Memory Analysis of WannaCry Ransomware

Introduction 
This post explains the memory dump analysis of WannaCry infected system using volatility (An open source memory forensics framework) and other open source tools. It doesn't cover the analysis of initial infection vector, propagation and recovery of infected system. The objective is to leverage memory forensic analysis to uncover and extract Indicators of Compromise (IoC) 


WannaCry 
WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a ransomware program targeting the Microsoft Windows operating system. On Friday, 12 May 2017, a large cyber-attack using it was launched, infecting more than 230,000 computers in 150 countries, demanding ransom payments in the cryptocurrency bitcoin in 28 languages.The attack has been described by Europol as unprecedented in scale. https://en.wikipedia.org/wiki/WannaCry_ransomware_attack

Discalimer
  • You are dealing with real malware samples
  • Don’t expose them to internal networks or internet
  • Analyze them in a controlled environments (sandboxes)
  • We are not responsible for any consequences of damage if you fail to obey the rules
Binary Hash
sha256sum: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c

MemoryDump
sha256sum: 76e8be1a3761878325fdff39a5ab1ff84922a0b18947e5268dd9175795ad2bf0
Sample: https://mega.nz/#!Au5xlCAS!KX5ZJKYzQgDHSa72lPFwqKL6CsZS7oQGbyyQrMTH9XY

Analysis 
Six-step investigative methodology by SANS (digital-forensics.sans.org/media/Poster-2015-Memory-Forensics.pdf)
  1. Identify rogue processes 
  2. Analyze process DLLs and handles  
  3. Review network artifacts 
  4. Look for evidence of code injection 
  5. Check for signs of rootkit
  6. Dump suspicious processes and drivers 
Since the binary is available, it would be always good to do a quick static analysis to identify any malicious indicators or abnormal characteristics. Below mentioned tools can be handy to do a quick static analysis
  1. strings 
  2. peinfo
  3. pestudio 
  4. virustotal
 Strip the strings of binary using strings tool
The only one URL with unknown strings in it was found and later discovered it as a killswitch. Wana Decryptor infects systems through a malicious program that first tries to connect to an unregistered web domain. The kill switch appears to work like this: If the malicious program can’t connect to the domain, it’ll proceed with the infection. If the connection succeeds, the program will stop the attack. Later  security researcher from MalwareTech found and activated the kill switch by registering the web domain and posting a page on it

The above indicators says that wannacry can drop binaries on the fly to run different tasks on system and let's hope to see these process in the upcoming memory analysis.
we can see few more interesting strings related to Mutex creation on on infected system and also granting or modifying discretionary access controls on infected system. A strange password type of string 'WNcry@2ol7' could also be spotted
A further deep dive into strings shows various files with .wnry extension. A Dynamic analysis can only help understand these files.

Let's assume that now we have only memory dump in hand and no more evidence of Indicators of compromise available. Using Volatility we can uncover memory resident artifacts and reconstruct the timeline of activities done on infected system. Start with volatility imageinfo 
Run pslist command look at running processes at the time of acquiring memory. It's always good to have knowledge of native windows related processes so that the other processes can be easily identified
PID 1940 initiated PID 740 and both processes look completely strange and also tasksche was spotted in strings of wannacry binary. Running psscan plugin will also list all processes including terminated processes, which can help us identify process hierarchy and the timeline of creation
As we can see terminated processes taskdl.exe, taskse.exe along with parent process PID 1940

and if we sort process creation time using sort  It would be easy to understand timeline of process creation Below unknown processes can be considered as suspicious
looking at the order of process creation taskse.exe process was created before taskdl.exe process but still no idea of what these processes do. Below are the results of famous search engines about these processes
These samples were already analyzed by giant threat intelligence and AV vendors but, in reality lot of new indicators can be uncovered in short time when it comes to unknown threats
Run dlllist plugin to identify process DLLs and path where the process has executed from, this can give clear understanding of malicious processes if they are run by dropped binaries in uncommon folders.

