« Back to Blog

Threat Spotlight: WannaCry EternalBlue Ransomware

By Cylance Threat Guidance Team

Introduction

Many people have felt the global impact of WannaCry - from late nights to a heightened sense of awareness, WannaCry has put many people on edge. Unfortunately, WannaCry will not be the last outbreak as assuredly as it wasn’t the first. Complex software systems will always have bugs. However, the knowledge, skill, and time needed to ferret those bugs out and develop them into exploits has increased significantly. With WannaCry, we’ve witnessed what can happen if those weaponized exploits are not safeguarded and handled like the dangerous weapons they are.

We are continuing to track the WannaCry ransomware plague and determine what can be learned from this global crisis. The folks at EndGame did an amazing job of breaking down the WannaCry ransomware worm. If you want a play-by-play analysis of the wormable variation, we highly recommend you dig into their post (after you’re done reading this, of course).

As a team, we’ve primarily been tracking coverage of WannaCry to ensure new variants are covered by our product. As a result, we’ve been slogging through a surprisingly large number of variations.

Here’s what we have discovered.

Primary Malicious Components

First, a quick overview of the WannaCry worm for those unfamiliar with the inner workings of this ransomware:

Worm (a.k.a. mssecsvc.exe)

The worm is the first-stage dropper and is responsible for the worming behavior of this ransomware. It is 3.6MB (3723264 bytes) in size, and contains the URL "kill-switch" along with the SMB exploit for MS17-10. It contains the second-stage dropper in the clear as a resource named 'R', Since the dropper is in the clear and not otherwise compressed or obfuscated, string-based detections made for the dropper will always hit on the worm too, unless other conditions are added to those rules.

The propagation works by randomly generating IP addresses and trying to connect and then exploit the remote system. We’ll go into detail later about how the exploit payload is created, but the key thing to know is that the payload is generated in memory and delivered over the network to the exploited process’s memory. Once code execution is passed to the payload, its sole purpose is to drop a copy of the worm to disk and execute it.

This is where most antivirus (AV) vendors, including Cylance®, will have an opportunity to prevent WannaCry. Unless, of course, the vendor hooks functions in kernel processes, which is a risky proposition and can even increase the attack surface.

If you want to know how we do against WannaCry, check out our video and our companion Cylance Vs. WannaCry piece (SPOILER: we do awesome).

VIDEO: Cylance vs. WannaCry/ WanaCrypt0r/EternalBlue Ransomware Worm

Dropper (a.k.a. tasksche.exe)

The dropper is the second-stage dropper. The file is 3.4MB (3514368 bytes) in size, with no kill-switch or spreading mechanism. It’s configured to run as a service by the worm or it can run on its own. It contains a password-protected archive in the resource section of the file that is typically named XIA.

Decryptor (a.k.a. @WanaDecryptor@)

The decryptor presents a graphical user interface to the end-user and demands payment. While not malicious, it may present a scary-looking dialog if double-clicked in isolation. This file is harmless without the other components of WannaCry, namely the language files and Tor client, and most importantly, the ransomware.

Ransomware (a.k.a. t.wnry)

Finally, the ransomware. This component presents itself as an encrypted blob while on disk. The ransomware can’t do any harm while in this state and must be loaded and decrypted by the dropper.

In-The-Wild Variants

If you’re following the WannaCry saga on social media, you might notice the confusion around new variants. As noted by the press early in the outbreak, the worm had a built-in kill switch that attempted a connection to a hardcoded domain. If it succeeded, the malware exited.

Naturally, all one needed to do was to modify this hardcoded string to start things up again and produce a new variant. So, researchers have been watching for new variants like hawks. However, by the end of the day on the Monday following the outbreak, no new significant outbreaks occurred. Security researcher Matt Suiche is registering new domains as they are discovered, but only two new domains appeared over the weekend and into Monday.

So, about those variants… we have roughly 53 worms, 44 droppers and 21 ransomwares at the time of this writing, all unique by hash. What’s going on? These are not true variants in the sense that they provide new functionality or changes to the way the malware works. In fact, the only variable portion of the worms and droppers is the resource section.

As noted last Friday by security researcher Zammis Clark, the malware constructs a DLL payload in memory using embedded x86 and x64 DLLs. That write-up mentions how the original worm is appended to the DLL, then highlights the area of the code in the DLL that extracts and runs the worm.

