welcome to netwrkspider

Monday, May 15, 2017

WannaCry DLL operations

Reversing WannaCry DLL operations.


1) Checks whether the task is already running by attempting to open a mutex named MsWinZonesCacheCounterMutexA.

If it already exists, the app exits.

2) Obtains name of current directory.

3) Reads 780 bytes of information from c.wnry, which it expects in the current directory. This holds
the bitcoin and TOR info.

4) Checks if running as LocalSystem. Sets a flag used later when running @WanaDecryptor@.exe

5) Resolves APIs from advapi32.dll:

  CryptAcquireContextA
  CryptImportKey
  CryptDestroyKey
  CryptEncrypt
  CryptDecrypt
  CryptGenKey

6) Resolves APIs from kernel32.dll:

  CreateFileW
  WriteFile
  ReadFile
  MoveFileW
  MoveFileExW
  DeleteFileW
  CloseHandle

7) Initializes file names:

00000000.res   - C2 communications
00000000.pky   - Public key used by the ransomware to encrypt the generated AES keys that are used to encrypt the user’s files
00000000.eky   - Encryption key for the t.wnry file which stores the actual file encryption component used by the ransomware.
                 It is encrypted using the public key that belongs to a private key embedded inside the ransomware.


8) Creates a mutex named MsWinZonesCacheCounterMutexA and sets its security
ACL to allow EVERYONE full access.


9) Tries to open 00000000.dky. If available, imports the key into a Crypto API object;
presumably this would be the decryption key from the authors of the ransomware.


10) If the *.dky file cannot be opened, generates a new 2048-bit RSA key pair.
The public key is exported as a blob and saved to 00000000.pky.
The private key is exported as a blob and encrypted with the ransomware public key before being saved to 00000000.eky.

The RSA public key used to encrypt the user's RSA key pair is embedded inside the DLL.

unsigned char wc_key1[] =
{
  /* BLOBHEADER: bType = PUBLICKEYBLOB (0x06), bVersion = 2, reserved, aiKeyAlg = CALG_RSA_KEYX (0x0000A400) */
  0x06, 0x02, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00,
  /* RSAPUBKEY: magic "RSA1", bitlen = 0x800 (2048), pubexp = 0x10001 (65537) */
  0x52, 0x53, 0x41, 0x31, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
  /* 256-byte modulus, little-endian */
  0x75, 0x97, 0x4C, 0x3B, 0x84, 0x46, 0xDE, 0x2C, 0x2A, 0xF4,
  0x95, 0xA8, 0x5D, 0xC0, 0xCD, 0x6D, 0xDA, 0xD7, 0xD4, 0x92,
  0x1E, 0x13, 0x82, 0x34, 0x6A, 0x70, 0x8D, 0x8F, 0x7C, 0xF7,
  0x04, 0x92, 0x55, 0x7F, 0xF1, 0xA2, 0x27, 0xB2, 0x9E, 0x41,
  0xAC, 0x90, 0x80, 0x91, 0x18, 0x93, 0xC2, 0xB1, 0x7B, 0xAD,
  0x2B, 0xF3, 0xFF, 0xAF, 0xDB, 0x2B, 0x51, 0xBE, 0x1D, 0xA3,
  0x27, 0xE3, 0xA7, 0x57, 0x08, 0x5A, 0xBE, 0xC1, 0x1D, 0xF6,
  0x04, 0xF8, 0x1C, 0xBE, 0x5B, 0xB1, 0x67, 0xFB, 0xE4, 0xC8,
  0xDA, 0x75, 0x00, 0x70, 0xB1, 0x17, 0x70, 0x24, 0x6C, 0x09,
  0x63, 0x74, 0xAC, 0x4B, 0x0A, 0x1D, 0x71, 0xAE, 0x7F, 0xAE,
  0x65, 0xB8, 0xC5, 0x86, 0x79, 0xC5, 0x7E, 0x9F, 0x98, 0x60,
  0x4C, 0x52, 0xB9, 0x29, 0x62, 0xCB, 0x23, 0x29, 0xED, 0x31,
  0x91, 0x74, 0x7B, 0x7B, 0x0B, 0x26, 0x1B, 0xF2, 0x7D, 0x67,
  0xBF, 0xDA, 0x7A, 0x40, 0xDA, 0xF2, 0x61, 0x4D, 0x94, 0xA5,
  0x7D, 0xAD, 0x59, 0x6B, 0xAD, 0x9E, 0xA3, 0x3A, 0x39, 0xC6,
  0x5B, 0x6E, 0x9F, 0xD2, 0xBB, 0x36, 0xB5, 0xF5, 0xD2, 0x65,
  0xF5, 0x2C, 0x30, 0xD8, 0xC1, 0x17, 0xBD, 0xAF, 0x28, 0x00,
  0x96, 0x20, 0x46, 0xA7, 0x2D, 0x62, 0x03, 0x0C, 0xD7, 0xD0,
  0x75, 0xA0, 0x0B, 0x07, 0xEA, 0xD4, 0x1F, 0xCA, 0xE8, 0xD9,
  0x4E, 0xDB, 0x38, 0xF2, 0x26, 0x75, 0xCB, 0x12, 0xA6, 0x88,
  0x70, 0x9B, 0xE1, 0xEA, 0x32, 0xDC, 0xF8, 0x71, 0x72, 0x50,
  0x41, 0xE6, 0x17, 0x81, 0x68, 0x27, 0x42, 0x8E, 0xDF, 0xE5,
  0xDE, 0xA1, 0x72, 0xD9, 0x3B, 0xFB, 0xE5, 0x9D, 0x30, 0x11,
  0x69, 0x92, 0xCD, 0x60, 0x2B, 0xE2, 0xD5, 0x46, 0x3C, 0x28,
  0xCF, 0x9D, 0x30, 0x4A, 0xF7, 0xAD, 0xB9, 0xFB, 0x0F, 0x91,
  0xFE, 0x2E, 0xBE, 0x18, 0xF1, 0xCE
};
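The wc_key1 array is in Microsoft CryptoAPI PUBLICKEYBLOB layout: an 8-byte BLOBHEADER, a 12-byte RSAPUBKEY ("RSA1", bit length, public exponent) and the modulus stored little-endian. The Python below is an added example, not code from the original post: it parses and rebuilds that layout and scans a buffer for embedded blobs, which is how an analyst pulls such keys out of a dumped DLL. Only the 20-byte header constant is copied from wc_key1 above; the function names are my own.

```python
import struct

PUBLICKEYBLOB = 0x06        # BLOBHEADER.bType for an exported public key
CALG_RSA_KEYX = 0x0000A400  # BLOBHEADER.aiKeyAlg: RSA key exchange
RSA1_MAGIC = b"RSA1"        # RSAPUBKEY.magic ("RSA2" marks a private key blob)
HDR_LEN = 8 + 12            # sizeof(BLOBHEADER) + sizeof(RSAPUBKEY)

# First 20 bytes of wc_key1 from the post: BLOBHEADER followed by RSAPUBKEY.
WC_KEY1_HEADER = bytes.fromhex("06020000" "00a40000" "52534131" "00080000" "01000100")

def parse_header(blob: bytes) -> tuple:
    """Validate BLOBHEADER + RSAPUBKEY; return (bitlen, pubexp)."""
    if len(blob) < HDR_LEN:
        raise ValueError("shorter than BLOBHEADER + RSAPUBKEY")
    btype, bver, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if btype != PUBLICKEYBLOB or bver != 2 or alg != CALG_RSA_KEYX:
        raise ValueError(f"not an RSA PUBLICKEYBLOB: type={btype:#x} alg={alg:#x}")
    if magic != RSA1_MAGIC or bitlen == 0 or bitlen % 8:
        raise ValueError(f"bad RSAPUBKEY: magic={magic!r} bitlen={bitlen}")
    return bitlen, pubexp

def parse_publickeyblob(blob: bytes) -> tuple:
    """Return (modulus, pubexp) as ints. The modulus is stored little-endian."""
    bitlen, pubexp = parse_header(blob)
    if len(blob) != HDR_LEN + bitlen // 8:
        raise ValueError(f"expected {HDR_LEN + bitlen // 8} bytes, got {len(blob)}")
    return int.from_bytes(blob[HDR_LEN:], "little"), pubexp

def build_publickeyblob(modulus: int, pubexp: int = 65537) -> bytes:
    """Inverse of parse_publickeyblob (e.g. to re-emit a key for CryptImportKey)."""
    bitlen = modulus.bit_length()
    if bitlen % 8:
        raise ValueError("modulus bit length must be a multiple of 8")
    return (struct.pack("<BBHI", PUBLICKEYBLOB, 2, 0, CALG_RSA_KEYX)
            + struct.pack("<4sII", RSA1_MAGIC, bitlen, pubexp)
            + modulus.to_bytes(bitlen // 8, "little"))

def find_publickeyblobs(data: bytes) -> list:
    """Scan a buffer (dumped DLL, memory region) for RSA1 blobs; skip malformed/truncated hits."""
    hits, pos = [], data.find(RSA1_MAGIC, 8)     # a BLOBHEADER must precede the magic
    while pos != -1:
        start = pos - 8
        try:
            bitlen, _ = parse_header(data[start:start + HDR_LEN])
            hits.append((start,) + parse_publickeyblob(data[start:start + HDR_LEN + bitlen // 8]))
        except ValueError:                        # not really a blob, or cut off
            pass
        pos = data.find(RSA1_MAGIC, pos + 1)
    return hits
```

Each hit is (offset, modulus, pubexp); the modulus can be handed to any RSA library as a big integer, or re-emitted with build_publickeyblob.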

The AES-128 key generated for each file comes from CryptGenRandom, which
is cryptographically secure and is not known to have any weakness.

The AES keys are encrypted using the user's public key in *.pky.
In order to decrypt, we need the user's private key, which is
encrypted using a public key owned by the ransomware authors.

Presumably what the authors do is decrypt the user's private key in the *.eky file
using their own private key and then send the user a *.dky file
to decrypt the files.

WANNACRY RSA keys in PEM format







4 comments:

Max said...

You’re so cool! I don’t suppose I’ve read anything like this before. So nice to find somebody with some original thoughts on this subject. Really! Thank you for starting this up. This website is something that is needed on the web, someone with a little originality. Useful job for bringing something new to the internet!
download drastic ds emulator apk

Virus Removal Guidelines said...

So if your system is infected by any type of malware, don’t panic. Just follow the instructions provided in our website Virus Removal to get rid of the nasty system infection and keep your system risk free.

Unknown said...

Thank you ... nowhere did I find such a simple explanation.

Jim said...

Thanks for the keys. Hope it helps in the future cases of ransomware data recovery .