Identify the path of the binary for process tasksche.exe  which clearly looks uncommon and suspicious. It's recommended to look at the DLLs loaded to understand the characteristics of the process like encryption,regstriy modification and socket creation etc.
Process @WanaDecryptor@ with PID 740 also uses the same path of process tasksche.exe. Based on DLLs loaded by @WanaDecryptor@ process, it can perform socket creation (Ws2_32.dll), high level network communications(WININET.DLL), querying registry(ADVAPI32.DLL), encryption (SECURE32.DLL) and interacting with browsers (URLMON.DLL)like internet explorer etc.
Looking at the handles of PID 1940, It has created a mutex (Mutexes have long been used by malware authors to prevent more than one instance of the malware running on the same machine. An old anti-malware trick consists in the creation of a specific mutex, to prevent the execution of a specific malware) named ''MsWinZonesCacheCounterMutexA''


A quick search for this mutex on google gives
Mutex "MsWinZonesCacheCounterMutexA" can be one of IOCs for identifying infected systems. Like mutex as one of types of handles for any process, volatility handles plugin can also identify File, Key, Event, threads and port type of handles for any process. A quick look at files accessed by PID 1940
It's recommended to look at Key handle type for any process which can give any insight about registry changes by that process. Below are Key type of handle for process  PID 740
No persistent mechanism was found yet, it can be identified by printkey plugin by accessing Run, Runonce, Winlogonkeys, BootExcuteKey, startup folders and services key
Network related artifacts can be identified  by connections plugin for active connections and connscan plugin for terminated connections
Sadly, no connections were found. Since memory dump can also hold some network connections, we can use data carving tool bulk_extractor to extract network connections from memory . volatility ethscan plugin can also extract pcap from memory dump
The extracted pcap was opened in wireshark to see any killswitch related domain name and other netowrk connections. Unfortunately there was no killswitch found in this pcap (extracted from memory) except few unknown remote IPs.
Using tshark, all IPs from pcap are extracted to text file and further can be used as Indicators of compromise
The killswitch was found in pcap that was captured while wannacry  infecting the system and download link is available below
Pcap: https://mega.nz/#!h6oCBbYS!TV46RntkpyZaPZYaSpir3iutOQLBZvm4xf4t84enuHM
sha256sum: 88088077d67bd10dbc1d4bd1c240ad1a7f6c0b251bc22bcc2c6b52eba9142d2b
As per wannacry's author killswitch mechanism, the system was infected further as domain was not resolved and unreachable. In this pcap, number of unknown hosts were found
 All IPs were copied to a text file using tshark and can be treated and used as automated indicators of compromise
  • tshark -T fields -e ip.src -r dump.pcap | sort -u 
Memory resident files can be searched using filescan plugin and can be dumped using dumpfiles plugin. While looking for specific folder of the tasksche.exe , interestingly all files related to ransomeware were found at one location in folder ivecuqmanpnirkt615
These files cab be dumped using respective physical address of the file using dumpfiles plugin by specifying -Q option.
Further analysis like static, dynamic or reverse engineering of these extracted binaries can give lot insights about ransomware mechanism. We can also dump a desired file for further analysis and hashes of these files can be used as indicators of compromise for further detection engines
Interesting strings were found in  @WanaDecryptor@.exe binary likes.wnry,f.wnry, c.wnry, messages related to payment, how to use bitcoins, APIs realted to encryption and deletion of volume shadow copies of victim.
 Below strings were found in @WanaDecryptor@ binary. The files with extension must be downloaded and checked to understand the characteristics of the binary.
It's always recommended to dump memory address space of processes to check for suspicious entries in process memory rather on solely focusing on binary itself.
The volatility plugin memdump was used to dump the address space of @WanaDecryptor@ and taskssche.exe processes to for any indicators
Looking at the stings of process tasksche.exe (PID 1940), it was found that tasksche.exe started @WanaDecryptor@ process with command line arguments
Further anlsysis of strings revealed about how ransomware run @WanaDecryptor@ process using script of operations, setting up registry key for itself in Run key for persistence mechanism and killing few servies like DB, MS Exchange etc .
Looking at the strings of @WanaDecryptor@ (PID 740) process dump, It was found that the malware use TOR hidden services for command and control. The list of .onion domains inside is as following
The onion domains are as follows
  • gx7ekbenv2riucmf.onion
  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion
The bitcoin address is 
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
The link for bitcoin address was found as 
All dropped files were dumped using dumpfiles plugin and these file hashes can be used as indicators of compromise or ingested into search engines. YARA rules are also in handy to write your own rules to quickly prevent or identify ransomware infections 
Note: All these types of indicators can also be quickly identifed by dynamic malware analysis in a sandboxed enviornment but, the objective is to how to levarage memoryforensic techniques to unearth the IOCs. 
Timeline Analysis 
All memory resident artifacts have metadata assosciated with them,Volatility supports various plugins to create timeline analysis of memory resident artifacts. The plugins timeliner, mftparser and shellbags can help create timeline activity in a body file format which canbe further ingested to  mactime utility with proper timezone.
The above screenshot is just a glance of timeline activity and it's evident that how taskdl.exe and taskse.exe were involved in infection process