However, the extraction routine was not discussed in depth. Could there be something creating variability? Using this sample on VirusTotal as an example, we can inspect the payload creation code and discover the size (same as Clark’s analysis) and location of the DLL (Figure 1).

Figure 1. Payload Creation Routine in Worm

We can jump to the virtual offset in the file and IDA will helpfully show us the physical offset we need (Figure 2, note the red box). From there, it is a simple matter of carving out the file using any tool you prefer. 

I used Python to do something like this:

with (‘worm.exe’,’rb’) as file_handle1:

               with (‘embedded_dll.bin’,’wb’) as file_handle2:

                              file_handle2.write(file_handle1.read()[0xb020 : 0xb020+0x4060])

Figure 2. Exact Location of Embedded x86 DLL

Once extracted, we can have a look at the layout of the DLL. The resource section in the DLL indicates a much larger size than the physical size of the file (Figure 3). All the functional, non-corrupted worms we’ve seen are 3.6MB in size, so this provides plenty of headroom to append the binary.

Figure 3. Sections of Embedded x86 Payload (Note .rsrc Size of Raw Data)

However, creating the payload in this way would look weird on disk and present some anomalies from executable inspection tools. If the resource was extracted using the size of the resource returned by SizeOfResource, then, at best, you would get junk data from wherever the DLL resides in memory, and you’d probably more likely get an access violation. Remember, this DLL + payload will run inside kernel space on the exploited system. That kind of mistake could lead to a blue screen.

Alas, we are not so lucky. The malware author did their homework and prepended the file size of the worm to the payload. This allows the extraction DLL to read this value and exactly write the correct number of bytes when it runs on a remotely infected system (Figure 4). There appears to be no bug or flaw in this code that would lead to a variation in the worm.

Figure 4. Size Checks and Proper Extraction of Worm Payload

As noted by many researchers, it would be trivial to update the worm’s resource section with any payload you wanted. There is some structure there, but essentially what you have is an embedded executable. The worm indiscriminately extracts the payload and executes it. So! Maybe some bad actors have been creating new worms with different payloads.

Actually, in all the droppers we know about, the .text, .rdata, and .data sections are identical. Meaning, again, the only significant difference is in the resource section, which is different for each unique hash we have.

The resource section for the dropper is an encrypted ZIP archive. The dropper has very set expectations for the contents of this archive, so while it might be possible to repackage the file with updated contents, the name and type of each item would need to stay consistent. Again, the EndGame post provides a great overview of the role for each file.

One component, namely the decryptor, does present some variability in the .text (code) section, which means the binary may have slightly different code flow. Also, there is duplication in the other sections as well, resulting in unique hashes for the decryptor. Ultimately, the changes in the decryptor cascade to create variability in the dropper and the worm. The other components in the embedded archive have remained fairly consistent.

Conclusion

We wanted to get a clearer picture on the hash variance we were finding in the wild. Although there is plenty of opportunity and places to modify the wormable variant of WannaCrypt, we do not see any attempts to replace the payload of the worm or modify the functionality significantly. The repackaged ransomware appears primarily designed to introduce variability into the wild and prevent simple hash blacklists from slowing the spread.

Check out our video, where we show Wannacry in three scenarios:

1) On an unprotected single machine
2) On a single machine protected by CylancePROTECT®
3) Multiple victim machines with Cylance stopping further communication

If you use our endpoint protection product, CylancePROTECT, you were already protected from this attack and all variants. If you don't have CylancePROTECT, contact us to learn how our AI-driven solution can predict and prevent unknown and emerging threats.

