Threat Spotlight: Inside the WannaCry Attack

Introduction

Over the past few weeks, organizations and individuals have either felt or witnessed the impact of WannaCry as it has swept the globe, wreaking havoc and disrupting services for a range of public and private sector companies. WannaCry has been a highly prominent outbreak, due in part to the infection of high-profile targets, such as the National Health Service in the UK and Telefonica in Spain, and also due to the use of novel exploits developed by the NSA and subsequently leaked by the Shadow Brokers.

As discussed in a previous Threat Spotlight, Cylance has been actively tracking WannaCry to ensure that we protect against all variants discovered in-the-wild. Considering the impact, it was felt that a deep-dive analysis was required, documenting the techniques that made this ransomware such a prevalent and media centric threat.

Also, yes, you’re protected if you’re using Cylance.

Overview

WannaCry is highly modular in composition, comprising the following main components:

  • Dropper (mssecsvc.exe)
  • Worm payload DLL (loader.dll)
  • Ransomware service (tasksche.exe)
  • Ransomware payload DLL (t.wnry)
  • User-interface (@WanaDecryptor@.exe)
  • RDP process injection utility (taskse.exe)
  • File deletion utility (taskdl.exe)
  • Tor client bundle (tor-win32-0.2.9.10.zip)

The remainder of this article provides technical analysis of each of the components, outlining the complete life-cycle of the malware, from installation and propagation through to the ransomware payload and auxiliary modules.

Dropper

The worm-enabled version of WannaCry arrives as a 3.7 MB, 32-bit Portable Executable (PE) that comprises a self-extracting archive, embedded executable resource, an installation routine and a service dispatcher function responsible for executing the worm propagation mechanism. The initial entry-point of the malware contains a condition check, and will terminate execution if it can contact the following URL (Fig.1): 
hxxp://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea(dot)com.
 

Figure 1: Kill-Switch Check

This condition (Read more...)

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Cylance Threat Guidance Team. Read the original post at: https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-the-wannacry-attack.html