2017-5-25 | md5:8e45887c903dc0bf3178403c58547eb3 | стандартплюс.рф | xn--80aal3ahogdhcf0m.xn--p1ai sends Russian Shade Ransomware Malware Analysis and Unpacking

Hello shit lords,

I have decided to create a new, more technical post on Shade Ransomware from a very recent sample.

The malware developers went to great lengths to encrypt their traffic by tunnelling it over Tor (TLS), and they used multiple stages of packing, which can be a pain to work through to get to the unpacked code. The downfalls of this ransomware are that it does not delete shadow copies, so you can do a system restore to get your files back, and that there was no observed attempt at anti-sandbox or anti-debugging techniques. All the Tor network encryption seems like a waste when you fuck up this badly.

Dynamic Analysis:

This is my base system (a Windows XP guest in QEMU on my Gentoo box) before running the ransomware.


Opening up Process Hacker here alongside Wireshark. Windows XP updates are off because they are noisy as fuck.


Here I have executed the malware and it is starting to connect over Tor (TLS), as I mentioned earlier.


Here we observe some plain HTTP traffic: the malware looks up the victim's public IP address via whatismyipaddress[dot]com, which it presumably reports back to the malware developers.


Again, some more HTTP traffic.


This malware likes to use threading to complete its tasks, which would be great if it weren't worthless to start with.


Here we can see the new desktop background, in Russian with an English translation. What gets me is that Russian hackers usually tend to avoid infecting Russians with their malware, but in this case they don't give a fuck: even a compromised Russian website drops this… It gets better by the minute, I say.


Here is where I used Process Hacker to obtain some useful IOCs from the memory of the ransomware process.


Here we can see what filenames look like after they are encrypted, with the no_more_ransom extension appended. This is funny because it's probably meant to poke fun at https://www.nomoreransom.org/; however, coming from this crappy ransomware, the slight against the No More Ransom project is nothing but hilarious.


Here we see what the onion site looks like.


And here is the ransom note in its entirety.

Static Analysis:

If you are new to assembly and unpacking this is a "well, fuck" moment, but we can power through it; remember, this ransomware is shit.


We can see here where it creates an empty file in its execution folder called DAjMtIJuAX. We are going to set a hardware breakpoint to catch where the next stage gets unpacked to.


We then run until it breaks, then single-step until the return; this is a technique that gets past most simple packers, because the unpacking stub's last act is to return or jump into the code it has just written.


We are now in a new section of memory, at a new entry point, but we are not done unpacking this shit sandwich yet.


We step, then follow the stack pointer in the dump.


We set another hardware breakpoint.


Step until the return again.


Now we are at a new entry point once again, and we see the PUSHAD instruction, which is typical of a UPX stub (though other packers use it too). We are going to take the easy way out, and I don't feel bad about it because this ransomware is shit.


Open up the memory map and filter for RWE (read/write/execute) regions: code that a packer writes and then runs at runtime usually lives in memory it allocated with full permissions, whereas a normally mapped image has RX code and RW data sections. Now find blocks of memory like this that don't have an associated owner (no module is mapped there).


So here we try dumping the first PE file.


I'm going to save you time: that one was not a complete image (or was a decoy), so move on to the next one.


Here we can open this up in PE Explorer, which has a UPX plugin that will take care of the rest of the unpacking… sigh, UPX…


Now we simply Save As to write the file back out with its original PE sections rebuilt.


Open this up in your debugger now: we are not warned about it being packed and we get nice function calls. Also notice the crypt functions; we know we did it right when we see these.


Here we see where a string containing the private key is sent to the attacker. This could be interesting: it does appear they are using the standard Windows CryptoAPI function CryptGenRandom from advapi32.dll to generate their random keys.


Here we can confirm the use of Tor SSL.


Here we see the original malware sample and its entropy; notice how high it is at the start.


Next we have the UPX portion we dumped and its entropy, which is still quite high.


Here we observe the entropy once the malware is completely unpacked.
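As an added example (not from the original post), here is a stdlib-only Python script that does what the entropy screenshots above show and also applies the RWE heuristic from the memory-map step statically: it computes Shannon entropy per window, walks the PE section table, and flags sections that are either high-entropy (compressed or encrypted payload, what the packed stages look like) or both writable and executable. The tiny PE it builds for the demo is constructed here, not a real sample; point pe_sections() at the original, the stage-1 dump and unpacked_final.exe to see the drop the screenshots show.

```python
import math
import struct


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def windowed_entropy(data, window=4096):
    """Entropy per fixed-size window, i.e. the curve an entropy plot of a file draws."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def pe_sections(data):
    """Walk the PE section table and score each section's raw data.

    A section is flagged when its entropy is above 7.0 (compressed or encrypted
    payload) or when it is both writable (IMAGE_SCN_MEM_WRITE, 0x80000000) and
    executable (IMAGE_SCN_MEM_EXECUTE, 0x20000000): the RWE pattern an unpacking
    stub needs so it can write the decompressed code and then jump into it.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr, _r, _l, _nr, _nl, chars = \
            struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        entropy = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        rwx = bool(chars & 0x80000000) and bool(chars & 0x20000000)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "entropy": round(entropy, 3),
            "rwx": rwx,
            "suspicious": entropy > 7.0 or rwx,
        })
    return sections


def make_fake_pe():
    """Constructed two-section PE32 for the demo: a low-entropy .text and a
    high-entropy, RWE 'UPX1' section. Synthetic, not a real sample."""
    text = bytes([0x55, 0x8B, 0xEC, 0xC3]) * 256   # four byte values -> entropy 2.0
    packed = bytes(range(256)) * 4                 # every value equally often -> 8.0
    data_start = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (0xE0 - 2)         # PE32 magic, rest zeroed
    s_text = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text),
                         data_start, 0, 0, 0, 0, 0x60000020)    # CODE | EXECUTE | READ
    s_upx = struct.pack("<8sIIIIIIHHI", b"UPX1", len(packed), 0x2000, len(packed),
                        data_start + len(text), 0, 0, 0, 0, 0xE0000040)  # RWE data
    header = dos + coff + opt + s_text + s_upx
    return header + b"\0" * (data_start - len(header)) + text + packed


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_fake_pe()
    for s in pe_sections(blob):
        flag = " <-- suspicious" if s["suspicious"] else ""
        print(f"{s['name']:<8} entropy={s['entropy']:.3f} rwx={s['rwx']}{flag}")
    print("windowed:", [round(e, 2) for e in windowed_entropy(blob, 1024)])
```

Run it with a path argument to score a real file. Entropy alone misfires on legitimately compressed resources, so the RWE check is the second opinion; a section that is both high-entropy and RWE is about as close to a packer signature as static inspection gets.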

Here is a sample of the RSA public keys it carries for Tor (PKCS#1 "RSA PUBLIC KEY" PEM format):

-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBALSvLHwnyH0li31qf/txdlDeh5+aC2GclsEaTXZMPjX3Demf2nSznEFZ
Bf+I3n5/3ulqPqERmenTf7kTw00C9an3TsTsE4/hSUahnRK8TOuA8Nw7GBfzE2so
RtJJ5RVjGLI2IvWPRE2A7Oc/VU4JJ8VQYC7Wt4kdng2YN5sE+DEBAgMBAAE=
-----END RSA PUBLIC KEY-----

-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBANnvMUuFoisbdWvQSAC+/TfEC5UlU52mWIPRWbRPtWrmsDlmTvSXWmKZ
SKeT9RpY8IzhWiBQ302l6cyof6GI9Lg2JXGlStdVWvEUfrNIzW7O4OeIYvnjCrL6
qQYUXiiTqLQzfjWgLqwC3xyvXe6sZMycR2e7aIZoEL3zrP7KV5jVAgMBAAE=
-----END RSA PUBLIC KEY-----

-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBANnx4iv4Kr6d0I2F93M++CezwCYa2f7odjft4vj6ylTR9sxYp4W3obNP
7l19oPXUef6ofXzomd96WbnyEiaQufKol9RHPCUV1pJH/24objMhfyiysQY3Hzeu
iO/Xm7sJymXGIO2y31ZUcfmcAozw55dpyyi8Pvv+Y+/z6ynmVJpXAgMBAAE=
-----END RSA PUBLIC KEY-----

-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAL7lHqQP68O0Jrt5VNLxsH29Ta+Syv5pmoPcalztJ4pFtPUTJqiYqjeW
zbfSmBpxbPvG/beoyH/TSHpnsrV/Uno+VE4WyEFf7XSd0sd38RqFoa/2GoRsZdzn
A9+EiYZcqmrbMtejh/zKGAtVO+VQigRfYZG5b+tAxsTEuh+fDipLAgMBAAE=
-----END RSA PUBLIC KEY-----

-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBAMsVS1U65md90LYIqGYuR8ej0vT5jdTTfOW2VaLIoXd2/8RlxAjoeIQu
1joQIZfLLImaVkX6MWYhQc1CUDYbUossTkKs4ne4wgUhw6PA2mYueni5ClAyK7xB
dWqCfbsFLyzfwi+DVA/P15MhYaiydEuWEp5jLYnT9GZxEQjoBP+RAgMBAAE=
-----END RSA PUBLIC KEY-----
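As an added example (not from the original post), here is a minimal stdlib-only parser for the PKCS#1 "RSA PUBLIC KEY" PEM format shown above. It decodes the DER, checks the SEQUENCE-of-two-INTEGERs structure, and reports the modulus size and exponent plus the SHA-1 of the DER encoding, which is how Tor derives a relay's identity fingerprint (the same 40-hex-digit format that appears beside the IP:port strings in the memory search further down). The two embedded keys are copied from the list above; whether their fingerprints match any value in the memory dump is not established here.

```python
import base64
import hashlib


def _der_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: low 7 bits = byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_pkcs1_rsa_public_key(pem):
    """Parse a '-----BEGIN RSA PUBLIC KEY-----' (PKCS#1 RSAPublicKey) PEM block.

    RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
    Returns the modulus bit length, the exponent and the SHA-1 of the DER
    encoding, which Tor uses as the relay identity fingerprint.
    """
    b64 = "".join(line.strip() for line in pem.strip().splitlines()
                  if not line.startswith("-----"))
    der = base64.b64decode(b64)
    tag, seq, end = _der_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag_n, n_bytes, pos = _der_tlv(seq, 0)
    tag_e, e_bytes, pos = _der_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected exactly two INTEGERs")
    n = int.from_bytes(n_bytes, "big")
    e = int.from_bytes(e_bytes, "big")
    return {
        "bits": n.bit_length(),
        "exponent": e,
        "fingerprint": hashlib.sha1(der).hexdigest().upper(),
    }


def describe_keys(pems):
    """Summarise PEM blocks and mark the ones with the 1024-bit / 65537 parameters
    Tor's RSA identity and onion keys used."""
    out = []
    for pem in pems:
        info = parse_pkcs1_rsa_public_key(pem)
        info["tor_like"] = info["bits"] == 1024 and info["exponent"] == 65537
        out.append(info)
    return out


# Two of the keys from the list above (copied from the post, not constructed).
KEY_1 = """-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBALSvLHwnyH0li31qf/txdlDeh5+aC2GclsEaTXZMPjX3Demf2nSznEFZ
Bf+I3n5/3ulqPqERmenTf7kTw00C9an3TsTsE4/hSUahnRK8TOuA8Nw7GBfzE2so
RtJJ5RVjGLI2IvWPRE2A7Oc/VU4JJ8VQYC7Wt4kdng2YN5sE+DEBAgMBAAE=
-----END RSA PUBLIC KEY-----"""

KEY_2 = """-----BEGIN RSA PUBLIC KEY-----
MIGJAoGBANnvMUuFoisbdWvQSAC+/TfEC5UlU52mWIPRWbRPtWrmsDlmTvSXWmKZ
SKeT9RpY8IzhWiBQ302l6cyof6GI9Lg2JXGlStdVWvEUfrNIzW7O4OeIYvnjCrL6
qQYUXiiTqLQzfjWgLqwC3xyvXe6sZMycR2e7aIZoEL3zrP7KV5jVAgMBAAE=
-----END RSA PUBLIC KEY-----"""

if __name__ == "__main__":
    for info in describe_keys([KEY_1, KEY_2]):
        print(f"{info['bits']}-bit RSA, e={info['exponent']}, "
              f"fingerprint {info['fingerprint']}, tor_like={info['tor_like']}")
```

Every key in the list decodes to 1024-bit RSA with e=65537, the parameters of Tor's own RSA keys of that era, which is one more sign that the "crypto" here is the embedded Tor client rather than anything the ransomware authors designed.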

Getting your Files Back:
All Windows Versions: https://www.lifewire.com/how-to-use-system-restore-in-windows-2626131
Windows 7 and up: http://www.wintips.org/restore-deleted-files-using-shadow-copy/

Indicators of Compromise (IOCs):

Russian Shade Ransomware Variant

Original Sample - 8E45887C903DC0BF3178403C58547EB3.exe
- md5   : 8e45887c903dc0bf3178403c58547eb3
- sha1  : 35ec35dc195d80c2eb1601afa507b9b22dbeffd2
- sha256: f75ff8e486a6a3a1f74ca7f4b91a47134d41ea1227a98785383761c6354bbed8
Sample Unpack Stage 1 - unpack_upx.exe
- md5   : c6e6f4187c94d866fd9324ab73568b53
- sha1  : 224e3c3137f61ecbeb0395408b1ddc8ba50b1e0a
- sha256: 48363d7a2bee1fc046dfc3d18db4a4a31b15201398e941a6acdb58f1dede4546
Sample Unpack Stage 2 - unpacked_final.exe
- md5   : a5c8bde0a3d6b564ef76dd61bbc49a72
- sha1  : 10c53431a5a2cd8b0db3a5d35bda4913889b02d7
- sha256: f79a6c788d6836c0687725f7be1784d61b384fe37da6e59c0bf559bca2c74aaa

Hard-coded Tor nodes (these are Tor's built-in directory authority entries, truncated in the debugger listing; they point to an embedded Tor client, not to attacker-controlled infrastructure):
004948ED   MOV EAX,unpacked.00596710                 ASCII "moria1 orport=9101 v3ident=D586D18309DED4CD6D57C18FDB97EFA96D330566 128.31.0.39:91
004948F6   MOV DWORD PTR SS:[EBP-28],unpacked.00596  ASCII "tor26 orport=443 v3ident=14C131DFC5C6F93646BE72FA1401C02A8DF2E8B4 86.59.21.38:80 8
004948FD   MOV DWORD PTR SS:[EBP-24],unpacked.00596  ASCII "dizum orport=443 v3ident=E8A9C45EDE6D711294FADF8E7951F4DE6CA56B58 194.109.206.212:
00494904   MOV DWORD PTR SS:[EBP-20],unpacked.00596  ASCII "Tonga orport=443 bridge 82.94.251.203:80 4A0C CD2D DC79 9508 3D73 F5D6 6710 0C8A 5
0049490B   MOV DWORD PTR SS:[EBP-1C],unpacked.00596  ASCII "turtles orport=9090 v3ident=27B6B5996C426270A5C95488AA5BCEB6BCC86956 76.73.17.194:
00494912   MOV DWORD PTR SS:[EBP-18],unpacked.00596  ASCII "gabelmoo orport=443 v3ident=ED03BB616EB2F60BEC80151114BB25CEF515B226 131.188.40.18
00494920   MOV DWORD PTR SS:[EBP-10],unpacked.00596  ASCII "urras orport=80 v3ident=80550987E1D626E3EBA5E5E75A458DE0626D088C 208.83.223.34:443
00494927   MOV DWORD PTR SS:[EBP-C],unpacked.00596B  ASCII "maatuska orport=80 v3ident=49015F787433103580E3B66A1707A00E60F2D15B 171.25.193.9:4
0049492E   MOV DWORD PTR SS:[EBP-8],unpacked.00596B  ASCII "Faravahar orport=443 v3ident=EFCBE720AB3A82B99F9E953CD5BF50F7EEFC7B97 154.35.32.5:
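As an added example (not from the original post), here is a parser for Tor's DirAuthority line format, which is what these strings are, plus a triage helper that separates directory-authority addresses from everything else in an observed IP list. The authority strings are copied from the listing above (clipped as shown there, hence the tolerant parsing), and the observed IPs are a handful copied from the Process Hacker memory search further down. The point for a SOC: these authorities are compiled into every Tor client of this era, so their IPs in an "IOC" list mean "embedded Tor", not "attacker server".

```python
import re

# Directory-authority strings as they appear in the listing above (copied from the
# post; the debugger clipped them, so the parser tolerates a missing dirport,
# a missing fingerprint and, for gabelmoo, an address cut short).
DIR_AUTHORITY_STRINGS = [
    "moria1 orport=9101 v3ident=D586D18309DED4CD6D57C18FDB97EFA96D330566 128.31.0.39:91",
    "tor26 orport=443 v3ident=14C131DFC5C6F93646BE72FA1401C02A8DF2E8B4 86.59.21.38:80 8",
    "dizum orport=443 v3ident=E8A9C45EDE6D711294FADF8E7951F4DE6CA56B58 194.109.206.212:",
    "Tonga orport=443 bridge 82.94.251.203:80 4A0C CD2D DC79 9508 3D73 F5D6 6710 0C8A 5",
    "turtles orport=9090 v3ident=27B6B5996C426270A5C95488AA5BCEB6BCC86956 76.73.17.194:",
    "gabelmoo orport=443 v3ident=ED03BB616EB2F60BEC80151114BB25CEF515B226 131.188.40.18",
    "urras orport=80 v3ident=80550987E1D626E3EBA5E5E75A458DE0626D088C 208.83.223.34:443",
    "maatuska orport=80 v3ident=49015F787433103580E3B66A1707A00E60F2D15B 171.25.193.9:4",
    "Faravahar orport=443 v3ident=EFCBE720AB3A82B99F9E953CD5BF50F7EEFC7B97 154.35.32.5:",
]

# A handful of addresses from the Process Hacker memory search further down
# (copied from the post).
OBSERVED_IPS = [
    "146.185.189.197", "144.76.14.145", "86.59.21.38", "128.31.0.39",
    "194.109.206.212", "154.35.32.5", "171.25.193.9", "52.59.55.22", "86.59.21.38",
]

# Tor DirAuthority line: NAME orport=PORT [bridge] [v3ident=HEX40] IP:DIRPORT FINGERPRINT
_AUTH_RE = re.compile(
    r"^(?P<name>\S+)\s+orport=(?P<orport>\d+)"
    r"(?P<bridge>\s+bridge)?"
    r"(?:\s+v3ident=(?P<v3ident>[0-9A-Fa-f]{40}))?"
    r"\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dirport>\d*))?"
    r"(?P<rest>.*)$"
)


def parse_dir_authority(line):
    """Parse one DirAuthority string into a dict; return None if it is not one."""
    m = _AUTH_RE.match(line.strip())
    if not m:
        return None
    fingerprint = m.group("rest").replace(" ", "").upper()
    return {
        "name": m.group("name"),
        "orport": int(m.group("orport")),
        "bridge": m.group("bridge") is not None,
        "v3ident": m.group("v3ident").upper() if m.group("v3ident") else None,
        "ip": m.group("ip"),
        "dirport": int(m.group("dirport")) if m.group("dirport") else None,
        "fingerprint": fingerprint if len(fingerprint) == 40 else None,
        "complete": len(fingerprint) == 40,     # False for every clipped line above
    }


def triage_ips(observed_ips, authorities):
    """Split observed addresses into known directory-authority IPs and the rest."""
    known = {a["ip"]: a["name"] for a in authorities if a}
    tor_dir, other = {}, []
    for ip in dict.fromkeys(observed_ips):      # de-duplicate, keep first-seen order
        if ip in known:
            tor_dir[ip] = known[ip]
        else:
            other.append(ip)
    return tor_dir, other


if __name__ == "__main__":
    auths = [parse_dir_authority(s) for s in DIR_AUTHORITY_STRINGS]
    tor_dir, other = triage_ips(OBSERVED_IPS, auths)
    print("Tor directory authorities (expected from any embedded Tor client):")
    for ip, name in tor_dir.items():
        print(f"  {ip:<16} {name}")
    print("Everything else (worth a closer look):")
    for ip in other:
        print(f"  {ip}")
```

Because gabelmoo's address is clipped in the listing, 131.188.40.189 from the memory search would land in "other" with this input; feed the parser the full strings from the unpacked binary and it sorts correctly.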

Dynamic Network Analysis:
dannenberg[dot]torauth[dot]de:https
turtles[dot]fscked[dot]org:9090
tor[dot]dizum[dot]com:https
torrelay[dot]kush[dot]tyknet.dk:https
168[dot]ip-137-74-116[dot]eu:https
julian[dot]meshwith[dot]me:9001
vps36606[dot]mardux[dot]com:http
snowden[dot]pep-security[dot]net:9001

Ransom Note Indicators:
lukyan.sazonov26@gmail.com
cryptsen7fo43rr6[dot]onion[dot]to
cryptsen7fo43rr6[dot]onion[dot]cab
cryptsen7fo43rr6[dot]onion

Ransom File Extension: NO_MORE_RANSOM

Creates empty file in same location as executed payload: DAjMtIJuAX

Upon some research, you can get your files back, as shadow copies are not deleted.
If you use Windows XP you will have to use a program that scans unallocated space to try to recover files.

Calls out to What's my IP Address:
T 10.0.2.15:1179 -> 104.111.251.178:80 [AP]
GET / HTTP/1.1.
Host: whatismyipaddress.com.
Accept: */*.
User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0.

Process Hacker Domains:
www[dot]3uzxkjela6lkbqn7[dot]com
www[dot]bumwgibuoatsp36ccec[dot]net
www[dot]crarthgn[dot]net
www[dot]deihjst7sqyc3q2u[dot]net
www[dot]dxewtoupbbwcuf4jpsndhhk[dot]com
www[dot]f4whtd26fvklvonakil7[dot]com
www[dot]gc7ade4to[dot]com
www[dot]gpwyfz34sd4thsow[dot]com
www[dot]i3hvqtg6c[dot]com
www[dot]ighg7ojd65hls[dot]com
www[dot]ird45nhj5wzfr3hgytqeky7a[dot]com
www[dot]mopnlqm[dot]com
www[dot]ryffsmtllyzu[dot]net
www[dot]vkxw4ty2huqa[dot]net
www[dot]vptjgo3fvs3yqqykn7ufne5[dot]com
www[dot]vsbazdkuwrin7hd77ct[dot]com
www[dot]wftel2sw62giln4au[dot]net
www[dot]ws23jeemppfwh665wvr5[dot]com

ET Open Alerts:
5/26/2017-04:28:31.605139  [**] [1:2018789:3] ET POLICY TLS possible TOR SSL traffic [**] [Classification: Misc activity] [Priority: 3] {TCP} 37.187.107.91:9001 -> 10.0.2.15:1047

Process Hacker IP Search:
# These private address ranges are probably used to find and encrypt network shares, so be careful with this turd
0x5a4354 (13): 172.16.0.0/12
0x5a4364 (10): 10.0.0.0/8
0x5a4370 (14): 192.168.0.0/16
0x5a438c (14): 169.254.0.0/16

0x5adaa0 (12): 18.244.0.188
0x5d388c (19): 146.185.189.197:443
0x5d50e4 (17): 144.76.14.145:143
0x5d512c (13): 144.76.14.145
0xa573e0 (60): 192.36.27.179:11967 3ce83c6a3de298c45a2a940b7f2cddb017baea55
0xa575a0 (61): 194.132.209.82:31017 16f53958923cdc11051045d9c339bb599497cb2c
0xa575e8 (56): 54.164.6.73:443 b5cc920c146a4b07a9769dfcda7a546e1d5f5a87
0xa57850 (61): 194.132.208.167:3114 197e09caa5d3f7664be5c812ea6f1425dfd467e8
0xa593b8 (61): 194.132.208.167:3114 197e09caa5d3f7664be5c812ea6f1425dfd467e8
0xa59400 (56): 54.164.6.73:443 b5cc920c146a4b07a9769dfcda7a546e1d5f5a87
0xa59460 (61): 194.132.209.82:31017 16f53958923cdc11051045d9c339bb599497cb2c
0xa594d0 (60): 192.36.27.179:11967 3ce83c6a3de298c45a2a940b7f2cddb017baea55
0xa5b810 (60): 192.36.27.179:11967 3ce83c6a3de298c45a2a940b7f2cddb017baea55
0xa5b870 (61): 194.132.209.82:31017 16f53958923cdc11051045d9c339bb599497cb2c
0xa5b8d0 (56): 54.164.6.73:443 b5cc920c146a4b07a9769dfcda7a546e1d5f5a87
0xa5b930 (61): 194.132.208.167:3114 197e09caa5d3f7664be5c812ea6f1425dfd467e8
0xa5bbf3 (14): 154.35.175.225
0xa5bc02 (14): 154.35.175.225
0xa5c45f (11): 86.59.21.38
0xa5c46b (11): 86.59.21.38
0xa5ca5a (14): 131.188.40.189
0xa5cb50 (14): 193.23.244.244
0xa5cbe0 (14): 131.188.40.189
0xa5cc28 (13): 208.83.223.34
0xa5cc70 (12): 76.73.17.194
0xa5ccb8 (13): 82.94.251.203
0xa5cf88 (11): 86.59.21.38
0xa5cfa0 (15): 194.109.206.212
0xa5cfb8 (11): 128.31.0.39
0xa5d3d8 (11): 154.35.32.5
0xa5d640 (12): 171.25.193.9
0xf7bce0 (244): 192.36.27.179:11967 3ce83c6a3de298c45a2a940b7f2cddb017baea55
Host: 146.185.189.197:443
Host: 144.76.14.145:143
Host: 18.181.5.37:9052
0x10d19b0 (14): 193.23.244.244
0x10d3968 (12): 171.25.193.9
0x10d3e10 (13): 144.76.14.145
0x10d3e40 (13): 94.242.59.187
0x10f0308 (13): 144.76.14.145
0x10f03b0 (11): 18.181.5.37
0x119689e (14): 193.23.244.244
0x119699f (11): 86.59.21.38
0x11969ab (11): 86.59.21.38
0x1196aae (14): 199.254.238.53
0x1196abd (14): 199.254.238.53
0x1196c06 (12): 171.25.193.9
0x1196c13 (12): 171.25.193.9
0x1196d40 (11): 128.31.0.34
0x1196d4c (11): 128.31.0.34
0x1196e5b (15): 194.109.206.212
0x1196e6b (15): 194.109.206.212
0x1196f9a (14): 131.188.40.189
0x1196fa9 (14): 131.188.40.189
0x1faf4e8 (14): 131.188.40.189
0x1fb02e0 (14): 154.35.175.225
0x1fb99a8 (11): 86.59.21.38
0x1fb9a60 (11): 128.31.0.34
0x1fb9a78 (15): 194.109.206.212
0x1fb9b68 (14): 199.254.238.53
0x1fb9cb0 (12): 171.25.193.9
0x23bc290 (11): 52.59.55.22

# Yup, the malware finds out your public IP. Note that X-Your-Address-Is is the header Tor directory servers return so a client can learn its own address, so these strings come from the embedded Tor client rather than from a separate beacon to the attackers. (This isn't my address, btw, lol!)
X-Your-Address-Is: 184.170.137.55
X-Your-Address-Is: 184.170.137.55
X-Your-Address-Is: 184.170.137.55

0x255d788 (15): 146.185.189.197
0x255d860 (15): 146.185.189.197

You can download the pcap, unpack stage 1, unpack stage 2, original sample and more here: https://www.dropbox.com/s/5e2hc8crkl8p0ni/8E45887C903DC0BF3178403C58547EB3.zip?dl=0

Note: The password for the zip file with the analysis is “infected” without quotes.

VirusTotal: https://virustotal.com/en/file/f75ff8e486a6a3a1f74ca7f4b91a47134d41ea1227a98785383761c6354bbed8/analysis/

If you like this analysis and want to help me out with some bitcoin send me an email using the contact page.


WannaCry WanaDecrypt0r Analysis

Analysis:

Please note this analysis is only really on WanaDecrypt0r and not on the dropper, known as diskpart.exe.

When WannaCry is executed on the target machine, a hidden folder is created in the current user's directory containing the following files:

[c.wnry] – Tor Configuration and Bitcoin Wallet Address for Payment

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000060  00 00 00 00 00 00 00 00 00 00 00 00 E7 A5 1A 59  ............��.Y
00000070  03 00 00 00 07 00 00 00 00 00 96 43 00 00 00 00  ..........�C....
00000080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000000B0  00 00 31 32 74 39 59 44 50 67 77 75 65 5A 39 4E  ..12t9YDPgwueZ9N
000000C0  79 4D 67 77 35 31 39 70 37 41 41 38 69 73 6A 72  yMgw519p7AA8isjr
000000D0  36 53 4D 77 00 00 00 00 00 00 00 00 00 00 00 00  6SMw............
000000E0  00 00 00 00 67 78 37 65 6B 62 65 6E 76 32 72 69  ....gx7ekbenv2ri
000000F0  75 63 6D 66 2E 6F 6E 69 6F 6E 3B 35 37 67 37 73  ucmf.onion;57g7s
00000100  70 67 72 7A 6C 6F 6A 69 6E 61 73 2E 6F 6E 69 6F  pgrzlojinas.onio
00000110  6E 3B 78 78 6C 76 62 72 6C 6F 78 76 72 69 79 32  n;xxlvbrloxvriy2
00000120  63 35 2E 6F 6E 69 6F 6E 3B 37 36 6A 64 64 32 69  c5.onion;76jdd2i
00000130  72 32 65 6D 62 79 76 34 37 2E 6F 6E 69 6F 6E 3B  r2embyv47.onion;
00000140  63 77 77 6E 68 77 68 6C 7A 35 32 6D 61 71 6D 37  cwwnhwhlz52maqm7
00000150  2E 6F 6E 69 6F 6E 3B 00 00 00 00 00 00 00 00 00  .onion;.........
00000160  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000170  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000180  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000190  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000001D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 74  ..............ht
000001E0  74 70 73 3A 2F 2F 64 69 73 74 2E 74 6F 72 70 72  tps://dist.torpr
000001F0  6F 6A 65 63 74 2E 6F 72 67 2F 74 6F 72 62 72 6F  oject.org/torbro
00000200  77 73 65 72 2F 36 2E 35 2E 31 2F 74 6F 72 2D 77  wser/6.5.1/tor-w
00000210  69 6E 33 32 2D 30 2E 32 2E 39 2E 31 30 2E 7A 69  in32-0.2.9.10.zi
00000220  70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  p...............
00000230  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000240  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000250  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000260  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000270  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000280  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000290  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000002A0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000002B0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000002C0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000002D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000002E0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
000002F0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000300  00 00 00 00 00 00 00 00 00 00 00 00              ............

This file contains the onion domains as well as the Bitcoin wallet address the attackers want payment sent to; here we can also see it when it is loaded into memory by the Decrypt0r after a call to fread.
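As an added example (not from the original post), here is a small parser for the c.wnry image: it rebuilds bytes from hex-dump text like the listing above (gaps are allowed, so the excerpt embedded below is enough), carves printable strings with their offsets, and classifies them as Bitcoin addresses, .onion hosts or URLs. The embedded dump lines are copied from the listing above; the classification rules (base58 alphabet and length for the wallet address, the ';'-separated .onion list) are heuristics chosen here, not a documented c.wnry schema.

```python
import re

# Excerpt of the c.wnry hex dump above (copied from the post). The all-zero lines
# between 0x160 and 0x1D0 are left out; the parser fills gaps with zeros.
CWNRY_DUMP = """\
000000B0  00 00 31 32 74 39 59 44 50 67 77 75 65 5A 39 4E  ..12t9YDPgwueZ9N
000000C0  79 4D 67 77 35 31 39 70 37 41 41 38 69 73 6A 72  yMgw519p7AA8isjr
000000D0  36 53 4D 77 00 00 00 00 00 00 00 00 00 00 00 00  6SMw............
000000E0  00 00 00 00 67 78 37 65 6B 62 65 6E 76 32 72 69  ....gx7ekbenv2ri
000000F0  75 63 6D 66 2E 6F 6E 69 6F 6E 3B 35 37 67 37 73  ucmf.onion;57g7s
00000100  70 67 72 7A 6C 6F 6A 69 6E 61 73 2E 6F 6E 69 6F  pgrzlojinas.onio
00000110  6E 3B 78 78 6C 76 62 72 6C 6F 78 76 72 69 79 32  n;xxlvbrloxvriy2
00000120  63 35 2E 6F 6E 69 6F 6E 3B 37 36 6A 64 64 32 69  c5.onion;76jdd2i
00000130  72 32 65 6D 62 79 76 34 37 2E 6F 6E 69 6F 6E 3B  r2embyv47.onion;
00000140  63 77 77 6E 68 77 68 6C 7A 35 32 6D 61 71 6D 37  cwwnhwhlz52maqm7
00000150  2E 6F 6E 69 6F 6E 3B 00 00 00 00 00 00 00 00 00  .onion;.........
000001D0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 68 74  ..............ht
000001E0  74 70 73 3A 2F 2F 64 69 73 74 2E 74 6F 72 70 72  tps://dist.torpr
000001F0  6F 6A 65 63 74 2E 6F 72 67 2F 74 6F 72 62 72 6F  oject.org/torbro
00000200  77 73 65 72 2F 36 2E 35 2E 31 2F 74 6F 72 2D 77  wser/6.5.1/tor-w
00000210  69 6E 33 32 2D 30 2E 32 2E 39 2E 31 30 2E 7A 69  in32-0.2.9.10.zi
00000220  70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  p...............
"""

HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}\s){1,16})")
BASE58 = set("123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz")


def hexdump_to_bytes(dump):
    """Rebuild a byte buffer from 'OFFSET  XX XX ...  ascii' lines; gaps stay zero."""
    chunks = []
    for line in dump.splitlines():
        m = HEX_LINE.match(line + " ")          # trailing space so a final byte still matches
        if m:
            chunks.append((int(m.group(1), 16), bytes.fromhex(m.group(2))))
    if not chunks:
        return b""
    buf = bytearray(max(off + len(b) for off, b in chunks))
    for off, b in chunks:
        buf[off:off + len(b)] = b
    return bytes(buf)


def carve_strings(buf, min_len=8):
    """Return (offset, text) for every run of printable ASCII at least min_len long."""
    found, start = [], None
    for i, b in enumerate(buf + b"\0"):         # sentinel terminates a trailing run
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                found.append((start, buf[start:i].decode("ascii")))
            start = None
    return found


def parse_cwnry(buf):
    """Classify carved strings into the fields an IOC extractor cares about.

    Heuristics chosen here, not a documented schema: a 26-35 character base58
    string starting with 1 or 3 is a Bitcoin address, a ';'-separated run of
    .onion names is the hidden-service list, http(s):// is a download URL.
    """
    fields = {"bitcoin_addresses": [], "onion_addresses": [], "urls": []}
    for offset, text in carve_strings(buf):
        if text.startswith(("http://", "https://")):
            fields["urls"].append((offset, text))
        elif ".onion" in text:
            pos = offset
            for token in text.split(";"):
                if token.endswith(".onion"):
                    fields["onion_addresses"].append((pos, token))
                pos += len(token) + 1           # account for the ';' separator
        elif 26 <= len(text) <= 35 and text[0] in "13" and set(text) <= BASE58:
            fields["bitcoin_addresses"].append((offset, text))
    return fields


if __name__ == "__main__":
    cfg = parse_cwnry(hexdump_to_bytes(CWNRY_DUMP))
    for kind, items in cfg.items():
        for off, value in items:
            print(f"{kind:<18} 0x{off:04X}  {value}")
```

Feeding it the bytes of c.wnry directly (skip hexdump_to_bytes) gives the same result; the offsets it reports (0xB2 for the wallet, 0xE4 for the onion list, 0x1DE for the Tor bundle URL) are where the strings sit in the dump above, which is handy for writing a YARA rule that keys on the layout rather than on one campaign's values.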

[00000000.pky] – is the public RSA encryption key (a CryptoAPI PUBLICKEYBLOB)

Found this RSA file:

Note that the dump below is not a bare PUBLICKEYBLOB. The "Schedule" container name, the DPAPI provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb (the bytes D0 8C 9D DF 01 15 D1 11 8C 7A 00 C0 4F C2 97 EB) and the Unicode descriptions "CryptoAPI Private Key" and "Export Flag" are the layout of a CryptoAPI RSA key container file, i.e. a DPAPI-protected private key store.
Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  02 00 00 00 00 00 00 00 09 00 00 00 5C 00 00 00  ............\...
00000010  34 02 00 00 00 00 00 00 00 00 00 00 14 00 00 00  4...............
00000020  A8 00 00 00 00 00 00 00 53 63 68 65 64 75 6C 65  �.......Schedule
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000040  00 00 00 00 00 52 53 41 31 48 00 00 00 00 02 00  .....RSA1H......
00000050  00 3F 00 00 00 01 00 01 00 0D 36 00 7A FB C8 7E  .?........6.z��~
00000060  88 08 55 2F 0D BC 23 24 5E C1 D9 01 D0 07 6A 63  �.U/.�#$^��.�.jc
00000070  AB 91 11 9C AC 6D 7E 62 01 FF 23 4E 28 A8 F0 8D  ��.��m~b.�#N(��.
00000080  DC 72 B6 6A 41 A5 E7 BE 51 B6 A9 11 DA 46 EC 7F  �r�jA���Q��.�F�.
00000090  F0 EA 5D A3 28 E6 50 5B AC 00 00 00 00 00 00 00  ��]�(�P[�.......
000000A0  00 01 00 00 00 D0 8C 9D DF 01 15 D1 11 8C 7A 00  .....Ќ.�..�.�z.
000000B0  C0 4F C2 97 EB 01 00 00 00 31 16 E2 B7 9B C6 8B  �O�....1.ⷛƋ
000000C0  44 B5 B4 95 C2 FC 42 80 4E 00 00 00 00 2C 00 00  D�����B�N....,..
000000D0  00 43 00 72 00 79 00 70 00 74 00 6F 00 41 00 50  .C.r.y.p.t.o.A.P
000000E0  00 49 00 20 00 50 00 72 00 69 00 76 00 61 00 74  .I. .P.r.i.v.a.t
000000F0  00 65 00 20 00 4B 00 65 00 79 00 00 00 03 66 00  .e. .K.e.y....f.
00000100  00 A8 00 00 00 10 00 00 00 B2 C1 77 A1 2E B8 92  .�.......��w�.��
00000110  E5 10 5F 9E B4 79 44 F9 9A 00 00 00 00 04 80 00  �._��yD��.....�.
00000120  00 A0 00 00 00 10 00 00 00 BE 89 82 23 FF E4 98  .�.......���#���
00000130  8D DC 6E E3 81 DB 85 48 8D 80 01 00 00 AF 21 EE  .�n�.ۅH.�...�!�
00000140  F8 BF 45 C3 A9 8A 83 CF C9 97 45 33 45 80 FC 5C  ��Eé���ɗE3E��\
00000150  3A E5 11 EE 8D 18 09 05 9A 81 EE 18 D2 F5 2A E2  :�.�....�.�.��*�
00000160  DE 6D BC E4 1C 09 00 F0 FC CB C7 00 9C D0 D7 D0  �m��...����.����
00000170  59 0B 3B 48 56 11 0C A9 9A EF F8 1C C9 2E B9 8C  Y.;HV..����.�.��
00000180  CE 78 76 7F 47 C0 85 34 D1 6C 59 8E E7 BF C1 15  �xv.G��4�lY����.
00000190  C0 36 FD 49 C0 6C 7E 13 6E 48 3E F9 22 00 B7 1A  �6�I�l~.nH>�".�.
000001A0  C9 6F F3 16 42 99 F7 B9 CD 44 25 82 9F D8 08 B8  �o�.B����D%���.�
000001B0  24 E5 30 3C 99 A8 5C 64 7C 7D 26 5D C7 DA 46 B0  $�0<��\d|}&]��F�
000001C0  89 E5 32 57 F4 B1 41 54 41 38 45 A8 50 94 1D 5A  ��2W��ATA8E�P�.Z
000001D0  36 0B 50 1B 9F 3A 9A 3D 9B 96 07 87 2F CC BA 06  6.P.�:�=��.�/̺.
000001E0  52 07 C6 18 6B AD 7E 10 FE 4B 4C 55 2E 45 2B 23  R.�.k�~.�KLU.E+#
000001F0  3B C7 18 18 92 E1 17 68 68 E6 A8 BB 97 A0 8C 80  ;�..��.hh樻����
00000200  D5 98 7D DC 63 DF 2A 6C 31 96 BF A7 E8 58 34 97  ՘}�c�*l1����X4�
00000210  6B 4E 08 A8 92 59 64 2B C2 8C 58 94 E0 8B 81 EA  kN.��Yd+ŒX���.�
00000220  7C 66 B8 9D 30 E7 54 7C B6 1F 83 3D 7E 3B 99 9E  |f�.0�T|�.�=~;��
00000230  E3 92 FC CC B2 BD 2A 63 65 1D B4 6C 11 F4 F7 CE  ���̲�*ce.�l.���
00000240  87 B1 93 ED EB B2 46 D4 7C 0F 00 07 EE 5D 7F 50  ������F�|...�].P
00000250  A8 C0 39 5B 11 4E F1 D3 5A E1 27 F8 C7 13 B8 2B  ��9[.N��Z�'��.�+
00000260  13 F0 9C 6E 0A 85 56 42 7B CD 92 85 98 47 63 7A  .��n.�VB{͒��Gcz
00000270  71 5F 9A F2 4B 8A 74 79 7F E7 AA 68 3B C2 9D FC  q_��K�ty.��h;�.�
00000280  59 6F D7 4E 0D 05 E4 B5 11 01 6A 55 63 27 30 A7  Yo�N..��..jUc'0�
00000290  82 39 17 E3 13 12 6B C3 3F A0 28 3B 6D 21 00 49  �9.�..k�?�(;m!.I
000002A0  AB 74 F8 EC D0 98 06 37 84 60 EF BB C6 11 5B CF  �t��И.7�`���.[�
000002B0  46 38 98 B5 54 62 28 1E 88 E3 50 12 EB 14 00 00  F8��Tb(.��P.�...
000002C0  00 8F EB C9 DD EA 44 18 D4 9B 2B 15 38 7C 93 A3  ..����D.ԛ+.8|��
000002D0  D7 5D 12 56 D7 01 00 00 00 D0 8C 9D DF 01 15 D1  �].V�....Ќ.�..�
000002E0  11 8C 7A 00 C0 4F C2 97 EB 01 00 00 00 31 16 E2  .�z.�O�....1.�
000002F0  B7 9B C6 8B 44 B5 B4 95 C2 FC 42 80 4E 00 00 00  ��ƋD�����B�N...
00000300  00 18 00 00 00 45 00 78 00 70 00 6F 00 72 00 74  .....E.x.p.o.r.t
00000310  00 20 00 46 00 6C 00 61 00 67 00 00 00 03 66 00  . .F.l.a.g....f.
00000320  00 A8 00 00 00 10 00 00 00 49 E8 51 A3 D1 9B 32  .�.......I�Q�ћ2
00000330  7D FE 24 23 52 AA A0 C5 4C 00 00 00 00 04 80 00  }�$#R���L.....�.
00000340  00 A0 00 00 00 10 00 00 00 A5 B3 E8 43 6D 7D FC  .�.......���Cm}�
00000350  C6 C7 4C DB BC 70 2B C3 06 08 00 00 00 8B EC 1B  ��Lۼp+�.....��.
00000360  CE 7E C5 53 95 14 00 00 00 C7 21 8C 16 32 05 61  �~�S�....�!�.2.a
00000370  4E 8B 6E 93 51 47 BA 93 73 06 37 8A A9           N�n�QG��s.7��

I converted this to a .snk file using the Strong Name Tool (sn.exe) and extracted the public key and public key token:

Microsoft (R) .NET Framework Strong Name Utility  Version 1.1.4322.573
Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.

Public key is
00a4000004800000140100000602000000a4000052534131000800000100010091ad3c1a729318
05fc13de085afe4061ef7d9054f1a11c0e7f381dfef56d52aea47c4c64024e038c5c4def23f23f
c336e09a0a4e2a0ac8d37d8242df95e7c3af43e33aa5f7b8b372186504e20dfc66b5cf47e471f2
b9c9b100dcab035a274fc46ac943fb5c8fdb1ca92ac75c16b003a463448160d799fb17e0e97c03
ea2228191b2577aed30bb1ae7f13dae78ae664947f9625472d0911f8fd4434bb839851fd3fd1a8
abb9fa7a44ce756a5beb7d89310e5bb8586cf3873a0b43406654ff09c4d34c863b6c76e4060b35
e5471b7e7d88cf0ac678816ab3f5d21d9a3a2bd5278ca4ed89d5ff63862271613ea3b41ddb33a4
32cdcc455fc640193ee8d5677c80bd

Public key token is da513e638861e03d

[s.wnry] – Zip file Containing Tor Executable and Related DLLS
– Drops Data Folder
– Drops Tor folder with DLLS and tor.exe

Upon clicking "Decrypt" it reads the file 00000000.res; its purpose is unknown at this time, perhaps it is the payment confirmation or relates to the private key.

[f.wnry] – File Decryption List (the files the decryptor offers to decrypt for free as a demo)

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000 43 3A 5C 50 79 74 68 6F 6E 32 37 5C 4C 69 62 5C C:\Python27\Lib\
00000010 65 6D 61 69 6C 5C 74 65 73 74 5C 64 61 74 61 5C email\test\data\
00000020 6D 73 67 5F 31 33 2E 74 78 74 2E 57 4E 43 52 59 msg_13.txt.WNCRY
00000030 0D 0A 43 3A 5C 44 6F 63 75 6D 65 6E 74 73 20 61 ..C:\Documents a
00000040 6E 64 20 53 65 74 74 69 6E 67 73 5C 41 6C 6C 20 nd Settings\All
00000050 55 73 65 72 73 5C 41 70 70 6C 69 63 61 74 69 6F Users\Applicatio
00000060 6E 20 44 61 74 61 5C 4D 69 63 72 6F 73 6F 66 74 n Data\Microsoft
00000070 5C 55 73 65 72 20 41 63 63 6F 75 6E 74 20 50 69 \User Account Pi
00000080 63 74 75 72 65 73 5C 63 65 72 62 65 72 75 73 2E ctures\cerberus.
00000090 62 6D 70 2E 57 4E 43 52 59 0D 0A 43 3A 5C 44 6F bmp.WNCRY..C:\Do
000000A0 63 75 6D 65 6E 74 73 20 61 6E 64 20 53 65 74 74 cuments and Sett
000000B0 69 6E 67 73 5C 63 65 72 62 65 72 75 73 5C 4C 6F ings\cerberus\Lo
000000C0 63 61 6C 20 53 65 74 74 69 6E 67 73 5C 41 70 70 cal Settings\App
000000D0 6C 69 63 61 74 69 6F 6E 20 44 61 74 61 5C 4D 6F lication Data\Mo
000000E0 7A 69 6C 6C 61 5C 46 69 72 65 66 6F 78 5C 50 72 zilla\Firefox\Pr
000000F0 6F 66 69 6C 65 73 5C 32 72 78 79 78 70 30 68 2E ofiles\2rxyxp0h.
00000100 64 65 66 61 75 6C 74 5C 74 68 75 6D 62 6E 61 69 default\thumbnai
00000110 6C 73 5C 35 35 36 62 39 34 65 65 63 61 64 33 39 ls\556b94eecad39
00000120 30 30 38 36 35 63 30 31 31 62 34 61 36 38 30 61 00865c011b4a680a
00000130 35 38 36 2E 70 6E 67 2E 57 4E 43 52 59 0D 0A 43 586.png.WNCRY..C
00000140 3A 5C 50 79 74 68 6F 6E 32 37 5C 69 6E 63 6C 75 :\Python27\inclu
00000150 64 65 5C 66 75 6E 63 6F 62 6A 65 63 74 2E 68 2E de\funcobject.h.
00000160 57 4E 43 52 59 0D 0A 43 3A 5C 50 79 74 68 6F 6E WNCRY..C:\Python
00000170 32 37 5C 74 63 6C 5C 74 63 6C 38 2E 35 5C 6D 73 27\tcl\tcl8.5\ms
00000180 67 73 5C 65 73 5F 63 6F 2E 6D 73 67 2E 57 4E 43 gs\es_co.msg.WNC
00000190 52 59 0D 0A

Wana Decrypt0r lets you test its decryption functionality; this is the list of files it shows you for that.

I was able to bypass the payment option, but keep in mind this will only bring you false hope: it will say your files have been decrypted, however they were not, as the CryptDecrypt API call fails without the correct private key in 00000000.dky:



Next the cryptographic key is imported with CryptImportKey. The dump below is the memory the key handle points at after the call; note the provider name "Microsoft Enhanced RSA and AES Cryptographic Provider (Prototype)" (the Windows XP name of the AES CSP) and the debug-heap fill patterns (0xBAADF00D for uninitialised allocations, 0xABABABAB guard bytes, 0xFEEEFEEE for freed blocks). It is the CSP's internal key state rather than a PUBLICKEYSTRUC blob, which would start with bType 0x06 and the "RSA1" magic:

[CryptImportKey] – memory around the imported key handle

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000 46 FB 00 68 17 F0 00 68 B1 AF 00 68 86 D0 00 68 F�.h.�.h��.h��.h
00000010 60 94 00 68 38 96 00 68 22 9A 00 68 24 BA 00 68 `�.h8�.h"�.h$�.h
00000020 8A BF 00 68 8E 6C 00 68 00 71 00 68 BA 74 00 68 ��.h�l.h.q.h�t.h
00000030 56 7E 00 68 A0 7F 00 68 D1 82 00 68 22 DA 00 68 V~.h�..hт.h"�.h
00000040 0A DF 00 68 A7 D7 00 68 62 95 00 68 6D 9E 00 68 .�.h��.hb�.hm�.h
00000050 9C 9F 00 68 6F A5 00 68 91 C8 00 68 00 00 00 00 ��.ho�.h��.h....
00000060 AE AA 00 68 2E 85 00 68 00 00 00 00 00 00 00 68 ��.h.�.h.......h
00000070 F4 CF 4C E3 11 11 11 11 01 00 00 00 01 00 00 00 ��L�............
00000080 AB AB AB AB AB AB AB AB 00 00 00 00 00 00 00 00 ��������........
00000090 07 00 13 00 F9 07 18 00 00 00 00 00 00 81 16 00 ....�...........
000000A0 68 E1 97 7C B8 7E 16 00 00 00 00 00 00 00 00 00 h��|�~..........
000000B0 0D F0 AD BA 0D F0 AD BA AB AB AB AB AB AB AB AB .���. �������
000000C0 00 00 00 00 00 00 00 00 0C 00 07 00 C2 07 1E 00 ............�...
000000D0 4D 69 63 72 6F 73 6F 66 74 20 45 6E 68 61 6E 63 Microsoft Enhanc
000000E0 65 64 20 52 53 41 20 61 6E 64 20 41 45 53 20 43 ed RSA and AES C
000000F0 72 79 70 74 6F 67 72 61 70 68 69 63 20 50 72 6F ryptographic Pro
00000100 76 69 64 65 72 20 28 50 72 6F 74 6F 74 79 70 65 vider (Prototype
00000110 29 00 AB AB AB AB AB AB AB AB EE FE EE FE EE FE ).��������������
00000120 00 00 00 00 00 00 00 00 06 00 0C 00 CE 07 1C 00 ............�...
00000130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000140 00 00 00 00 AB AB AB AB AB AB AB AB EE FE EE FE ....������������
00000150 00 00 00 00 00 00 00 00 0D 00 06 00 EE 14 EE 00 ............�.�.
00000160 E0 01 15 00 E0 01 15 00 EE FE EE FE EE FE EE FE �...�...��������
00000170 EE FE EE FE EE FE EE FE EE FE EE FE EE FE EE FE ����������������
00000180 EE FE EE FE EE FE EE FE EE FE EE FE EE FE EE FE ����������������
00000190 EE FE EE FE EE FE EE FE EE FE EE FE EE FE EE FE ����������������
000001A0 EE FE EE FE EE FE EE FE EE FE EE FE EE FE EE FE ����������������
000001B0 EE FE EE FE EE FE EE FE EE FE EE FE EE FE EE FE ����������������

CryptImportKey succeeded and returned a non-zero value (1), which means the key blob is valid. On failure it returns zero, and GetLastError then reports the reason, for example NTE_BAD_DATA.

Reference to MSDN: https://msdn.microsoft.com/en-us/library/windows/desktop/aa380207(v=vs.85).aspx

However, this is only dealing with the public key 00000000.pky, so you can't decrypt with this.

So this really is false hope. However, there is a way to decrypt files on Windows XP, provided you have not rebooted the system, by obtaining the private key blob from memory. I did also find a private key on disk while doing my research, however I have not been able to prove it is part of this malware; I will update the post if anything develops from it.

Also, if you wish to take this a step further, you can do cp 00000000.pky 00000000.dky; this lets you bypass the checks for 00000000.dky so you can examine the CryptDecrypt functionality more closely. Again, without the right key (the .dky is supposed to hold the decrypted private key) this will fail.
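As an added example (not from the original post), here is a parser for the CryptoAPI RSA key blob format that CryptImportKey consumes, with support for the 12-byte .NET header that wraps it in the "Public key is" output sn.exe printed above. It recovers the BLOBHEADER fields, the RSA1/RSA2 magic, key size and exponent, recomputes the .NET public key token (the last 8 bytes of the SHA-1 over the whole public key, byte-reversed) so you can check it against the "Public key token is" line above, and reports whether a blob carries private components. That last flag is the reason the cp 00000000.pky 00000000.dky trick can never decrypt anything: the copied blob imports fine but is RSA1 with no private half. The hex constant is copied from the sn.exe output above.

```python
import hashlib
import struct

PUBLICKEYBLOB, PRIVATEKEYBLOB = 0x06, 0x07
CALG_RSA_KEYX, CALG_RSA_SIGN = 0x0000A400, 0x00002400

# 'Public key is' hex from the sn.exe output above (copied from the post).
SNK_PUBLIC_KEY_HEX = """
00a4000004800000140100000602000000a4000052534131000800000100010091ad3c1a729318
05fc13de085afe4061ef7d9054f1a11c0e7f381dfef56d52aea47c4c64024e038c5c4def23f23f
c336e09a0a4e2a0ac8d37d8242df95e7c3af43e33aa5f7b8b372186504e20dfc66b5cf47e471f2
b9c9b100dcab035a274fc46ac943fb5c8fdb1ca92ac75c16b003a463448160d799fb17e0e97c03
ea2228191b2577aed30bb1ae7f13dae78ae664947f9625472d0911f8fd4434bb839851fd3fd1a8
abb9fa7a44ce756a5beb7d89310e5bb8586cf3873a0b43406654ff09c4d34c863b6c76e4060b35
e5471b7e7d88cf0ac678816ab3f5d21d9a3a2bd5278ca4ed89d5ff63862271613ea3b41ddb33a4
32cdcc455fc640193ee8d5677c80bd
"""


def parse_capi_rsa_blob(blob):
    """Parse the RSA key blob layout CryptImportKey consumes.

    BLOBHEADER { bType, bVersion, reserved, aiKeyAlg } is followed by
    RSAPUBKEY { magic, bitlen, pubexp } and the little-endian modulus.
    Magic 'RSA1' is a PUBLICKEYBLOB; 'RSA2' is a PRIVATEKEYBLOB that goes on
    to carry p, q, dp, dq, iq (bitlen/16 bytes each) and d (bitlen/8 bytes).
    """
    btype, bversion, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if btype not in (PUBLICKEYBLOB, PRIVATEKEYBLOB) or magic not in (b"RSA1", b"RSA2"):
        raise ValueError("not an RSA PUBLICKEYBLOB/PRIVATEKEYBLOB")
    nbytes = bitlen // 8
    if len(blob) < 20 + nbytes:
        raise ValueError("blob shorter than its declared modulus")
    modulus = int.from_bytes(blob[20:20 + nbytes], "little")
    private_len = 20 + nbytes + 5 * (nbytes // 2) + nbytes
    return {
        "type": "private" if btype == PRIVATEKEYBLOB else "public",
        "version": bversion,
        "alg": alg,
        "magic": magic.decode("ascii"),
        "bits": bitlen,
        "exponent": pubexp,
        "modulus": modulus,
        # CryptDecrypt needs this; a renamed .pky can never satisfy it.
        "has_private_half": magic == b"RSA2" and len(blob) >= private_len,
    }


def parse_snk_public_key(hex_text):
    """Parse the .NET public key that sn.exe -tp prints.

    A 12-byte header (SigAlgId, HashAlgId, cbPublicKey) wraps a plain CryptoAPI
    PUBLICKEYBLOB. The public key token is the last 8 bytes of SHA-1 over the
    whole public key, header included, written in reversed byte order.
    """
    raw = bytes.fromhex("".join(hex_text.split()))
    sig_alg, hash_alg, blob_len = struct.unpack_from("<III", raw, 0)
    blob = raw[12:12 + blob_len]
    if len(blob) != blob_len:
        raise ValueError("truncated public key")
    info = parse_capi_rsa_blob(blob)
    info["sig_alg"], info["hash_alg"] = sig_alg, hash_alg
    info["token"] = hashlib.sha1(raw).digest()[-8:][::-1].hex()
    return info


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # e.g. 00000000.pky or 00000000.dky
        info = parse_capi_rsa_blob(open(sys.argv[1], "rb").read())
    else:
        info = parse_snk_public_key(SNK_PUBLIC_KEY_HEX)
    for k, v in info.items():
        print(f"{k:<17} {v:x}" if k == "modulus" else f"{k:<17} {v}")
```

Run it against 00000000.pky and a copied-over 00000000.dky: both parse as RSA1 with has_private_half False, which is exactly why CryptImportKey is happy and CryptDecrypt is not. A real .dky parses as RSA2 with the private half present.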

IOCS

Domains:
gx7ekbenv2riucmf[dot]onion
57g7spgrzlojinas[dot]onion
xxlvbrloxvriy2c5[dot]onion
76jdd2ir2embyv47[dot]onion
cwwnhwhlz52maqm7[dot]onion

Bitcoin Wallet Address
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Hashes
MD5:                               Filename:                      Description:
ad4c9de7c8c40813f200ba1c2fa33083 - s.wnry                       - Zip File Containing tor.exe
f2675f5d30b40ec0172657def54fe56c - 00000000.pky                 - Public Encryption Key
2b8664632284bd24af379ba24684df31 - 00000000.pky.snk             - Public Encryption Key in Strong Name Format
dcf96a8e01ddab22d93b9ff816489338 - c.wnry                       - Tor Domain Configuration with Bitcoin Wallet Address
3e0020fc529b1c2a061016dd2469ba96 - r.wnry                       - WannaCry FAQ Text
5dcaac857e695a65f5c3ef1441a73a8f - t.wnry                       - Unknown Encrypted File with WANACRY! Flag at 0x0
c17170262312f3be7027bc2ca825bf0c - b.wnry                       - Bitmap Image for Wallpaper after Infection
4532a8afcc5d78b07b4fec0008ebf41a - 00000000.eky                 - Encryption Key but it's encrypted
84c82835a5d21bbcf75a61706d8ab549 - wannacry.exe                 - Copy of Ransomware
8495400f199ac77853c53b5a3f278f3e - taskse.exe                   - Not sure of purpose yet
4fef5e34143e646dbf9907c4374276f5 - taskdl.exe                   - Not sure of purpose yet
95673b0f968c0f55b32204361940d184 - m_bulgarian.wnry             - