WannaCry Startup Sequence

WannaCry is malware with a worm+ransomware characteristics as such it is a  blended threat. Initial news of attacks were provided by Telefonica in Spain, the malware was able to spread to networks in the National Health Service (NHS) and has infected at least 16 Hospitals, followed by many other incidents across the world. The ransomware uses the ETERNALBLUE exploit to spread to other vulnerable machines. This post details the initial stages in the ransomware’s execution leading upto the start of its encryption phase. Below are the file details of the sample used in this analysis.

File Name : C:\Users\IEUser\Downloads\WannaCry.exe
Internal Name: lhdfrgui.exe
FileDescription : Microsoft® Disk Defragmenter
File Type : Portable Executable 32
File Size: 3.55MB (3723264 bytes)
MD5: DB349B97C37D22F5EA1D1841E3C89EB4
SHA-1 E889544AFF85FFAF8B0D0DA705105DEE7C97FE26

The file is a PE32 executable built in C++. Upon execution the malware checks for reach-ability to “http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com” if it fails the execution continues and if it succeeds it will terminate the process.

Checking for Domain

If v5 is NULL then it proceeds to call subroutine ‘sub_408090’. There are confirmed reports by researchers that they are other variants in wild which check for the other domains.

iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com
iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test
iuqssfsodp91fjaposdfjhgosurijfaewrwergwea[.]com
ayy1maotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com

The .test is a reserved by the Internet Engineering Task Force and not be used a top level domain. These checks for domains could be an evasion method used to detect sandboxes or lab setups where common internet services are simulated. Most of theses domains apart from .test have been sinkholed to prevent further spread of infection.

Going back to our analysis the subroutine “sub_408090”, finds the path to itself and checks if it has any command line arguments.

command line args checking

If there are no command line arguments. It tries to open a connection to the active services database on the machine with SC_MANAGER_ALL_ACCESS. With the connection handle to the database it attempts to start a service named “Microsoft Security Center (2.0) Service” with the executable path pointing to “C:\Users\IEUser\Documents\WannaCry.exe -m security”.

Create service mssecvc2.0

This creates a service object which when started will have

This action adds the corresponding registry when the service starts. Notice the command line argument “-m security”.

Service Started
Registry Entry

If the ransomware detects that they are >=2 command line arguments the executable tries to start this service directly.The ransomware will continue execution Irrespective of the success of this service start sequence. Moving on it obtains a handle to kernel32.dll and resolves the process address for CreateProcessA, CreateFileA,WriteFile,CloseHandle, a tell-tale signs of file operation and may be try to spawn a new process.

First it tries to find a resource block from within its PE header.

Finding Resource block “R”

From the stack trace above we can see that it is trying find a resource block named 727h(1831 base 10) within resource type/block “R”. We can verify this manually.

Resource block “R” ID 1831

Things are becoming very interesting now. It appears that the an executable is embedded within the resource section of the main executable. The embedded file has a DOS executable header followed by a PE header. The subroutine obtains a lock on the resource block and writes it to “C:\WINDOWS\tasksche.exe”.

Writing to “tasksche.exe”

In image above we can see the call stack leading up to the WriteFile function call. The value 0x258 is the handle for the “tasksche.exe”.

tasksche.exe handle

And the contents to be written are stored at 0x007100a4. The total size of the executable is 3514368 bytes.

File content

Now that the executable is created, it will create a process for “tasksche.exe” which will encrypt the target machine.

CreateProcessA call

Upon execution “tasksche.exe” will further spawn addition processes for encrypting files on the  target machine.

Initial tasksche.exe process

Notice the “/i” command line argument for “tasksche.exe”, We will continue our analysis to find out what it does.

Summary:
The main ransomware executable is a dropper which configures the system for the encrypting executable “taskche.exe”. The executable in question is embedded within the  resource section, the file, and is used to create “taskche.exe”. The malware achieves persistence by starting a system level service which start automatically. Please continue follow us on ThreatProtect for more coverage on WannaCry.

Leave a Reply

Your email address will not be published. Required fields are marked *