Indicators of Compromise (IOCs)

Worm:

0DB91FF8822F1623FE36D712B5F56D339DC21008F1ECC617A5DE2F522039C5B3
11011A590796F6C52B046262F2F60694310FA71441363D9116ADA7248E58509A
11D0F63C06263F50B972287B4BBD1ABE0089BC993F73D75768B6B41E3D6F6D49
1214E010178A1BDAB5CE0EE9FE1BD2EF425F1A315798AFA1390A98F8E3857898
14F124F2DFF97CA2D0FA8C53F1225C5307B50B43B4A401D2A708B0C1C12584DC
16493ECC4C4BC5746ACBE96BD8AF001F733114070D694DB76EA7B5A0DE7AD0AB
1B974D46CDE9F6E837EC369120DD2727EB774CA58FA8D552B9BAEB2C41FC0CDC
1D55E742356C5318E59FF68111F0B6468FC75DAAD48D3CF9C277D8123B5BAAC3
1F14937CCB88737F786A247FC91EA99338F8F99A42852D8FBC3FDCE4D7B5CE75
22CCDF145E5792A22AD6349ABA37D960DB77AF7E0B6CAE826D228B8246705092
24D004A104D4D54034DBCFFC2A4B19A11F39008A575AA614EA04703480B1022C
2C53CB08978C62CEBCB561CBC7EDF59592544C13CF60CC0EF317F94A9F48E1A2
31C2024D0DF684A968115E4C3FC5703EF0EA2DE1B69ECE581589E86BA084568A
3351C7E77D06B512CEDB8FBBF91C197BFF95479A346DE858699726B0FE6FB3F5
3463EA99389EF4836CFE0565539EE80C4C3A8159930C408F86147A59632D593A
38C6EFB48B32A3F22CC4C307E9043D59AEDB0E008300663F83803819E5F260B3
3BDB6C85D9B8D3024F47112C18BBB8E653F7624893E27AF8E0E226ACC92CC634
4186675CB6706F9D51167FB0F14CD3F8FCFB0065093F62B10A15F7D9A6C8D982
470DFC18E05C01EBD66FB8B320FF7E6E76D8017FEB530FB23B981982C737B490
4AC6310FBD64135AE28CFBD2A06B0370AABE7B7C11AD7213532236B53A554330
4E5E41E90191707C18C4DB385871EBC6C143663968E68994E65FD238025BCF33
55640108459B93E85C66C1F099B5E3DF145DA8700B0573FC7619B921D2CDE4A8
55E1F8362676A8F79C3AF8D1605F330D58443D0509888703F37EDFB77A5AEC28
565C4E1F84996C1CBF1DEC1AA301BCDA0CDCB1DF3A7C531CB574A0D35B17D706
5A7C7F50D61C3C3DE0CE6970F8B244186BF34BEF7ED193EB33005F3D66FE2545
5AD4EFD90DCDE01D26CC6F32F7CE3CE0B4D4951D4B94A19AA097341AFF2ACAEC
5DEE2AC983640D656F9C0EF2878EE34CDA5E82A52D3703F84278AC372877346D
67DB4C0C444758BD5DEBBB3AAD18E3CFCD3F04D51E9EAE8C633C0A6174E8D27C
6A1DA955B2EB6BE429B2E3B4B515436F5F76FD62802D4E2AA79DC63770D80BE0
6BF1839A7E72A92A2BB18FBEDF1873E4892B00EA4B122E48AE80FAC5048DB1A7
7BB9EA2C0F53FA96883C54FA4B107764A6319F6026E4574C9FEEC2CB7D9E7D21
942BD43D9E3FBCE9B110964B3B4AF284B62DA86B278B8145D97C455EE10A355C
99EF8C1BB5B4060958E6DB5B092DDD167E307A7CF34D366AFABDB5CEB1A9035D
9B60C622546DC45CCA64DF935B71C26DCF4886D6FA811944DBC4E23DB9335640
A02748C3078A897CFF8C4C66292662712D62E39B580465251BCA6851AB6931A3
AA62AFCBEC704531CE9707F5B076F611ABD365844C3E0A4A81F8C06739D6BB52
AC7F0FB9A7BB68640612567153A157E91D457095EADFD2A76D27A7F65C53BA82
B3C39AEB14425F137B5BD0FD7654F1D6A45C0E8518EF7E209AD63D8DC6D0BAC7
B47E281BFBEEB0758F8C625BED5C5A0D27EE8E0065CEEADD76B0010D226206F0
B4D607FAE7D9745F9CED081A92A2DCF96F2D0C72389A66E20059E021F0B58618
B66DB13D17AE8BCAF586180E3DCD1E2E0A084B6BC987AC829BBFF18C3BE7F8B4
BF446589A7208B81B436A0C0FE7E54C6E2994A80B07097BFEF6091AF3A4FE710
C354A9A0BBB975C15E884916DCE251807AAE788E68725B512A95F7B580828C64
CCE675D3970408C16A6E4FD559AAAC69C30A296CC55445835594A958FE5D831C
DF039CAF180D9C7BEFC8C4B47885231721005C02344824153C65E694BF17D7B8
E14F1A655D54254D06D51CD23A2FA57B6FFDF371CF6B828EE483B1B1D6D21079
E8450DD6F908B23C9CBD6011FE3D940B24C0420A208D6924E2D920F92C894A96
E9D1D718F760CE40F8C1D36F99ABBA247D8B4BCB12D6960B5E60997C896CDA19
EE52964B832E1A44B92A4F0E6CDE2E876D70131640856B120C0379FF8CC431AA
F0EB62D9726857DF9CCB8DC63187B6965D5AF28B9AD1DBD34891B72BF3FD4E38
F4918E6E0DD52A8636D1DCE97426C2FDA9EC0FF6B3CF898F36789B9B15AB5F01
F8812F1DEB8001F3B7672B6FC85640ECB123BC2304B563728E6235CCBE782D85
475B26964A4F222993BA13338EC9805A2D52506B42D5A8AAC9D4E409360B981A

