Lab: Malware Analysis

By Drs. Anthony Vance and Dave Eargle

This lab uses the following VMs:
  • Windows

Overview

In this lab, you will examine and run live malware called WannaCry.

Take a look at the reading assigned for the malware topic. It provides library-access to the first introductory chapter of “Practical Malware Analysis – The Hands-On Guide to Dissecting Malicious Software” by Michael Sikorski and Andrew Honig. The book is accessible for beginners, and is also a handy reference for more advanced analysts.

Analyze the Malware

In this lab, you’ll examine the malware WannaCry. This program made international headlines last summer when it wreaked havoc across the world before being disabled by malware analyst Marcus Hutchins, aka MalwareTech.

WannaCry is ransomware that encrypts the victim’s files and demands ransom in order to decrypt. But due to a programming error, WannaCry does not decrypt victim’s files even after the ransom is paid.

Safety considerations

It is possible for WannaCry to “escape” a virtual machine and spread to other networks if two conditions are met:

  1. The virtual machine has a network adapter that gives it access to other machines on a network
  2. The other machines on that network are not patched against WannaCry’s spreading mechanism.

For this lab, you will examine WannaCry within the Windows VM running inside your Kali Linux virtual machine that is not susceptible to WannaCry. Therefore, your personal laptop will not be at risk of being encrypted by WannaCry as long as you don’t download WannaCry to your personal laptop.

Important: Do not copy WannaCry from the Windows VM to your personal computer.

For #2 – This version of WannaCry uses the EternalBlue exploit to spread. Eternal Blue was developed by the NSA, and stolen and leaked by the Shadow Brokers, and subsequently picked up by North Korean agents and used in WannaCry. Microsoft issued a patch for EternalBlue in March 2017.

Heads up! Make sure that you have taken a snapshot of your Windows VM before proceeding. Having one will let you undo the messed-up state after you run the malware. See here for how to create and use snapshots with virt-manager.

Preliminary Analysis

  1. From your Windows VM within Kali, download the worm + loader executable from here (look for the 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe.zip link).

  2. Extract the malware by right-clicking the folder, choosing Extract all..., and entering the password infected. This will create a new folder called “24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe.zip”, inside of which is a 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe file. Do not run this file yet!

    This is the dropper and spreader only. Technically, it performs no encryption.

    A dropper “is a special type of [malware]. Droppers carry payload to the victim system within itself. Payload is frequently compressed and encrypted or obfuscated. Once executed, a dropper extracts the payload from [itself] and installs it on a victim system (i.e., drops it on the system–which explains the term used for this type of infector). Unlike droppers, downloaders – another type of infector–doesn’t carry payload within itself but rather downloads it from a remote server” (Rootkits and Bootkits, Matrosov et al. 2019; p. 13). In the case of Wannacry, it has stashed inside of it the Wannacry encryptor. Its job is to drop the encryptor on a host, and run it.

    A spreader is malware component that spreads the malware to other computers on a network. In the case of Wannacry, it scans the network and infects as many other machines as it can. The dropper and spreader are the same file.

  3. Navigate to the extracted 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe folder (not the zipped one), and open a cmd prompt in that path by holding down the shift key + right-clicking, then selecting “Open PowerShell window here.”

  4. Hash the exe using the commands, all on one line (Use tab-completion!):

    SHA-256:

    get-hash ./24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe

    MD5:

    get-hash -algorithm MD5 ./24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe

  5. Google the hashes to see what comes up. (You can copy them to the clipboard from a cmd prompt by highlighting them and then right-clicking the highlighted text.)
  6. Go to VirusTotal.com and either search for the hash, or upload the .exe file. If you do the latter, click the “View last analysis” button. Both approaches should return the same results.

    VirusTotal.com can run files and URLs through a barrage of antivirus programs to detect malicious files. This can be much more effective than checking a file against only one or two detection programs. However, people who create viruses also use this site to see whether their malicious code flags, and tweak the code until it comes up clean. It is not uncommon for a piece of malware to only turn up a few hits in VirusTotal.

    Question: What does Ad-Aware report this hash to be?
  7. Browse to the website hybrid-analysis.com, and click on “Select file,” and upload the WannaCry worm file (the .exe) – or search for its hash. Hybrid-analysis will check the hash of the file against previously analyzed files.

    Select any of the reports that are not for a quickscan environment.

    Note the wide range of information that these respots provide about the executable. Examine the IP address and domain that this malware attempt to access – see the “Network Analysis” section (accessible via the menu on the right-hand side), and then the “Contacted Hosts” section. Keep this IP address in mind.

    Question: What IP address does the spreader attempt to access?

Now we will manually perform some of the analyses that hybrid-analysis performs, in order to get a hands-on feel for the work involved.

Static Analysis

Static Analysis is usually the first step in malware analysis. It involves gathering as much information as possible from a potential malware file and determining its functionality, purpose, and identifying traits to the greatest degree possible. Static analysis does not involve running the malware file, and thus is less risky than dynamic analysis. However, caution must be used here (and in all stages of analysis), as certain analysis tools may execute the malware without warning.

Using the Strings Program

As its name implies, strings is a command-line tool that will parse through a file and pull out any character strings in either ASCII or Unicode. The result of running this tool can tell you many things about potential malware:

  • Error messages can give telling information about the functionality of a program.
  • IP addresses that the program will call to.
  • Windows built-in library function files (DLLs) that the program will try to access.

In this lab, we will use several tools from a set of tools developed in 1996 which still rocks called sysinternals.

  • Download strings from here and extract the downloaded zip file.
  • Copy-paste strings.exe into the C:\bin directory. (Create this directory if it does not exist.)
  • For convenience, add the C:\bin directory to your cmd path which will let you run the commands in that directory without having to reference the entire path to their location. Run the following from a Powershell terminal (Windows searchbar > “powershell”):

    [Environment]::SetEnvironmentVariable("Path", $env:Path + ";C:\bin", [EnvironmentVariableTarget]::User)
    
  • Now run the strings program to see a list of options and commands. From a new cmd prompt opened after adding c:\bin to the path, confirm that you can run strings:

    strings
    

    Look at its options.

  • From a cmd prompt in the directory where 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe is located, run the following:

    strings -n 12 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe > output.txt
    

    Then, open output.txt with notepad:

    notepad output.txt        
    

    The “-n” option means “minimum string length.”

    You may recognize this strings output from the hybrid-analysis report.

    Use tab-completion to fill out that filename, for crying out loud. Do not copy-paste. If you keep copy-pasting, I will turn all code-snippets on my site into screenshots to spite you.

    Also, a convenient shortcut to opening a Windows shell in a certain directory is to use Windows Explorer (the graphical file explorer thing) to navigate to where you want to go, then right-click in the white area in that directory listing, and choose “Open PowerShell window here”. PowerShell can do everything a cmd prompt can do, and more.

    Search through output.txt (ctrl+f) for a http:// url. This url is the “killswitch” domain which, when registered, blocked the wannacry spreader from doing its thing. See the comic on this page to understand in four simple comic panels the likely facepalm reason why that functionality is even in the spreader in the first place.

    Question: What is the killswitch domain for this worm?

Resource Hacker

Resource Hacker is another useful tool that can often pull information from a malware sample without executing the malware. Windows application development tools will set values in this section, but developers can override and set whatever information they want, if they so desire. Regardless, examining the values can sometimes give hints about and insight into the malware.

  1. Download “Resource Hacker” from here, and install it. Open “Resource Hacker” by searching for it from the Windows search bar.
  2. Load the wannacry worm into resource hacker.
  3. Navigate through the folder tree structure to see information about the malware.

    1. Examine the “Version Info” node, and look at the “FileVersion”. This can be helpful to track to note versions of malware that may be floating around.

      Question: What FileVersion does this malware claim to be?

      And look at the CompanyName, FileDescription, and LegalCopyright.

      Question: What is the name of the company that this malware claims is its author?
    2. Applications can embed applications within their resource section, which is accessible via the navbar on the left under the R tree. The loader stores the wannacry encryptor here. When the loader runs, if the killswitch is not triggered, it will extract the embedded resource payload, install it, and run it. Let’s extract it manually and play with it, eh?

      1. Expand the “R” node and right-click the star range. Choose Save Resources to a BIN file (a BIN file is another name for a .exe in Windows). Save it where you like. This is the wannacry encryptor. If you run this, say goodbye to your vm files. Rename it to be wannacry.exe for your convenience, if you feel like it.

Strings again, this time on the wannacry encryptor

  1. From a cmd prompt in the directory where your newly extracted wannacry.exe is located, run the following:

    strings -n 12 wannacry.exe > output.txt
    notepad output.txt
    

    Read through the output.txt file and look for sensical strings. Some malware can use “packing” tricks to make it harder for malware analysts to perform static analysis (read more about it here). “Packing” is a form of compressing that is sometimes also combined with encryption. If this malware were “packed”, strings would find no sensical text inside. If it is not packed, you will see English words which are names of Windows functions or custom that the malware may call internally.

