WannaCry 101
WannaCry is ransomware that targeted computers running the Windows operating system. It encrypts the victim's files and demands a payment in exchange for the private key needed to decrypt them, which has to be made before a given time frame is up. Failure to pay in time would result in the deletion of the encrypted files.
The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It propagated through EternalBlue, an exploit developed by the United States National Security Agency (NSA) for older Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a few months prior to the attack. While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end-of-life.
Warning: Do not perform the analysis on any important machine! You may lose all your files.
Reversing WannaCry Using Ghidra
Loading WannaCry into Ghidra results in many unnamed functions, so referencing the Windows documentation is a must.
First off is the WinMain function:
int WINAPI wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PWSTR pCmdLine, int nCmdShow);
Apply this signature to the function FUN_00408140.
Understanding ransomware:
THE ANATOMY OF A RANSOMWARE ATTACK
A Technical Analysis of WannaCry Ransomware
Some research and tools that helped us reverse engineer the code:
Default entry code for Windows Executable:
https://docs.microsoft.com/en-us/windows/win32/learnwin32/winmain--the-application-entry-point
Function signatures that Ghidra does not recognize:
InternetOpenA
https://docs.microsoft.com/en-us/windows/win32/api/wininet/nf-wininet-internetopena
InternetOpenUrlA
https://docs.microsoft.com/en-us/windows/win32/api/wininet/nf-wininet-internetopenurla
Note: Ghidra will not let you create this function signature unless you first create a custom HINTERNET type (a void pointer).
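The two steps above (applying the wWinMain signature to FUN_00408140, and giving the imported WinInet functions prototypes that need a custom HINTERNET type) can be done in one Ghidra script instead of by hand through the "Edit Function Signature" dialog. The script below is an added example written for this page, not code from the original write-up or from Ghidra itself. It assumes the sample is loaded as a 32-bit x86 Windows PE with the default compiler spec (so WINAPI is __stdcall and DWORD_PTR is 32 bits), Ghidra 10.3 or later (for FunctionDefinition.setCallingConvention(String)), and that HINSTANCE and HINTERNET can be modelled as typedefs of void*; the class and helper names (ApplyWannaCrySignatures, handleType, applyToImport) are the example's own.

```java
// ApplyWannaCrySignatures.java  (added example; drop into ~/ghidra_scripts and run from the Script Manager)
import ghidra.app.cmd.function.ApplyFunctionSignatureCmd;
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.data.*;
import ghidra.program.model.listing.Function;
import ghidra.program.model.listing.FunctionIterator;
import ghidra.program.model.symbol.SourceType;

public class ApplyWannaCrySignatures extends GhidraScript {

    private DataTypeManager dtm;

    @Override
    public void run() throws Exception {
        dtm = currentProgram.getDataTypeManager();

        // Opaque Windows handles: typedef void *HINSTANCE; typedef void *HINTERNET;
        // (assumption: modelled as void* because Ghidra has no HINTERNET out of the box)
        DataType hInstance = handleType("HINSTANCE");
        DataType hInternet = handleType("HINTERNET");
        DataType pwstr  = new PointerDataType(WideChar16DataType.dataType);   // PWSTR
        DataType lpcstr = new PointerDataType(CharDataType.dataType);         // LPCSTR
        DataType dword  = UnsignedIntegerDataType.dataType;                   // DWORD (and DWORD_PTR on 32-bit)

        // int WINAPI wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PWSTR pCmdLine, int nCmdShow);
        FunctionDefinitionDataType winMain = signature("wWinMain", IntegerDataType.dataType,
            param("hInstance", hInstance), param("hPrevInstance", hInstance),
            param("pCmdLine", pwstr), param("nCmdShow", IntegerDataType.dataType));
        applyAt(toAddr(0x00408140L), winMain);   // FUN_00408140 from the analysis above

        // HINTERNET InternetOpenA(LPCSTR lpszAgent, DWORD dwAccessType, LPCSTR lpszProxy,
        //                         LPCSTR lpszProxyBypass, DWORD dwFlags);
        FunctionDefinitionDataType internetOpen = signature("InternetOpenA", hInternet,
            param("lpszAgent", lpcstr), param("dwAccessType", dword), param("lpszProxy", lpcstr),
            param("lpszProxyBypass", lpcstr), param("dwFlags", dword));
        applyToImport("InternetOpenA", internetOpen);

        // HINTERNET InternetOpenUrlA(HINTERNET hInternet, LPCSTR lpszUrl, LPCSTR lpszHeaders,
        //                            DWORD dwHeadersLength, DWORD dwFlags, DWORD_PTR dwContext);
        FunctionDefinitionDataType internetOpenUrl = signature("InternetOpenUrlA", hInternet,
            param("hInternet", hInternet), param("lpszUrl", lpcstr), param("lpszHeaders", lpcstr),
            param("dwHeadersLength", dword), param("dwFlags", dword), param("dwContext", dword));
        applyToImport("InternetOpenUrlA", internetOpenUrl);
    }

    // Creates "typedef void *NAME" in the program's data type manager, or reuses an
    // existing type of that name (e.g. HINSTANCE from the windows_vs12 archive).
    private DataType handleType(String name) {
        DataType dt = new TypedefDataType(name, new PointerDataType(VoidDataType.dataType));
        return dtm.addDataType(dt, DataTypeConflictHandler.KEEP_HANDLER);
    }

    private ParameterDefinition param(String name, DataType type) {
        return new ParameterDefinitionImpl(name, type, null);
    }

    private FunctionDefinitionDataType signature(String name, DataType ret,
                                                 ParameterDefinition... args) throws Exception {
        FunctionDefinitionDataType def = new FunctionDefinitionDataType(name);
        def.setReturnType(ret);
        def.setArguments(args);
        def.setCallingConvention("__stdcall");   // WINAPI on 32-bit x86 (assumed target)
        return def;
    }

    // Applies the prototype at an address, defining the function first if analysis missed it.
    private void applyAt(Address entry, FunctionDefinitionDataType def) throws Exception {
        if (getFunctionAt(entry) == null) {
            createFunction(entry, def.getName());
        }
        boolean ok = new ApplyFunctionSignatureCmd(entry, def, SourceType.USER_DEFINED)
            .applyTo(currentProgram);
        println((ok ? "applied " : "FAILED ") + def.getName() + " at " + entry);
    }

    // Imported functions live in Ghidra's EXTERNAL space; find them by name so the new
    // prototype propagates to every thunk and call site that references the import.
    private void applyToImport(String name, FunctionDefinitionDataType def) throws Exception {
        FunctionIterator it = currentProgram.getFunctionManager().getExternalFunctions();
        boolean found = false;
        while (it.hasNext()) {
            Function f = it.next();
            if (f.getName().equals(name)) {
                applyAt(f.getEntryPoint(), def);
                found = true;
            }
        }
        if (!found) {
            println("import not found: " + name);
        }
    }
}
```

Once the prototypes are applied, the decompiler output for the entry function names its parameters and shows which string is passed as lpszUrl to InternetOpenUrlA, which is the point at which the behaviour described in the next section becomes readable. KEEP_HANDLER is used deliberately so a HINSTANCE already supplied by a Windows data type archive is reused rather than duplicated as HINSTANCE.conflict.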
The famous "kill switch" domain behind WannaCry's strange URL entry:
https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
https://www.wired.com/2017/05/accidental-kill-switch-slowed-fridays-massive-ransomware-attack/
Using the "wrestool" utility to extract resources from executable files:
https://linux.die.net/man/1/wrestool
Download: https://www.nongnu.org/icoutils/