Dropper:

01B628FA60560C0CB4A332818CB380A65D0616D19976C084E0C3EAA433288B88
09A46B3E1BE080745A6D8D88D6B5BD351B1C7586AE0DC94D0C238EE36421CAFA
0CAA1566E439C01D88C953382B26F9D2F7F279594EBE986C06E7781A71CF9D74
149601E15002F78866AB73033EB8577F11BD489A4CEA87B10C52A70FDF78D9FF
190D9C3E071A38CB26211BFFFEB6C4BB88BD74C6BF99DB9BB1F084C6A7E1DF4E
2134DD25D73096E4C0C88FD2496C1774B8F4D3A9D576B9060318D78CF31FEB69
2584E1521065E45EC3C17767C065429038FC6291C091097EA8B22C8A502C41DD
290F06EB156695165317A4B7F9668BE7AE18CF8322E4FC2AEEB0AF3DD6BC0801
29611B3B709C2FAAB693D1D6CB2D104F48F4EF0DFEE9D3E0D82E61673902934D
2A5F6043855A9BD09C9D765C438A33EFD0FBCA3C9199A68E73103EB3685A722C
2CEA9032615DF2E36A25BDC95542C2865A009589C8BD8BC612D903A268BE37B9
3857448D484E1257DC9F19E940B3422C5C8DDAC3FF759FA568087C6C5B4303F4
498B8B889BB1F02A377A6A8F0E39F9DB4E70CCCAD820C6E5BC5652E989AE6204
4C69F22DFD92B54FBC27F27948AF15958ADFBC607D68D6ED0FACA394C424CCEE
4E452D88EADD0CA11539D18BBF7A0EF243DC06C6DF230F5DBB7310DC00EC62E3
5366D1A9A5C277E382AD745E01909EFFA777731E448354389AB706E17A8A7577
55454390F7BE33AB5C11B5E0683800DD9A892CE136F1962B0989526FFF5592D5
593BBCC8F34047DA9960B8456094C0EAF69CAAF16F1626B813484207DF8BD8AF
5B4322EC672FDFEB292941057125D00AFCF1A904E31F9EC0FB9E650177DBA500
5E4E5966D893C1BA3FF427C893D6DDD635A117878DE265787EE96ABFE3E728F4
5F2B33DEEE53390913FD5FB3979685A3DB2A7A1EE872D47EFC4F8F7D9438341F
6843B32928FA10365C31A71BF7786F5576E731CC395576B23AF71EA26FDBA75F
7A515968C18102F5FA2D66573E94DC0D18745D9C5ABD5781D80BEC9B47960295
7C465EA7BCCCF4F94147ADD808F24629644BE11C0BA4823F16E8C19E0090F0FF
7E369022DA51937781B3EFE6C57F824F05CF43CBD66B4A24367A19488D2939E4
8C6C481E18B96EB4BCAE87CDD3AA104757CB1A19740BC145D73D653C34274C81
940DEC2039C7FCA4A08D08601971836916C6AD5193BE07A88506BA58E06D4B4D
9FB39F162C1E1EB55FBF38E670D5E329D84542D3DFCDC341A99F5D07C4B50977
A1D23DB1F1E3CC2C4AA02F33FEC96346D9D5D5039FFC2ED4A3C65C34B79C5D93
A74783BB813B2E053013A8AC9AFDC89D250C2C086BBE9F793BEC6B64BB95C9F4
BD7824D2D96ACA1F4260C92E6888C93EF6A64BD8F98D5A0EF0BBE217F0A3B9FA
C1F929AFA37253D28074E8FDAF62F0E3447CA3ED9B51203F676C1244B5B86955
C365DDAA345CFCAFF3D629505572A484CFF5221933D68E4A52130B8BB7BADAF9
C38EEA1588B8BFFE4E19A8AF09BFE17281E6E6AFC7E2FBBECEF3AF96DF9A347A
C8C2131E1D22BFF3EF6342254A43D658A3C5FC8081C4FFB7D9B0CED78B7892F1
D8A9879A99AC7B12E63E6BCAE7F965FBF1B63D892A8649AB1D6B08CE711F7127
E0EC1AD116D44030AD9EF5B51F18FF6160A227A46FFCF64693335C7FB946FAD6
E2D1E34C79295E1163481B3683633D031CAB9E086B9AE2AC5E30B08DEF1B0B47
E5C117233E22D08A547C278AE7027815E22C196A083679126AB9646C781ACB6C
ED01EBFBC9EB5BBEA545AF4D01BF5F1071661840480439C6E5BABE8E080E41AA
EF01BCC893DD06EF87C408DD5746FED32B104A9B62DC33657CC1DFA2033E1E8F
F5CBFF5C100866DD744DCBB68EE65E711F86C257DFCC41790A8F63759220881E
FF8C6A2BD919496AE639347611681259C60A21762F3411DA230998E443AA90CF
FF8FCDC4CAE2C9ED5207E53BB5BF1D97EEF8147977D2BDDFE8F55BE91410F32C