Highlighted IOCs so far
  • tasksche.exe
  • taskse.exe
  • @WanaDecryptor@
  • taskdl.exe
  • ivecuqmanpnirkt615 
  • icacls . /grant Everyone:F /T /C /Q
  • WNcry@2ol7
  • MsWinZonesCacheCounterMutexA
  • MsWinZonesCacheCounterMutexA0 
  • Global\\MsWinZonesCacheCounterMutexA
  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw (bitcoin wallet) 
  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion
Dropped files 
  • a157c3437fa6b0174fec1acc754b3a6a
  • 4fef5e34143e646dbf9907c4374276f5
  • c523cdfa774ddabfb3dc47f9ed945698
  • 81b21441a1c703d9840b377c2b0324d9
  • 736109d6b23d924c9a32d721d6bb4c7c
  • 6093efc815be21e4f4188af1267a8e33
  • 6a3a34a2ae65ca4b37047130ffe4d60c
  • d7e5d5c54e3974e9e406fbc23116ce3a
  • 2efd94af98dd9fa9e6193a003af403e1
  • b1ce4e545e7a2d3e0bcffcd0e0b95d34
  • 8495400f199ac77853c53b5a3f278f3e
  • 508b42d5483a704264fa2b1dc8592b8d
  • b7a339bdf4afee4fd8aefee46a22b4a1
  • ebb126f0cbc7c12487a3838a126b5e30
  • ecc538b01d7bae3dc562fa9bd0944c23
  • 4fef5e34143e646dbf9907c4374276f5
  • dbbe82485c0402c219997634de6d71e1
  • 7bf2b57f2a205768755c07f238fb32cc
  • 3aee8a479a419d8cad7bfae88265bc4a
  • 8495400f199ac77853c53b5a3f278f3e
  • a2e9772752850311a57560a47419a240
  • 6c7fa29e6df721eaaf2e9d409af59fcf
  • 84c82835a5d21bbcf75a61706d8ab549
IP Addresses 
  • 134.119.3.164
  • 199.254.238.52
  • 213.61.66.118
  • 101.190.120.20
  • 103.135.87.34
  • 105.228.80.118
  • 109.120.147.113
  • 112.40.73.231
  • 114.132.163.140
  • 115.120.39.62
  • 117.231.163.128
  • 11.79.216.11
  • 118.92.63.58
  • 119.160.53.6
  • 121.243.24.243
  • 12.129.160.42
  • 123.110.234.142
  • 130.29.42.75
  • 134.119.3.164
  • 134.5.37.219
  • 134.65.66.122
  • 135.156.126.225
  • 135.3.230.156
  • 144.254.232.99
  • 149.117.67.192
  • 151.181.122.70
  • 152.238.59.112
  • 153.80.51.4
  • 157.108.135.161
  • 160.247.148.100
  • 160.8.72.162
  • 162.143.222.92
  • 162.81.94.159
  • 16.40.254.133
  • 165.157.85.152
  • 169.29.159.20
  • 171.147.178.215
  • 173.72.110.26
  • 174.63.138.67
  • 179.99.16.26
  • 18.228.201.11
  • 183.247.221.96
  • 183.7.58.127
  • 184.31.24.7
  • 185.248.216.1
  • 18.79.199.205
  • 19.138.13.9
  • 192.3.24.55
  • 199.254.238.52
  • 202.40.165.77
  • 205.85.82.96
  • 206.74.108.93
  • 207.103.96.26
  • 209.62.155.245
  • 213.61.66.118
  • 214.246.133.99
  • 2.1.73.221
  • 218.104.184.247
  • 221.56.68.76
  • 22.217.48.117
  • 223.109.158.202
  • 31.20.234.160
  • 31.7.66.212
  • 32.148.163.190
  • 46.167.196.104
  • 46.216.113.45
  • 46.235.25.138
  • 5.142.148.18
  • 52.245.218.43
  • 54.130.143.214
  • 54.130.49.104
  • 61.173.44.137
  • 65.8.152.213
  • 69.202.254.47
  • 7.114.11.198
  • 7.184.139.167
  • 73.18.6.102
  • 74.161.161.67
  • 76.114.18.217
  • 77.112.46.246
  • 78.179.218.189
  • 79.118.202.221
  • 82.173.188.249
  • 82.212.160.235
  • 85.9.72.43
  • 86.77.117.202
  • 88.236.147.189
  • 92.181.3.156
  • 94.242.5.58
  • 95.130.11.147
Discalimer: These IPs may subject to change in future 
This is just an explanatory post to levarage volailtiy to gather actionable intelligence in quicker manner


Comments

  1. Good work Donny.I just want to ask, how do you get the memory dump that includes all files dropped by the binary?. Since if I run the tools to dump memory it will dump it in an instant as a whole and will not let me specify when to stop dumping. The binary drop files and the deletes it so I need to get those deleted files somethow.

