top of page
Search
  • Writer's pictureotw

Reverse Engineering Malware, Ghidra Part 3: Analyzing the WannaCry Ransomware

Updated: Nov 29, 2021

Welcome back, my aspiring cyber warriors!


Reverse engineering is one of the most highly sought and most valuable cybersecurity/infosec skills. Few people have developed their skill levels to be proficient in this highly sought after skill. Ghidra is a relatively new and free reverse engineering tool from the US spy agency, NSA.


In this tutorial, we will examine one of the most notorious pieces of

malware in the history of

ransomware, WannaCry. It infected over 300,000 computers

worldwide and could have created havoc but for the work and skills of one individual, Marcus Hutchens aka MalwareTech. Marcus Hutchens got a copy of this malware and immediately began to examine its code. In it, he found what has often been referred to as the "killswitch". In reality, what he found was URL that was to be used for command and control (C&C) of this ransomware. When he realized that the URL had not yet been registered, he did so. By doing that, he denied the ransomware authors access to control of their malware thereby saving the Internet!


Here, we will be looking at the initial infection vector of the malware looking for the URL and trying to understand how it initiates its malicious activity.


Before starting this tutorial, I recommend you read;




In addition, you would be well served to read;




Step #1: Prepare Your Environment and Install Ghidra


For this tutorial, I recommend you use a VM with Kali or other operating system. This is to make certain that you don't accidentally release WannaCcy into your other systems or network (this is generally a good practice when working with malware). Next, download WannaCry. There are numerous places you can acquire it from such as VirusTotal.


Make certain you are in the Ghidra directory and start Ghidra.


kali > sudo ./ghidraRun


When Ghidra starts, Open a project by clicking on File > New Project.


Then drag and drop the WannaCry ransomware file to the dragon or go to File -> Import File.


Once the file is imported you will see a screen like below with all details of the file.


Next, you will be greeted with a screen detailing options for analysis. Leave all the defaults checked and add Decompiler Parameter ID (this creates parameters and local variables for a Function. It can add considerable time to this analysis for large files but for WannaCry this should not cause any issues).

As Ghidra analyzes WannaCry, you will likely receive the following error message. Don't worry, simply click OK.


Now you should have the following user interface of Ghidra with the data from WannaCry.


Step #2: Find the Main() Function


The next step is to look for the function that starts WannaCry this malware. As noted when we loaded the malware into Ghidra, WannaCry is a Portable Executable (PE). Every Windows program has an entry point and this is usually named WinMain or wWinMain. See the documentation from Microsoft below.


When we go to the Symbol Tree and expand the Functions folder, we do not see a WinMain or wWinMain function but we do see an entry function. This may serve the same purpose as WinMain(). Lets examine it.


Double click on it and it will appear in both the Listing window and the Decompile window.


Step #3: Finding the "killswitch"


Now, scan down the Decompile window, there we can see that this function calls another function FUN_00408140. Double click on it to analyze it.

Almost immediately, you should see what appears to be a URL in the Listing window and in the Decompile window.


It appears to be placing the URL into a variable named puVar3.


Scanning a bit further down the decompiler, we can see a reference to InternetOpenUrlA function.




We can search through Microsoft Technet and see that InternetOpenUrlA function does just as you might expect, it calls and opens the URL specified.




Just below the InternetOpenUrlA, we see a few lines using the InternetCloseHandle. These specify that if iVar2 is 0 , then close the handle and run FUN_00408090, else close the handle and terminate the program.


This is what Marcus Hutchins noticed when he first examined and analyzed WannaCry. This is the URL of the command and control (C&C) URL. If the program tries to reach the URL and it returns a 0, the program automatically terminates. If it does not terminate, it executes FUN_00408140. Let's follow FUN_00408140.


Step #4: Go with the Flow


In the next step, let's follow the flow from FUN_00408140. Go to the Window tab at the top of Ghidra and click Function Graph.

As you can see above, Ghidra provides us a easy to read graph of the flow from this Function, both upstream and downstream. You can see that the entry function is upstream from FUN 00408140 and downstream from it is InternetOpenA, InternetOpenUrlA, InternetCloseHandle and FUN_00408090


Go back to the Decompile Window and let's double click on FUN_00408090 to try to determine what it does.




The Decompile window should look like the following.



Note that the decompiler shows that the malware attempts OpenServiceA. This includes an argument to open mssecsv2.0_004312fc. This appears to open a Microsoft Security Service. Now that's interesting...


When we search Microsoft's Technet, we find that NO such service exists. The malware is starting a new service that appears to be a legitimate Microsoft Security Service to obscure its true nature.


Summary


Wannacry ransomware had the potential to push a crushing blow to the Internet in 2017. It used the recently released EternalBlue exploit to gain entry to computer systems and then encrypt all their data until they paid a ransom. Apparently, developed by North Korea in a haste to release it before Windows systems were patched, they failed to obscure or obfuscate the malware and most importantly, failed to register the command and control domain. Thanks to Marcus Hutchins, its impact was mitigated by his detection of the "kill switch" and disarming this potentially debilitating ransomware.


Now that you have the skills to do the same, maybe you will be next person to save the Internet?

Recent Posts

See All

2 Comments


astriddavina54
astriddavina54
Jan 03, 2023

Do you suspect your spouse of cheating, are you being overly paranoid or seeing signs of infidelity…Then he sure is cheating: I was in that exact same position when I met Henry through my best friend James who helped me hack into my boyfriend’s phone, it was like a miracle when he helped me clone my boyfriend’s phone and I got first-hand information from his phone. Now I get all his incoming and outgoing text messages, emails, call logs, web browsing history, photos and videos, instant messengers(facebook, whatsapp, bbm, IG etc) , GPS locations, phone taps to get live transmissions on all phone conversations. if you need help contact his gmail on , Henryclarkethicalhacker@gmail.com, and you can also , whatsap…


Like

Hey everyone , I don’t really know much about this hacking things but I can direct you to a professional hacking company who helped me to track and hack my boyfriend’s iPhone and his Facebook respectively.. If you need to check on your partner’s sincerity, employee’s honesty, recover your email passwords, Social networks (i.e Facebook, Twitter, IG), change your school grades, clear your criminal records, gain access to bank accounts,spy on phone. you can just contact them at … Their charges are minimal and negotiable contact them at Henryclarkethicalhacker @ gmail, com]..tell him you are from me or text him or whatsapp +1 8 1 3 4 2 1 1 3 2 6…. You can thank me later.


Like
bottom of page