    Question: Is this malware likely "packed", or is it "unpacked"?
    Consider. If you did not know what this malware did, what would seeing calls in the strings output to Windows functions such as "CryptDecrypt", "CryptEncrypt", "CryptDestroyKey", and "CryptImportKey" tell you? Dadgum right, got ransomware on our dadgum hands.

Analyzing DLLs with Dependency Walker

A few Dynamic Linked Library (dll – the Windows function library calls) appeared when we ran the Strings program above. We can use another program, Dependency Walker, to obtain more information about those dlls and their use by the malware. Dynamic linking is an area that gives a great deal of insight into how a program functions, and it is of particular importance to malware analysis.

  1. Download Dependency Walker from http://www.dependencywalker.com/. Extract the zip file contents, and run depends.exe. When the program loads, use the “open” button on the top-left and load wanncry.exe.

  2. There’s a lot of information here, so let’s step through it.

    • The top-left pane shows all of the DLL files that are called by the WannaCry program.
    • The top-right pane shows the functions that are called by the selected DLL.
    • The right-middle pane shows all possible functions that could be called by the selected DLL, along with their ordinal values; a function can either be called by its name or by the ordinal value, so if you see an ordinal value called you can use this list to check its functionality. Calling functions by ordinal allows a program to call the function without ever using its name in the code. It can be a useful obfuscation technique.
    • The bottom two panes show additional information.

    Spend some time looking through the different DLLs.

    Question: Under ADVAPI32.DLL, find BCRYPT.DLL. What is function for ordinal value 37, i.e., the 37th function from the top?
    Bcrypt.dll is a family of functions, documented and listed [here](https://docs.microsoft.com/en-us/windows/desktop/api/bcrypt/). Bcrypt.dll is not the same as the blowcrypt family of algorithms that we studied earlier in the semester. bcrypt.dll lamely refers to "bestcrypt", aka "Cryptography: Next Generation (CNG)" (see here). It is the built-in Windows way to perform encryption. And yes, that means that Wannacry is lamely using Windows functions, instead of making their own functions, to encrypt.

Dynamic Analysis of WannaCry

Now we come to the fun part. Dynamic Analysis is used to gather information about a file that could not be gathered during static analysis. Dynamic Analysis is inherently riskier than static analysis, as it involves investigating malware as it runs, or the state of the host machine after the malware has executed. The drawbacks of dynamic analysis are that (1) malware may behave differently in a VM environment if the malware detects that it is in such a setting; (2) malware may behave differently depending on available network and Internet connections, and (3) running malware may potentially expose the host or other hosts on a network to risk, as mentioned previously. But don’t worry about #3, you’ll be fine if you follow these instructions.

Grab some more sysinternals tools:

Process Monitor

You can get basic information from Task Manager in Windows, but Process Monitor allows you to track every action of a given process. Be warned that Process Manager generates a lot of data, all of which it stores in RAM. So, it may quickly fill up the memory of a VM and crash it if left to run for a long time.

No one in their right mind uses Process Monitor without applying some filters. We will apply filters soon to the gigantic pile of data pouring in.

Final reminder! Make sure that you have a snapshot of your nice and un-ransomware'd vm before proceeding!
  1. Launch Process Monitor. From within Process Monitor, launch the Process Tree (Tools > Process Tree).
  2. With Process Monitor running, run the 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe. OH NO, YOU ARE UNDER ATTACK. Or are you?
  3. Stop Process Monitor from collecting (File > Capture Events to toggle). Examine the Process Tree. Note the entry for 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe. Right-click it and Add Process to Include Filter. Back in the main process monitor view, we are now looking at only events associated with our malware worm.
  4. In the icon menu on the top of Process Monitor, deselect all icons in the far-right section except for the third from the right – the one with two computers and who-knows-what-shape on top of them. This will filter to show only network calls. This should at least one TCP Connect operation. This is the loader calling out to the killswitch domain. If the call resolves successfully, then the malware immediately exits without doing anything else.

    Question: What was the value of the "Result" field for the calls to 104.17.41.137?

Disable Network Adapter and run dropper again

The worm won’t killswitch if we don’t have an internet connection! Before we proceed, disable the VM’s network adapters. To do this, from the VM’s “Details” menu, select the NIC, and change the “Link State” to “inactive.” Once you have done so, the Windows toolbar should show a broken ethernet connection icon. This is desirable.

