Vin Ransomware Blog02

This article continues the previous post: further investigation of the sample has been carried out, and the findings are reported here.

Sample : 593bbcc8f34047da9960b8456094c0eaf69caaf16f1626b813484207df8bd8af

The sample has all three Bitcoin addresses hard-coded in the malware. All three wallet addresses are embedded so that, in case one address cannot receive the payment, the other wallet addresses can be used instead.

[Image: Hardcoded Bitcoin wallet addresses]


The Bitcoin wallet addresses found are as follows:

- 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
- 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
- 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

The malware modifies file permissions so that all users on the infected machine have elevated privileges on the affected files. By doing so, the malware can carry out further actions such as erasing the Shadow Copies, which we discussed earlier.

[Image: Command to elevate the permissions for Everyone]


The encryption logic code is as follows:

[Image: Encryption call with the corresponding file extensions that are targeted]


The malware starts its encryption process and deletes the encryption key only after the encryption procedure has completed successfully. The “CryptAcquireco” call is used so that the malware encrypts only those files whose extension is present in the list embedded in the malware.
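Because the sample only touches files whose extension is on its built-in list, a process that suddenly writes to many distinct document files is a useful behavioural signal on the defender's side. The following is an added example, not code from the original post: it counts, per process, the distinct target-extension files written inside a sliding time window and raises an alert once a threshold is crossed. The extension set `TARGET_EXTENSIONS`, the log format and the `SAMPLE_EVENTS` lines are all constructed for this example; the malware's real extension list is not reproduced here.

```python
"""Behavioural detector for a process writing to many document files at once.

Added example, not code from the original post.  The sample above encrypts only
files whose extension is in its built-in list, so one cheap detection is to
count, per process, how many distinct files with such extensions are written
inside a short sliding window.  TARGET_EXTENSIONS and SAMPLE_EVENTS are
constructed for this example; the malware's real list is not reproduced here.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed set of user-document extensions; a real deployment would use the
# family's actual list or a broad "user data" list.
TARGET_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".txt"}

# Constructed file-write events, "<ISO timestamp>|<pid>|<image>|<path>".
# pid 5524 behaves like an encryptor; 4120 and 7000 are benign background noise.
SAMPLE_EVENTS = r"""
2017-05-12T10:00:00|4120|C:\Windows\explorer.exe|C:\Users\alice\Desktop\notes.txt
2017-05-12T10:00:01|5524|C:\Users\alice\AppData\Local\Temp\suspect.exe|C:\Users\alice\Documents\q1.xlsx
2017-05-12T10:00:01|5524|C:\Users\alice\AppData\Local\Temp\suspect.exe|C:\Users\alice\Documents\report.docx
2017-05-12T10:00:02|5524|C:\Users\alice\AppData\Local\Temp\suspect.exe|C:\Users\alice\Documents\invoice.pdf
2017-05-12T10:00:02|5524|C:\Users\alice\AppData\Local\Temp\suspect.exe|C:\Users\alice\Pictures\holiday.jpg
2017-05-12T10:00:03|5524|C:\Users\alice\AppData\Local\Temp\suspect.exe|C:\Users\alice\Documents\budget.xls
2017-05-12T10:00:03|5524|C:\Users\alice\AppData\Local\Temp\suspect.exe|C:\Users\alice\Desktop\todo.txt
2017-05-12T10:00:05|7000|C:\Program Files\Backup\backup.exe|C:\Backups\2017-05-12.bak
2017-05-12T10:02:00|7000|C:\Program Files\Backup\backup.exe|C:\Users\alice\Documents\a.pdf
2017-05-12T10:05:00|7000|C:\Program Files\Backup\backup.exe|C:\Users\alice\Documents\b.pdf
"""


def parse_event(line):
    """Split one log line into (timestamp, pid, image, path)."""
    ts, pid, image, path = line.split("|", 3)
    return datetime.fromisoformat(ts), int(pid), image, path


def has_target_extension(path):
    """True when the file's extension is one the detector cares about."""
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in TARGET_EXTENSIONS


def find_bursty_writers(lines, threshold=5, window=timedelta(seconds=10)):
    """Return {pid: (image, distinct_files, first_alert_time)} for every
    process that writes `threshold` or more distinct target files within `window`."""
    recent = defaultdict(deque)  # pid -> (timestamp, path) events still inside the window
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        ts, pid, image, path = parse_event(line)
        if not has_target_extension(path):
            continue
        events = recent[pid]
        events.append((ts, path))
        # Drop events that have fallen out of the sliding window.
        while events and ts - events[0][0] > window:
            events.popleft()
        distinct = {p for _, p in events}
        if len(distinct) >= threshold and pid not in alerts:
            alerts[pid] = (image, len(distinct), ts)
    return alerts


if __name__ == "__main__":
    for pid, (image, count, when) in find_bursty_writers(SAMPLE_EVENTS.splitlines()).items():
        print(f"ALERT pid={pid} image={image} wrote {count} document files by {when.time()}")
```

The backup process in the sample data touches the same kinds of files but spread over minutes, so it never crosses the threshold inside the window; tuning `threshold` and `window` against the normal write rate of legitimate tools on a host is the main piece of work when deploying a detector like this.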

Connection with TOR:

[Image: Tor folder being accessed]

[Image: “tor.exe” being dropped]

The ransomware needs to verify the victim's payment and, once the payment is verified, obtain the key for decrypting the files. For this communication the ransomware makes use of the TOR service. The tor.exe is accessed in the manner shown in the image, in the following format:

[Image: path used to access “tor.exe”]

The path where the “tor.exe” is located is therefore “/TaskData/Tor/tor.exe”.
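The three behaviours described on this page (granting Everyone elevated permissions, deleting the Shadow Copies, and launching tor.exe from the TaskData/Tor directory) all leave a trace in process-creation telemetry. The following is an added example, not code from the original post: a small rule set applied to constructed process-creation records. The directory name TaskData\Tor comes from the post; the exact icacls and vssadmin command lines, the log format and the `SAMPLE_LOG` lines are assumptions made for the example, since the post shows the commands only as screenshots.

```python
"""Command-line rules for the sample's privilege, shadow-copy and Tor behaviour.

Added example, not code from the original post.  It scans constructed
process-creation records for the three behaviours described above: granting
Everyone full control with icacls, deleting Volume Shadow Copies, and running
tor.exe from a TaskData\\Tor directory.  The exact command lines and the log
format are assumptions for the example (the post shows the commands only as
screenshots); the directory name TaskData\\Tor is taken from the post.
"""
import re

# Each rule: (name, compiled regex applied to "<image> <command line>").
RULES = [
    ("acl_grant_everyone",
     re.compile(r"\bicacls\b.*?/grant\s+everyone:", re.I)),
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b"
                r"|\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("tor_from_taskdata",
     re.compile(r"taskdata[\\/]tor[\\/]tor\.exe", re.I)),
]

# Constructed process-creation log, "<ISO timestamp>|<parent image>|<image>|<command line>".
# The first three lines are ordinary admin and Tor Browser activity; the last
# three mirror the sequence the sample performs.
SAMPLE_LOG = r"""
2017-05-12T09:30:00|C:\Windows\explorer.exe|C:\Windows\System32\icacls.exe|icacls C:\share /grant alice:(R)
2017-05-12T09:31:00|C:\Windows\explorer.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
2017-05-12T09:32:00|C:\Windows\explorer.exe|C:\Users\alice\Desktop\Tor Browser\Browser\TorBrowser\Tor\tor.exe|tor.exe -f torrc
2017-05-12T10:00:04|C:\Users\alice\AppData\Local\Temp\suspect.exe|C:\Windows\System32\icacls.exe|icacls . /grant Everyone:F /T /C /Q
2017-05-12T10:00:05|C:\Users\alice\AppData\Local\Temp\suspect.exe|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet
2017-05-12T10:00:06|C:\Users\alice\AppData\Local\Temp\suspect.exe|C:\Users\alice\AppData\Local\Temp\TaskData\Tor\tor.exe|TaskData\Tor\tor.exe
"""


def parse_record(line):
    """Split one record into (timestamp, parent image, image, command line)."""
    ts, parent, image, cmdline = line.split("|", 3)
    return ts, parent, image, cmdline


def match_rules(image, cmdline):
    """Names of every rule that fires for one process-creation record."""
    haystack = f"{image} {cmdline}"
    return [name for name, rx in RULES if rx.search(haystack)]


def scan(lines):
    """Return one hit per record that triggers at least one rule."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        ts, parent, image, cmdline = parse_record(line)
        rules = match_rules(image, cmdline)
        if rules:
            hits.append({"time": ts, "parent": parent, "image": image, "rules": rules})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["time"], ",".join(hit["rules"]), hit["image"], "(parent:", hit["parent"] + ")")
```

Each hit keeps the parent image, which is what ties the three events together: an ordinary Tor Browser or a routine `icacls` grant to a named user does not fire, while all three suspicious records share the same unsigned parent in a temp directory.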

 
