WannaCry Encryption Flow


Encryption Flow
Generating RSA Key pair
Sample generates RSA public and private key pair and export them to disk.



Public RSA key is written in file 00000000.pky and private RSA key is encrypted with another public RSA key embedded in malware binary and written to file 00000000.eky.

Embedded Public RSA key in sample used to encrypt generated private RSA key.











File Enumeration
Enumerate Files in a Directory using Windows API’s FindFirstFile and FindNextFile.
Before encrypting file in a directory, malware checks for list of directories and files to be excluded.

Directories to Exclude




























File Extensions to Exclude


















Exclude Files Dropped by Malware















File Types to Encrypt
File types to be encrypted is present as hard coded list in malware binary.





































Str2 is extension from hard coded list in malware binary.
Str1 is extension of the file to be checked against hard coded list.







































 Key Generation
Random key at Run Time

If extension of the file is found in hard coded list then malware generates a Random key of size 0x10 (16) bytes using cryptography provider type 0x18(24) PROV_RSA_AES.
















Random Key highlighted in red.









Encrypting Random Key
After performing operation on generated Random key which will be later used to encrypt content of file, malware encrypts the Random key with one public RSA key it has generated and written to file 00000000.pky.









After encryption the size of encrypted random key is 0x100(256) bytes.
















Encrypting File

 Create New File
Malware creates a new file with name “original_file.old_extension.WNCRYT”.
Malware writes below information to the file created above.
  1. WANACRY! - Malware Magic Byte – 8 bytes
  2. ENCRYPTED RANDOM KEY LENGTH - 0x100(256) bytes.
  3. KEY BYTES - Encrypted Random key bytes of size in point 2.
  4. UNKNOW  - dword value 0x44 bytes 
  5. ORIGINAL FILE SIZE -  8 bytes
  6. DATA – Encrypted bytes of size in point  5


































Encrypting Original file data and writing encrypted data to file “original_file.old_extension.WNCRYT















Destination Buffer containing encrypted file content.










Encrypted file “original_file.old_extension.WNCRYT” content after encryption is completed.






































Set time of encrypted file to time of original file.
Moving encrypted file “original_file.old_extension.WNCRYT” to  “original_file.old_extension.WNCRY








Comments

  1. Aman Malhotra30 January 2018 at 22:29

    This is great observation. Similarly,if you want to encrypt your messages or want to prevent your conversation from the unauthorized access you may use an EnKryptonite app.
    You may download this app from:
    https://goo.gl/3BvS1f and PlayStore https://goo.gl/EjBups

    ReplyDelete
  2. siqing chen12 February 2020 at 04:03

    I was searching for loan to sort out my bills& debts, then i saw comments about Blank ATM Credit Card that can be hacked to withdraw money from any ATM machines around you . I doubted thus but decided to give it a try by contacting {skylinktechnes@yahoo.com} they responded with their guidelines on how the card works. I was assured that the card can withdraw $5,000 instant per day & was credited with $50,000 so i requested for one & paid the delivery fee to obtain the card, i was shock to see the UPS agent in my resident with a parcel{card} i signed and went back inside and confirmed the card work's after the agent left. This is no doubts because i have the card & has made used of the card. This hackers are USA based hackers set out to help people with financial freedom!! Contact these email if you wants to get rich with this Via email skylinktechnes@yahoo.com or whatsapp: +1(213)785-1553

    ReplyDelete
  3. Jacob2 March 2023 at 12:36

    Very Fresh, Legit & Genuine Stuff available now
    Freshly spammed from HIGH INCOME Databases
    USA, UK, Canada States available
    All info included SSN/SIN DOB DL
    Fullz will be high credit scores 680 to 700+
    Stuff will be fresh, never sold before

    +92 3.1.7 2.7.2 1.1.2.2 WhatsApp/Tele-gram
    7.5.2.8.2.2.0.4.0 I.C.Q
    @peeterhacks Skype&WickrMe
    exploit dot tools4u at gmail dot com

    CC FULLZ with CVV's
    DUMPS with Pins
    Combos
    Logs
    Office365 Emails & Logs
    Spamming Tools & Tutorials (SMTP's, RDP's, C-panels, Brutes, Scripting, etc)
    Ha-cking stuff with complete tools, Guides, Ebooks & guidance
    Carding fresh Methods, Loan Methods, Carding Cash-out Methods
    Carding Tutorials, Transfers, top-up's
    Kali Linux with Termex & Python
    Keyloggers, Shells, RAT's
    I.p's, Proxies, Server I.p's

