Welcome back, my aspiring cyber warriors!
Reverse engineering is one of the most highly sought and most valuable cybersecurity/infosec skills. Few people have developed their skill levels to be proficient in this highly sought after skill. Ghidra is a relatively new and free reverse engineering tool from the US spy agency, NSA.
In this tutorial, we will examine one of the most notorious pieces of
malware in the history of
ransomware, WannaCry. It infected over 300,000 computers
worldwide and could have created havoc but for the work and skills of one individual, Marcus Hutchens aka MalwareTech. Marcus Hutchens got a copy of this malware and immediately began to examine its code. In it, he found what has often been referred to as the "killswitch". In reality, what he found was URL that was to be used for command and control (C&C) of this ransomware. When he realized that the URL had not yet been registered, he did so. By doing that, he denied the ransomware authors access to control of their malware thereby saving the Internet!
Here, we will be looking at the initial infection vector of the malware looking for the URL and trying to understand how it initiates its malicious activity.
Before starting this tutorial, I recommend you read;
In addition, you would be well served to read;
Step #1: Prepare Your Environment and Install Ghidra
For this tutorial, I recommend you use a VM with Kali or other operating system. This is to make certain that you don't accidentally release WannaCcy into your other systems or network (this is generally a good practice when working with malware). Next, download WannaCry. There are numerous places you can acquire it from such as VirusTotal.
Make certain you are in the Ghidra directory and start Ghidra.
kali > sudo ./ghidraRun
When Ghidra starts, Open a project by clicking on File > New Project.
Then drag and drop the WannaCry ransomware file to the dragon or go to File -> Import File.
Once the file is imported you will see a screen like below with all details of the file.
Next, you will be greeted with a screen detailing options for analysis. Leave all the defaults checked and add Decompiler Parameter ID (this creates parameters and local variables for a Function. It can add considerable time to this analysis for large files but for WannaCry this should not cause any issues).
As Ghidra analyzes WannaCry, you will likely receive the following error message. Don't worry, simply click OK.
Now you should have the following user interface of Ghidra with the data from WannaCry.
Step #2: Find the Main() Function
The next step is to look for the function that starts WannaCry this malware. As noted when we loaded the malware into Ghidra, WannaCry is a Portable Executable (PE). Every Windows program has an entry point and this is usually named WinMain or wWinMain. See the documentation from Microsoft below.
When we go to the Symbol Tree and expand the Functions folder, we do not see a WinMain or wWinMain function but we do see an entry function. This may serve the same purpose as WinMain(). Lets examine it.
Double click on it and it will appear in both the Listing window and the Decompile window.
Step #3: Finding the "killswitch"
Now, scan down the Decompile window, there we can see that this function calls another function FUN_00408140. Double click on it to analyze it.
Almost immediately, you should see what appears to be a URL in the Listing window and in the Decompile window.
It appears to be placing the URL into a variable named puVar3.
Scanning a bit further down the decompiler, we can see a reference to InternetOpenUrlA function.
We can search through Microsoft Technet and see that InternetOpenUrlA function does just as you might expect, it calls and opens the URL specified.
Just below the InternetOpenUrlA, we see a few lines using the InternetCloseHandle. These specify that if iVar2 is 0 , then close the handle and run FUN_00408090, else close the handle and terminate the program.
This is what Marcus Hutchins noticed when he first examined and analyzed WannaCry. This is the URL of the command and control (C&C) URL. If the program tries to reach the URL and it returns a 0, the program automatically terminates. If it does not terminate, it executes FUN_00408140. Let's follow FUN_00408140.
Step #4: Go with the Flow
In the next step, let's follow the flow from FUN_00408140. Go to the Window tab at the top of Ghidra and click Function Graph.
As you can see above, Ghidra provides us a easy to read graph of the flow from this Function, both upstream and downstream. You can see that the entry function is upstream from FUN 00408140 and downstream from it is InternetOpenA, InternetOpenUrlA, InternetCloseHandle and FUN_00408090
Go back to the Decompile Window and let's double click on FUN_00408090 to try to determine what it does.
The Decompile window should look like the following.
Note that the decompiler shows that the malware attempts OpenServiceA. This includes an argument to open mssecsv2.0_004312fc. This appears to open a Microsoft Security Service. Now that's interesting...
When we search Microsoft's Technet, we find that NO such service exists. The malware is starting a new service that appears to be a legitimate Microsoft Security Service to obscure its true nature.
Summary
Wannacry ransomware had the potential to push a crushing blow to the Internet in 2017. It used the recently released EternalBlue exploit to gain entry to computer systems and then encrypt all their data until they paid a ransom. Apparently, developed by North Korea in a haste to release it before Windows systems were patched, they failed to obscure or obfuscate the malware and most importantly, failed to register the command and control domain. Thanks to Marcus Hutchins, its impact was mitigated by his detection of the "kill switch" and disarming this potentially debilitating ransomware.
Now that you have the skills to do the same, maybe you will be next person to save the Internet?