    ReplyDelete
  2. I just executed the binary in VirtualBox XP and I dump the memory by using vboxmanage. What tools did you use to dump memory ?

    ReplyDelete
    Replies
    1. FTKImager, WinPmem can be used to take dump.

      Thanks.

      Delete
    2. please share the password for dump file at vashista35@gmail.com

      Delete
    3. pls can send me password for extracting wannacry.7z
      Email: ngocphucit2810@gmail.com

      Delete
    4. infected
      It's standard for many ! :)

      Delete
  3. What is password for extracting wannacry.7z???

    ReplyDelete
  4. Thanks for the post!
    May I have the password for the dump file please? My email is yr0mem@null.net

    ReplyDelete
    Replies
    1. Hi Please check your inbox

      Delete
    2. Pls send password here as well, m91@aol.in

      Delete
  5. ThankS for your post. My email is nvd6996@gmail.com , can u share the password please :D

    ReplyDelete
  6. Great analysis. Please share the password - jedi1977@protonmail.com

    ReplyDelete
  7. Excellent! Thank you for the post. I'd love to have the password as well - runnergirl400@msn.com

    ReplyDelete
  8. Nice work Mate. Can you pls share the password ? My email id is kentz.clarkz@gmail.com Thanks.

    ReplyDelete
  9. Exellent! Can u send me the file dump password?
    email : jlcnate@codernate.org

    ReplyDelete
  10. Similar deal, I would like to get the password to the zip so I can recreate the work and learn a bit.
    email: msmith20@albany.edu

    Thanks,
    Mike

    ReplyDelete
  11. kindly share the memory dump password on :myselfvisa@gmail.com

    ReplyDelete
  12. pease can I get the password for te memory dump please? socket.contact@gmail.com

    ReplyDelete
  13. Hi Donny, can you send me the file dump password? My email is forfotam@yahoo.ro
    Thanks.

    ReplyDelete
  14. hello donny i want the memory dump password file, send to my email domirez666@gmail.com #thanks

    ReplyDelete
  15. hi can you please give me password of dump to vamsikrishna951@gmail.com

    ReplyDelete
  16. Hi.
    Congratulations for the excelent tutorial.

    Can you please send to me the password of the dump?

    My email is: lf.vieira.slb@gmail.com

    Thank you.

    ReplyDelete
  17. Hello, could you send the password to me at coolhandluke727@comcast.net? Thanks!

    ReplyDelete
  18. Please share the password for extracting the wannacry.7z file.
    prajapati.jay.67@gmail.com

    ReplyDelete
  19. Kindly can you send the password mj1_mz1@yahoo.com Thanks

    ReplyDelete
    Replies
    1. infected
      It's standard for many !

      Delete
    2. Please let me know the password! and how do I run it? Can you plzz guide..

      Delete
  20. Thank you for your blog. Really helped us in our project.

    ReplyDelete
  21. Hi, Great write up. I have a question on one of the pieces that you've mentioned, this is regarding the use of Bulkextractor to extract network connections from mem dump in .pcap format. I tried using it but I don't get the net scanner output in .pcap format, instead a folder named pcap is created (i use windows) and text files along with xml data is found. Even that xml data does not appear to be in a format that wireshark would throw some light. I looked through the contents using excel, is it possible to help, I am doing a vol analysis of a mem dump and want to carve network connections that aren't shown by netscan. The ethscan doesn't seem to work either.

    ReplyDelete
  22. It's not guaranteed that you have to get network connections unless the system established. check the cmdline options once again and run

    ReplyDelete
  23. Hi , great analysis ! Can you please email the password to priyjan.5@gmail.com . Thanks!

    ReplyDelete
  24. infected
    It's standard for many !

    ReplyDelete
  25. my email is muqaddas.noreen@gmail.com

    ReplyDelete
  26. Thank you for sharing complete information about wannacry ransomware. I appreciate your efforts! Explaining every detail with pictures is the best part of your blog.

    ReplyDelete

Post a Comment

Popular posts from this blog

Memory dump analysis of Donny's System

Malicious document analysis Part - 1