    Many other stuff we can provide on demand
    Here we're

    @killhacks ICQ&Tele.gram
    +92 317272 1122 WhatsApp

    ReplyDelete

Post a Comment

Popular posts from this blog

VIrtual Machine Detection Techniques

This post will cover techniques that can be used to detect virtualized environment. Sample Analyzed - hxxps://virustotal.com/en/file/46686679e58fe4767e6796ddb27f31f3a46e4310abb6cf51b031a0181ba08ddf/analysis/ 1.VMWare Backdoor This techniques uses special I/O port to send command and get output. VMware Command Execution code In above image VMWare I/O port is 'VX' (5658h) . Command number 0x0A (get vmware version). VMware version is return in register EAX as shown below. More About VM Backdoor Port  https://sites.google.com/site/chitchatvmback/backdoor 2.VPCEXT VPCEXT instruction is used to detect presence of Virtual PC. If opcode 0F 3F b1 b2 is run outside Virtual PC, illegal instruction exception is thrown otherwise return value in ebx register is checked.If value in ebx register is 0 which means Virtual PC detected. 3.DMIDECODE Utility dmidecode is a tool for dumping a computer's DMI (some say SMBIOS ) table contents in a...
Read more

Analyzing ATM Malwares

This post will explain how to analyze ATM malwares developed using middle ware CEN/XFS (extension for financial services). ATM (Automated Teller machine). The three leading ATM vendors are - 1.NCR 2.Diebold 3.Wincor The main services (peripherals) of an ATM are - 1.Card Reader 2.PinPad 3.Cash Dispenser Applications developed to interact with ATM services (peripherals) uses CEN/XFS (extension for financial services). XFS provides the API to access and manipulate the ATM peripherals from different vendors as shown in below image. CEN/XFS Application Programming interface and SDK can be downloaded from below website under Published CWA's. https://www.cen.eu/work/areas/ICT/eBusiness/Pages/WS-XFS.aspx Apart from CEN/XFS Application Programming interface and SDK other important guides as mentioned below and can be download from above mentioned website. 1.Service Class Definition - Programmer's Reference 2.Identification Card Device Class Interface - Programmer...
Read more

Debugging MBR : IDA Pro and Bochs Emulator

This post will explain how to setup Bochs Emulator to debug MBR. I will be taking NotPetya\Petya ransomware MBR as an example. Take dump of Physical Drive whose MBR is overwritten by NotPetya\Petya ransomware by its malicious MBR. dd utility for windows can be used for this purpose.Command to dump the disk is as shown below. dd.exe if=\\?\Device\Harddisk0\DR0 of=<output file path> bs=512k --size --progress if = input file of = output file bs = read and write bytes at a time Configuring Bochs Emulator. Go to installation directory of Bochs Emulator and open file bochsrc and provide below information. 1.Disk Geometry 2.Boot Drive Disk Geometry setting contain Cylinder,Head and Sector (CHS) value of disk. # ATA controller for hard disks and cdroms ata0-master: type=disk, path="winxp0.img", mode=flat, cylinders=124830, heads=16, spt=63 where path is dump of disk taken using dd utility. Boot Drive setting contain bootable drive type. # BOOT: # This de...
Read more

Samsung CTF : Chicken or Egg Reversing Challenge

 The CTF is over but i really enjoyed solving the challenge (https://sctf.codeground.org/ctf/prob).The challenge is to decrypt flag.enc. This is another APK + JNI (Java Native Interface) kind of challenge similar to the one in Google CTF 2017 (http://shasaurabh.blogspot.com/2017/07/google-ctf-2017-android-re-challenge.html). Challenge can be divided into three parts. 1.Android application (application) loading Native Library 2.Native Library decrypts DEX file in memory. 3.Using Reflection to call methods of decrypted DEX file in step 2. 1. Android application loading Native Library OnClick() method of MainActivity class calls constructor of Crypt class. Calling constructor of Crypt class results in loading of Native library ( libegg.so ) which is ELF for ARM. Constructor of Crypt class calls crackEgg method implemented in native library. 2.Native Library decrypts DEX file in memory. The native library reads the encrypted DEX file stor...
Read more

Memory Forensics : Tracking Process Injection

This post describe about process memory internals which allow us to track process injections. Example used below is recent Brazil Malspam (hxxp://malware-traffic-analysis.net/2017/07/07/index.html) which inject DLL  fltLib.dll into process notepad.exe. Attach kernel debugger to infected machine and get information about notepad.exe  Process   object. Process object is represented by EPROCESS structure. VAD (Virtual Address Descriptors) is member of EPROCESS  structure and describes the layout of process memory segments. VADs contain the names of memory-mapped files, the total number of pages in the region, the initial protection (read, write, execute), and several other flags that can tell you a lot about what type of data the regions contain. VAD is a self balancing tree and each node in tree represent one range in process virtual memory.Each node has child in the form of left and right node.A node is represented using MMADDRESS_NODE struct...
Read more

