FLOSS.

Execution Indicator

The DOS stub message present in every PE file:

This program cannot be run in DOS mode.

On its own this only confirms that the file is a Windows executable; it is not an indicator of malice.

Kill Switch Domain

A hardcoded domain was discovered:

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

This domain acts as a kill switch: the sample requests it before doing anything else, and a successful response stops execution (see Detonation Conditions below).


Cryptographic Functions

Strings showed usage of the Windows CryptoAPI:

Microsoft Enhanced RSA and AES Cryptographic Provider
CryptGenKey
CryptDecrypt
CryptEncrypt
CryptDestroyKey
CryptImportKey
CryptAcquireContextA

These indicate that the malware performs file encryption with built-in Windows cryptographic functions rather than a custom routine. The combination of CryptImportKey (loading a key that ships inside the binary) and CryptGenKey (generating fresh keys at runtime) is the usual pattern of a hybrid scheme in which locally generated file-encryption keys are protected by an embedded public key, which is why the keys cannot be recovered from the binary alone.


Multilingual Ransom Notes

The malware contains multiple language files for the ransom note:

msg/m_italian.wnry
msg/m_japanese.wnry
msg/m_korean.wnry
msg/m_latvian.wnry

This suggests the malware was intended for global distribution rather than a single target region.


Other Notable Strings

tasksche.exe
icacls . /grant Everyone:F /T /C /Q
attrib +h .
WNcry@2ol7
\\192.168.56.20\IPC$

What these strings indicate:

  • tasksche.exe – the name under which the dropped component is written to disk.
  • icacls . /grant Everyone:F /T /C /Q – recursively and quietly grants Everyone full control of the working directory, so encryption does not fail on permission errors.
  • attrib +h . – hides the working directory (it does not create it).
  • WNcry@2ol7 – the password for the ZIP archive embedded in the dropper, from which the other components are extracted.
  • \\192.168.56.20\IPC$ – an SMB IPC$ share path; IPC$ is the named-pipe share used during network propagation.

Import Analysis Using PEStudio

PEStudio was used to examine imported Win32 APIs.

This revealed functionality related to:

  • Encryption
  • File operations
  • Network communication
  • Command execution

This confirms that the malware is capable of:

  • Encrypting files
  • Spreading across the network
  • Establishing persistence

Detonation Conditions (Kill Switch Logic)

Before executing its payload, WannaCry attempts to contact the kill switch domain.

Behavior Logic

  1. The malware sends an HTTP request to the domain.
  2. If the request succeeds (the domain resolves and answers), the malware terminates.
  3. If the request fails (no resolution or no response), the malware continues execution.

Lab Consideration

To allow detonation during analysis:

  • Internet simulation tools such as INetSim must be disabled for this sample, since they resolve and answer any HTTP request.
  • Otherwise the sample sees a successful response, treats it as the kill switch, and exits before encrypting anything.

Network-Based Indicators

Kill Switch Communication

The malware attempts to reach:

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

A successful connection stops execution; in the lab the request must fail for the payload to run.


Local Listener on Port 9050

Observed process:

taskhsvc.exe

Port 9050 is the default Tor SOCKS port, and taskhsvc.exe is the bundled Tor client dropped into the staging directory. This suggests:

  • Anonymous communication with the operators' hidden services
  • Payment verification via the Tor network

SMB Propagation Behavior

WannaCry generates a large number of SMB connection attempts to TCP port 445, sweeping the local subnet as well as random external addresses.

Observed actions:

  • Connecting to \\<IP>\IPC$
  • Using named pipes over the IPC$ share
  • Authenticating with anonymous (null-session) credentials; no password brute force is involved

This behavior aligns with exploitation of EternalBlue, the SMBv1 vulnerability patched by MS17-010.

This allows the ransomware to spread to unpatched machines without any user interaction.

Host-Based Indicators

Using Procmon, a suspicious process was identified:

tasksche.exe

Observed actions:

  • Writing the dropped components to disk
  • Modifying file attributes (attrib +h)
  • Installing the service that provides persistence (described below)

The name tasksche.exe only imitates a Windows scheduler component; persistence comes from the service, not from a scheduled task.

File System Activity

The malware creates a hidden directory:

C:\ProgramData\<random_folder>\

This directory contains:

  • Payloads extracted from the password-protected embedded archive
  • Configuration files
  • Executables (including the decryptor and the Tor client)

It acts as a staging area for the ransomware.

(Screenshot in the original post: the newly created directory.)

Persistence Mechanism

A new Windows service is created using the same name as the random folder.

Purpose:

  • Execute malware on every reboot
  • Maintain persistence even after process termination
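The network and host indicators above (ACL weakening, the hidden staging directory, ransom-note and .wncry artifacts, the service named after the random folder, the Tor SOCKS listener on 9050 and the port-445 sweep) can be turned into detection logic. The script below is an added example, not code from the original post: it runs a small rule set over a constructed, Sysmon-like event list that imitates what Procmon and the packet capture showed during detonation. The field names, the folder name "pwlkqxzfjab", the IP range and the thresholds are assumptions made for this example; a real Sysmon or Procmon export needs to be mapped to this shape first.

```python
"""Detection logic for the WannaCry host and network indicators.

Added example, not code from the original post. EVENTS is a constructed
stream (not a real capture); field names and the random folder name are
assumptions for the example.
"""
from collections import defaultdict
from typing import Dict, List, Set

Event = Dict[str, object]

RANDOM_DIR = r"C:\ProgramData\pwlkqxzfjab"   # constructed stand-in for <random_folder>
DROPPER = r"C:\Windows\tasksche.exe"

# Constructed event stream. "t" is seconds since detonation.
EVENTS: List[Event] = [
    {"t": 0, "type": "process", "image": DROPPER,
     "cmdline": "icacls . /grant Everyone:F /T /C /Q"},
    {"t": 1, "type": "process", "image": DROPPER, "cmdline": "attrib +h ."},
    {"t": 2, "type": "file", "image": DROPPER, "path": RANDOM_DIR + r"\taskhsvc.exe"},
    {"t": 3, "type": "service", "image": DROPPER, "name": "pwlkqxzfjab",
     "binpath": 'cmd.exe /c "' + RANDOM_DIR + r'\tasksche.exe"'},
    {"t": 4, "type": "file", "image": DROPPER,
     "path": r"C:\Users\lab\Desktop\@Please_Read_Me@.txt"},
    {"t": 4, "type": "file", "image": DROPPER,
     "path": r"C:\Users\lab\Documents\budget.xlsx.WNCRY"},
    {"t": 5, "type": "listen", "image": RANDOM_DIR + r"\taskhsvc.exe", "port": 9050},
]
# One SMB connection attempt per host across part of a /24, a few per second.
EVENTS += [{"t": 6 + i // 8, "type": "netconn", "image": DROPPER,
            "dst": f"10.0.0.{i}", "port": 445} for i in range(1, 65)]


def detect(events: List[Event], scan_threshold: int = 20,
           window: int = 10) -> Dict[str, List[str]]:
    """Map alert name -> evidence strings for every rule that fired."""
    alerts: Dict[str, List[str]] = defaultdict(list)
    smb: Dict[str, List] = defaultdict(list)   # image -> [(t, dst), ...]

    for e in sorted(events, key=lambda x: x["t"]):
        kind = e["type"]
        if kind == "process":
            cl = str(e["cmdline"]).lower()
            if "icacls" in cl and "everyone:f" in cl:
                alerts["acl_weakening"].append(cl)
            if cl.startswith("attrib") and "+h" in cl.split():
                alerts["hidden_directory"].append(cl)
        elif kind == "file":
            p = str(e["path"]).lower()
            if p.endswith(".wncry") or p.endswith("@please_read_me@.txt"):
                alerts["ransom_artifact"].append(str(e["path"]))
        elif kind == "service":
            # Persistence: a service whose name is also a folder under
            # ProgramData that holds the service binary.
            marker = r"\programdata\%s" % str(e["name"]).lower()
            if marker in str(e["binpath"]).lower():
                alerts["service_persistence"].append(str(e["name"]))
        elif kind == "listen" and e["port"] == 9050:
            alerts["tor_socks_listener"].append(str(e["image"]))
        elif kind == "netconn" and e["port"] == 445:
            smb[str(e["image"])].append((e["t"], e["dst"]))

    # SMB sweep: many distinct 445/tcp destinations from one image
    # inside `window` seconds.
    for image, conns in smb.items():
        for i, (t0, _) in enumerate(conns):
            dsts: Set[str] = {d for t, d in conns[i:] if t - t0 <= window}
            if len(dsts) >= scan_threshold:
                alerts["smb_sweep"].append(f"{image}: {len(dsts)} hosts in {window}s")
                break
    return dict(alerts)


if __name__ == "__main__":
    for name, evidence in detect(EVENTS).items():
        print(f"[{name}] {evidence[0]}")
```

The service rule keys on the relationship the post describes (service name equals the random ProgramData folder) rather than on any fixed name, since the folder is randomized per infection; the SMB rule uses a sliding window so a single slow management tool touching 445 does not trip it.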

Kill Switch Mechanism – Debugger Analysis

During debugging, the following execution flow was observed:

  1. The kill switch URL is loaded into ESI.
  2. The value is moved to EAX.
  3. It is passed to the InternetOpenUrlA API (WinINet).
  4. The returned handle is stored in EDI.

(Screenshot in the original post: the main function of WannaCry.)

Decision Logic

If EDI == 0

  • InternetOpenUrlA returned NULL: the connection failed
  • Malware continues execution

If EDI != 0

  • A valid handle was returned: the connection succeeded
  • Malware terminates

Payload Execution

If the kill switch request fails (EDI == 0), the function named

fcn.00408090

in Cutter is called, initiating:

  • File encryption
  • Network propagation

Manipulating the Kill Switch in the Debugger

By manually setting EDI to a non-zero value after the InternetOpenUrlA call returned:

  • A successful kill switch response was simulated.
  • The malware exited immediately.
  • Encryption and propagation were prevented.

This confirms the kill switch is hardcoded into the execution logic: the decision depends only on whether the HTTP request succeeds, not on the content of the response. The register patch affects the current run only; a sample whose domain is unreachable from the victim network, or one rebuilt without the check, is not stopped by it.


Tools Used

  • Cutter (Radare2) – Static analysis
  • x32dbg – Dynamic debugging
  • Procmon – Process and file activity
  • PEStudio – Import analysis
  • FLOSS – String extraction

YARA Detection Rule

rule WannaCry_Simple_PMAT
{
    meta:
        description = "Detects WannaCry ransomware - based on PMAT by TCM"
        author = "MRxO1"
        reference = "PMAT - Practical Malware Analysis & Triage"
        date = "2025-04-25"
        malware_family = "WannaCry"

    strings:
        $s1 = "http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" ascii
        $s2 = "tasksche.exe" ascii
        $s3 = "WNcry@2ol7" ascii
        $s4 = "Ooops, your files have been encrypted!" ascii nocase
        $s5 = "icacls . /grant Everyone:F /T /C /Q" ascii
        $s6 = "msg/m" ascii

    condition:
        uint16(0) == 0x5A4D and
        4 of ($s*)
}
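The string examination above and the YARA rule express the same triage step, so here is one added example (not code from the original post or from the PMAT labs) that does both in plain Python: a FLOSS-style ASCII string extractor plus an indicator matcher that applies exactly the rule's condition (MZ header and at least four of the listed strings). SAMPLE and BENIGN are constructed byte blobs, not real binaries. The BENIGN blob quotes the kill-switch URL the way a report would, which is why $s1 alone is not a safe match and the rule anchors on the MZ header.

```python
"""Static string triage for a suspected WannaCry sample.

Added example (not from the original post or the PMAT labs). SAMPLE and
BENIGN are constructed stand-ins, not real binaries.
"""
import re
from typing import Dict, List

# Indicator strings taken from the string examination and the YARA rule.
# The ransom-note string is matched case-insensitively, like `nocase`.
INDICATORS: Dict[str, bytes] = {
    "killswitch_url": b"http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    "dropper_name": b"tasksche.exe",
    "zip_password": b"WNcry@2ol7",
    "ransom_note": b"ooops, your files have been encrypted!",
    "acl_change": b"icacls . /grant Everyone:F /T /C /Q",
    "lang_files": b"msg/m",
}
NOCASE = {"ransom_note"}

CRYPTO_APIS = [b"CryptAcquireContextA", b"CryptGenKey", b"CryptImportKey",
               b"CryptEncrypt", b"CryptDecrypt", b"CryptDestroyKey"]


def extract_strings(data: bytes, min_len: int = 5) -> List[str]:
    """Return printable ASCII runs of at least min_len bytes (FLOSS-style)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def match_indicators(data: bytes) -> Dict[str, bool]:
    """Which named indicators are present in the raw bytes."""
    lowered = data.lower()
    return {
        name: (pat in lowered) if name in NOCASE else (pat in data)
        for name, pat in INDICATORS.items()
    }


def crypto_api_refs(data: bytes) -> List[str]:
    """CryptoAPI names referenced by the sample (import-table hints)."""
    return [api.decode() for api in CRYPTO_APIS if api in data]


def matches_rule(data: bytes, threshold: int = 4) -> bool:
    """Same condition as the YARA rule: uint16(0) == 0x5A4D and 4 of ($s*)."""
    is_pe = data[:2] == b"MZ"          # 0x5A4D read little-endian
    hits = sum(match_indicators(data).values())
    return is_pe and hits >= threshold


def triage(data: bytes) -> Dict[str, object]:
    hits = match_indicators(data)
    return {
        "is_pe": data[:2] == b"MZ",
        "indicators": [n for n, h in hits.items() if h],
        "crypto_apis": crypto_api_refs(data),
        "yara_equivalent": matches_rule(data),
    }


# Constructed stand-in for the dropper: a fake MZ header, the DOS stub text,
# and a handful of the indicators separated by NUL padding.
SAMPLE = b"MZ" + b"\x00" * 62 + b"\x00".join([
    b"This program cannot be run in DOS mode.",
    b"http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
    b"tasksche.exe",
    b"WNcry@2ol7",
    b"Ooops, your files have been encrypted!",
    b"icacls . /grant Everyone:F /T /C /Q",
    b"CryptAcquireContextA", b"CryptGenKey", b"CryptImportKey", b"CryptEncrypt",
    b"msg/m_italian.wnry",
])

# Constructed benign blob: an analyst note that quotes the kill-switch URL
# but is not a PE, so the rule must not fire on it.
BENIGN = b"Analyst note: sinkholed http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        print(label, triage(blob))
```

Run it on a real file with `triage(open(path, "rb").read())`; the output lists which of the rule's strings were found and which CryptoAPI names appear, which is the same information the FLOSS and PEStudio passes above produced by hand.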

References

  • PMAT – Practical Malware Analysis & Triage
  • Microsoft MS17-010 Security Bulletin
