Reverse engineering is one of the most sought-after and valuable skills in cybersecurity/information security, yet few people have developed it to the level of mastery. Ghidra is a relatively new, free reverse engineering tool released by the NSA, the American spy agency.
In this tutorial, we'll look at one of the most notorious ransomware viruses in history: WannaCry. It infected more than 300,000 computers around the world and could have wreaked far greater havoc if it weren't for the work and skills of Marcus Hutchins (aka MalwareTech). Hutchins obtained a sample of the malware and immediately began examining its code. In it, he discovered what is commonly referred to as the killswitch. What he actually found was the URL that would be used for Command and Control (C&C) of the ransomware. When he realized that the URL hadn't been registered yet, he registered it himself. By doing so, he saved the internet by denying the ransomware authors control over their malware.
Here, we'll look at the malware's initial behaviour: the URL it checks for, and how it goes on to launch its malicious campaign.
#1. Prepare your environment and install Ghidra
For this tutorial, I recommend that you use a virtual machine running Kali or another operating system, so that you don't accidentally release WannaCry into your other systems or networks (which is good practice when dealing with any malware). Next, download WannaCry. You can get a sample from many places, such as VirusTotal.
Then launch Ghidra.
Then import the sample file.
Then start the analysis:
Next, there will be options to fine-tune the analysis. Keep all the defaults and add the Decompiler Parameter ID option (which creates parameters and local variables for each function; this can add a significant amount of analysis time for large files, but for WannaCry it shouldn't be a problem).
When Ghidra analyzes WannaCry, you may receive the following error message. Ignore it and just click "OK".
When the analysis is complete, it looks like this:
#2. Find the Main() function
The next step is to look for the function that starts the malware WannaCry. As we noted when loading the malware into Ghidra, WannaCry is a portable executable file (PE). Every Windows program has an entry point, usually named WinMain or wWinMain. See the Microsoft documentation below.
When we go to the Symbol Tree and expand the Functions folder, we don't find WinMain or wWinMain, but we do see a function named entry. This likely serves the same purpose as WinMain(). Let's check it out.
Double-click on it and it will appear in the Listing window and the Decompile window.
#3. Find the "killswitch"
Scanning the code in the Decompile window, we can see that this function calls another function, FUN_00408140(). Double-click on it to analyze it.
You will then see a URL in the Listing window and the Decompile window.
The code appears to copy the URL into a variable called puVar3.
Moving on, we can see a reference to the InternetOpenUrlA function.
A search of Microsoft's documentation (TechNet) confirms that InternetOpenUrlA opens the specified URL, as you might expect.
Below InternetOpenUrlA, we see a couple of lines that use InternetCloseHandle. They specify that if iVar2 is 0, the handle is closed and FUN_00408090() runs; otherwise the handle is closed and the program terminates.
This is what Marcus Hutchins noticed when he first examined and analyzed WannaCry. This is the URL for Command and Control (C&C). If the attempt to open the URL returns 0, the program continues into FUN_00408090(); if the URL can be opened, the program terminates. Let's now focus on FUN_00408140() as a whole.
#4. Program flow
Next, let's follow the flow of FUN_00408140(). Locate the Window menu at the top of Ghidra and click Function Call Graph.
Ghidra generates an easy-to-read graph of calls to and from the function, both upstream and downstream. You can see that the entry function is upstream of FUN_00408140, and downstream are InternetOpenA, InternetOpenUrlA, InternetCloseHandle, and FUN_00408090.
Back in the Decompile window, double-click FUN_00408090() to enter and analyze it.
Note that the decompiler shows the malware calling the OpenServiceA function, with an argument pointing at the string mssecv2.0_004312fc. This appears to open a Microsoft security service. Curious...
A search of Microsoft's TechNet shows that no such service exists. The malware is launching a new service that masquerades as a legitimate Microsoft security service to disguise its true nature.
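As an added example (not part of the original tutorial, and not Ghidra's own code), the Java Ghidra script below automates the three manual steps above: it lists every defined string that looks like a URL together with the function that references it, decompiles each function that calls InternetOpenUrlA or OpenServiceA and reads the string argument at the call site, and prints the upstream/downstream neighbours that the Function Call Graph window showed. It assumes an x86 PE sample such as WannaCry has already been analyzed in Ghidra; the classes used are Ghidra's public script API (GhidraScript/FlatProgramAPI and DecompInterface), and the list of target APIs is my own choice.

```java
// FindKillswitchStrings.java (added example, not from the tutorial or from Ghidra)
// Run from Ghidra's Script Manager with the analyzed sample open.
import ghidra.app.decompiler.DecompInterface;
import ghidra.app.decompiler.DecompileResults;
import ghidra.app.script.GhidraScript;
import ghidra.program.model.address.Address;
import ghidra.program.model.listing.Data;
import ghidra.program.model.listing.DataIterator;
import ghidra.program.model.listing.Function;
import ghidra.program.model.pcode.HighFunction;
import ghidra.program.model.pcode.PcodeOp;
import ghidra.program.model.pcode.PcodeOpAST;
import ghidra.program.model.pcode.Varnode;
import ghidra.program.model.symbol.Reference;
import java.util.Iterator;
import java.util.Map;

public class FindKillswitchStrings extends GhidraScript {

    // Imported API name -> position of the string argument (0 = first argument).
    // InternetOpenUrlA(hInternet, lpszUrl, ...) and OpenServiceA(hSCManager, lpServiceName, ...)
    // both take the string we care about as their second argument. (Assumed target list.)
    private static final Map<String, Integer> TARGETS = Map.of(
        "InternetOpenUrlA", 1,
        "OpenServiceA", 1);

    @Override
    public void run() throws Exception {
        // Pass 1: every defined string that looks like a URL, and which function references it.
        // This covers the tutorial's case, where the URL is copied into a local buffer (puVar3)
        // before the call, so the call argument itself is not a constant pointer.
        DataIterator data = currentProgram.getListing().getDefinedData(true);
        while (data.hasNext()) {
            Data d = data.next();
            if (!d.hasStringValue()) continue;
            String s = String.valueOf(d.getValue());
            if (!(s.startsWith("http://") || s.startsWith("https://"))) continue;
            printf("URL string at %s: \"%s\"\n", d.getAddress(), s);
            for (Reference ref : getReferencesTo(d.getAddress())) {
                Function user = getFunctionContaining(ref.getFromAddress());
                printf("    referenced from %s in %s\n", ref.getFromAddress(),
                       user == null ? "<no function>" : user.getName());
            }
        }

        // Pass 2: decompile each function that calls a target API and report the string
        // argument at each call site plus the function's call-graph neighbours.
        DecompInterface decomp = new DecompInterface();
        decomp.openProgram(currentProgram);
        try {
            for (Function f : currentProgram.getFunctionManager().getFunctions(true)) {
                if (f.isThunk()) continue;
                boolean callsTarget = false;
                for (Function callee : f.getCalledFunctions(monitor)) {
                    if (TARGETS.containsKey(callee.getName())) { callsTarget = true; break; }
                }
                if (callsTarget) reportFunction(decomp, f);
            }
        } finally {
            decomp.dispose();
        }
    }

    private void reportFunction(DecompInterface decomp, Function f) throws Exception {
        printf("\n%s @ %s\n", f.getName(), f.getEntryPoint());
        for (Function up : f.getCallingFunctions(monitor)) printf("    called by: %s\n", up.getName());
        for (Function down : f.getCalledFunctions(monitor)) printf("    calls:     %s\n", down.getName());

        DecompileResults res = decomp.decompileFunction(f, 60, monitor);
        HighFunction hf = res.getHighFunction();
        if (hf == null) { printf("    (decompile failed: %s)\n", res.getErrorMessage()); return; }

        Iterator<PcodeOpAST> ops = hf.getPcodeOps();
        while (ops.hasNext()) {
            PcodeOpAST op = ops.next();
            if (op.getOpcode() != PcodeOp.CALL) continue;          // input 0 is the call target
            Function callee = getFunctionAt(op.getInput(0).getAddress());
            if (callee == null || !TARGETS.containsKey(callee.getName())) continue;
            int argIndex = TARGETS.get(callee.getName()) + 1;     // +1 skips the call-target input
            String arg = op.getNumInputs() > argIndex
                ? describe(op.getInput(argIndex)) : "<argument not recovered>";
            printf("    %s -> %s(arg %d = %s)\n",
                   op.getSeqnum().getTarget(), callee.getName(), argIndex - 1, arg);
        }
    }

    // Resolve a pointer-sized varnode to the string defined at the address it holds, if any.
    private String describe(Varnode v) {
        Address a = null;
        if (v.isConstant()) a = toAddr(v.getOffset());            // e.g. PUSH imm32 of a string address
        else if (v.isAddress()) a = v.getAddress();
        if (a == null) return "<not a constant pointer (stack or register buffer)>";
        Data d = getDataAt(a);
        if (d != null && d.hasStringValue()) return "\"" + d.getValue() + "\"";
        return "<no defined string at " + a + ">";
    }
}
```

Save the file in one of the directories listed under Script Manager > Manage Script Directories and run it with the sample open. For the OpenServiceA call in FUN_00408090 the service-name string is passed directly, so pass 2 prints it at the call site; for the InternetOpenUrlA call in FUN_00408140 the URL first goes through a local buffer, so pass 2 reports a non-constant pointer and pass 1 is what ties the URL string to that function. Running the script inside the isolated VM from step 1 is enough; it only reads the loaded program and never executes the sample.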
#Summary of this section
The WannaCry ransomware could have dealt a devastating blow to the internet in 2017. It exploited the then-newly released EternalBlue vulnerability to get into computer systems and then encrypted all data until the victim paid the ransom. WannaCry was developed by a North Korean APT, which failed to mask or obfuscate the malware and, most importantly, did not register its C&C domain. Thanks to Marcus Hutchins, who found the killswitch and disarmed the ransomware against further infection, its effects were mitigated.
#Notes
This article was compiled by the Hetian (HitSky) Cyber Security Lab. Please credit the source when reprinting. Original: Reverse Engineering Malware, Ghidra Part 3: Analyzing the WannaCry Ransomware (hackers-arise.com)
About HitSky Cybersecurity Laboratory
Hitsky Cyber Security Lab (www.hetianlab.com) - a leading hands-on cyber security online education platform in China
Learn cyber security through hands-on online practice in real environments. Lab content covers: system security, software security, network security, web security, mobile security, CTF, forensic analysis, penetration testing, network security awareness education, and more.