FireEye FLARE CTF 2017 : PEWPEWBOAT Challenge 5

The challenge is about selecting correct coordinates on to the map and advancing to the next stage to get flag. As we advance to next stage, the game print some metadata. After debugging the binary, the logic to calculate co-ordinate can be rewritten. Below is the python implementation of calculating co-ordinate and decrypting metadata for each stage. import binascii key = 0x3B1EE5F6B3D99FF7                #initial key to decrypt metadata. offset = 0x50E0                         #offset of metadata in binary f = open('pewpewboat.exe','rb') for i in range(0,11):     stage = i     v = ((i << 3) + i) << 6     f.seek(offset + v)     mask = '0x'     temp = '0x'     res = []     metadata = []     for i in range(0,0x240):         key = ((key * 0x41c64e6d) +...
Read more

FireEye FLARE CTF 2017 : APK Challenge 8

The challenge required decrypting passwords in order to form AES key to decrypt the flag bytes. On decompiling flair.apk file we can see four classes for which we need to decrypt passwords. 1.Michael Class  It was pretty simple password comparison.The password is  MYPRSHE__FTW . 2. Brian Class Password is formed as shown below. String.format("%s_%s%x_%s!", new Object[]{t, y, Integer.valueOf(p), c}); t = (ImageView) findViewById(R.id.pfdu).getTag().toString() y = getApplicationContext().getPackageManager().getApplicationInfo(getApplicationContext().getPackageName(), 128).metaData.getString("vdf") p = (TextView) findViewById(R.id.vcxv).getCurrentTextColor() & SupportMenu.USER_MASK; c = (TextView) findViewById(R.id.vcxv).getText().toString().split(" ")[4]; The Password is  hashtag_covfefe_Fajitas! . 3.Milton Class The password is formed by decrypting a string and taking SHA1 of the decrypted string. Decryption algorithm...
Read more

Windows Registry Forensics

This blog post will cover how registry keys are stored in memory. There are many good tools available to extract windows registry information from memory or dump but it's always good to learn how the information is stored in memory and how these tools are extracting it. Windows Registry (Configuration Manager) in memory is represented using CMHIVE  structure.You can view CMHIVE structure here  https://www.nirsoft.net/kernel_struct/vista/CMHIVE.html . More about Registry structure can be found here  https://binaryforay.blogspot.in/2015/01/registry-hive-basics.html . We can locate CMHIVE structure in memory by scanning pool tag value  CM10 . The pool tag is part of POOL_HEADER ( https://www.nirsoft.net/kernel_struct/vista/POOL_HEADER.html ).The size of POOL_HEADER structure is 8 bytes in 32-bit OS and lies above CMHIVE structure in memory.Below is the result of command ! poolfind <tag> <pooltype>  in windbg where tag is CM10 and pooltype =1...
Read more

DoublePulsar Backdoor

This post explains DoublePulsar Backdoor and how WannaCry Ransomware uses it to spread Itself. EternalBlue Installing DoublePulasr Backdoor EternalBlue exploits vulnerability in SMB protocol and execute shell code.Offset of shell code in EternalBlue binary that is present in shadow broker dump. Shellcode finds address of srv.sys (SMB Driver) and replace address of srv!SrvTransactionNotImplemented function in srv!SrvTransaction2DispatchTable with its own function address as shown below. Offset of function code in EternalBlue binary which replaces srv!SrvTransactionNotImplemented function address in srv!SrvTransaction2DispatchTable . Before overwriting srv!SrvTransactionNotImplemented function in srv!SrvTransaction2DispatchTable with  its own function address shell code allocates memory using ExAllocatePool API and write function bytes. Function code is stored at 0x48 offset from memory addres...
Read more

Google CTF 2017 : Android RE Challenge

The challenge was consist of three parts. 1.Android application loading native library (ARM or x86) depending on platform. 2.Native library drops a dex file and dynamically loads it. 3.Native library modify bytes (in memory) of loaded dex file in step2. 1.Android application loading native library Decompiling food.apk file using JADX (Dex to Java decompiler) and looking at AndroidManifiest.xml we see activity is implemented in FoodActivity class. Looking at FoodActivity class it only loads the native library cook .The argument to System.loadLibrary is a library name chosen arbitrarily by the programmer. The system follows a standard, but platform-specific, approach to convert the library name to a native library name. For example, a Solaris system converts the name cook to libcook.so , while a Win32 system converts the same cook name to cook.dll . 2.Attaching to libcook.so . We will be using IDA Pro.Refer to http://www.hexblog.com/?p=809 for how to attach to nati...
Read more