Ghidra: Analyzing Wannacry VIP Poster Topic Spring 2020

WannaCry 101

WannaCry is ransomware that targeted computers running the Windows operating system. It would encrypt the the files and a payment would be required to get the private key to decrypt the files before a given time frame is up. Failure to do so would result in the deletion of the encrypted files.

The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It propagated through EternalBlue, an exploit developed by the United States National Security Agency (NSA) for older Windows systems. EternalBlue was stolen and leaked by a group called The Shadow Brokers a few months prior to the attack. While Microsoft had released patches previously to close the exploit, much of WannaCry's spread was from organizations that had not applied these, or were using older Windows systems that were past their end-of-life.

Warning: Do not perform the analysis on any important machine! You may lose all your files.

Reversing WannaCry Using Ghidra

Loading WannaCry into Ghidra resulted in many unnamed functions. Thus referencing the Windows documentation is a must.

First off is the WinMain function:

int WINAPI wWinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, PWSTR pCmdLine, int nCmdShow);

Place this signature with the function FUN_00408140.

Understanding ransomewares:

• THE ANATOMY OF A RANSOMWARE ATTACK

  • https://www.exabeam.com/wp-content/uploads/2017/07/Exabeam_Ransomware_Threat_Report_Final.pdf

• A Technical Analysis of WannaCry Ransomware

  • https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/

Some research and tools that helped us reverse engineering the code:

• • Default entry code for Windows Executable:

  • https://docs.microsoft.com/en-us/windows/win32/learnwin32/winmain--the-application-entry-point

  • Function signatures that Ghidra does not recognize

    • InternetOpenA

    • https://docs.microsoft.com/en-us/windows/win32/api/wininet/nf-wininet-internetopena

    • InternetOpenAUrl

    • https://docs.microsoft.com/en-us/windows/win32/api/wininet/nf-wininet-internetopenurla

      • Note: Ghidra will not let you create this function signature if you do not create a custom HINTERNET void pointer type

  • Famous "killswitch" domain behind the Wannacry's strange url entry

  • https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

  • https://www.wired.com/2017/05/accidental-kill-switch-slowed-fridays-massive-ransomware-attack/

  • Using "wrestool" function in order to extract resources from exec files

  • https://linux.die.net/man/1/wrestool

    • Download: https://www.nongnu.org/icoutils/