Open Process Monitor again. Do the following from the menu options:

  • Filter > Reset Filter
  • Edit > Clear display
  • File > Capture Events (to enable capturing)
  1. With Process Monitor running, right-click 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c.exe and choose “Run as Administrator.” OH NO, YOU ARE UNDER ATTACK. YES THIS TIME YOU REALLY ARE. TIME TO CRY.

  2. The dropper installed the file stored in its R resource section into the C:\Windows\ directory, naming it tasksche.exe, and then ran it. This is the wannacry encryptor.

    Question: What is the sha256 hash of C:\Windows\tasksche.exe?
  3. Well, what does this encryptor do? It scans through the entire drive for files with interesting file extensions, and it encrypts them, storing an encrypted version of the decryption key in header info in the file itself. The encrypted variants of all of your precious files have a .WNCRY extension.

    strings in tasksche.exe shows that it is looking for files with the following extensions:

    .der .pfx .key .crt .csr .p12 .pem .odt .ott .sxw .stw .uot .3ds .max .3dm .ods .ots .sxc .stc .dif .slk .wb2 .odp .otp .sxd 
    .std .uop .odg .otg .sxm .mml .lay .lay6 .asc .sqlite3 .sqlitedb .sql .accdb .mdb .db .dbf .odb .frm .myd .myi .ibd .mdf .ldf 
    .sln .suo .cs .cpp .pas .asm .js .cmd .bat .ps1 .vbs .vb .pl .dip .dch .sch .brd .jsp .php .asp .rb .java .jar .class .sh .mp3 
    .wav .swf .fla .wmv .mpg .vob .mpeg .asf .avi .mov .mp4 .3gp .mkv .3g2 .flv .wma .mid .m3u .m4u .djvu .svg .ai .psd .nef .tiff 
    .tif .cgm .raw .gif .png .bmp .jpg .jpeg .vcd .iso .backup .zip .rar .7z .gz .tgz .tar .bak .tbk .bz2 .PAQ .ARC .aes .gpg .vmx 
    .vmdk .vdi .sldm .sldx .sti .sxi .602 .hwp .snt .onetoc2 .dwg .pdf .wk1 .wks .123 .rtf .csv .txt .vsdx .vsd .edb .eml .msg .ost 
    .pst .potm .potx .ppam .ppsx .ppsm .pps .pot .pptm .pptx .ppt .xltm .xltx .xlc .xlm .xlt .xlw .xlsb .xlsm .xlsx .xls .dotx .dotm 
    .dot .docm .docb .docx .doc
    

    It then pops up an annoying notification about your ransomed state which will continue to pop up every sixty seconds or so. Best way to deal with that popup is to not “X” it out, but rather, drag it to a corner of your screen, almost out of sight.

    Right-click one of the encrypted files on your desktop, and “Edit in Notepad++” to examine the contents. What used to be plaintext aint so plain anymore, ‘tis it? The first 8 bytes of any file encrypted by wannacry are always the same. This is wannacry’s “magic number” You can see it in notepad++ or in a hex examiner such as HxD (installed on the VM).

    Question: What is the magic number for a wannacry-encrypted file?

Decrypting the WannaCrypted files

Just kidding. You can’t.

Actually, you can with two long-shots.

  1. A decryption tool exists which can extract the prime numbers from memory which were used in the encryption. However, huge caveats: it relies on a Windows encryption implementation bug that only only works for Windows OS versions less than 10, (e.g., XP through 7), and “it relies on current running memory so once you reboot it will be gone and if you’ve done too much on the system since infection, it’s possible the key won’t be found (because it’s been overwritten by data from other applications using the same memory space).”

  2. Also, there’s a chance that if you pay the ransom, you will get a response… but, “Those who do shouldn’t expect a quick response – or any response at all. Even after payment, the ransomware doesn’t automatically release your computer and decrypt your files, according to security researchers. Instead, victims have to wait and hope WannaCry’s developers will remotely free the hostage computer over the internet. It’s a process that’s entirely manual and contains a serious flaw: The hackers have no way to prove who paid off the ransom.”

Best defense against ransomware? Backups! Do you have one?

Bonus Reading!

In September 2018, the US Justice Department indicted a North Korean agent who participated in the WannaCry and Sony hacks.

Question: What is the name of the indicted agent?

References