Decryptor:

B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
0C2D3094CE5F7B2D5AA1788503E37B8DB2E550D10A87650E6A0C4DCCA2AF8FF6
0F3EBD728DA6F28A5E8A6665EAEEF475E77D76F626233CD7CA0D79BCB9CC9578
0FF3CA7110A6E2E3E9AC9F6A419BC8F4AF43E79089D6F47E3868CD3CE86540D7
11FD66B4E1090C9AF7EA59DAF7F62FA6AE3090C10042AA0826EACB3E226636AD
39E4284F74BA4F057048ACEF80E7DBACE207B77F8F1D9BC11C89804C9775A6F0
3DCBB0C3EDE91F8F2E9EFB0680FE0D479FF9B9CD94906A86DEC415F760C163E1
4B76E54DE0243274F97430B26624C44694FBDE3289ED81A160E0754AB9F56F32
57C12D8573D2F3883A8A0BA14E3EEC02AC1C61DEE6B675B6C0D16E221C3777F4
5D8123DB7094540954061AB1FBC56EEDCD9E01110B62D0F54206E3E75A39776A
71DEACE25A88A120229B93E133AD54726044CB888A2858A441BF6913CAD6D668
78E3F87F31688355C0F398317B2D87D803BD87EE3656C5A7C80F0561EC8606DF
940A406FD97315C61A0333B41A3F8F69E057F683C33F99BF448DCCFC0B5781F2
9AE39945353BCD8DCB4DEF3DF1F975C39FFD37B8659239DA92291D5DF68D60A1
9CC32C94CE7DC6E48F86704625B6CDC0FDA0D2CD7AD769E4D0BB1776903E5A13
B9C5D4339809E0AD9A00D4D3DD26FDF44A32819A54ABF846BB9B560D81391C25
BC8136B40B4164AFCBCB4E14F6FD54CA02275FF75B674EB6FD0A8F436F9B1181
CA29DE1DC8817868C93E54B09F557FE14E40083C0955294DF5BD91F52BA469C8
DE1FB3F687161900F15243C0912A40BACF4DF938A718C75A73F80FFC3BF3A2D3
E7A39735EE8777473C7405A70F470A0E00D6266D3126D3AF59660E6A78DAB2CF
EEB9CD6A1C4B3949B2FF3134A77D6736B35977F951B9C7C911483B5CAEB1C1FB

Tags: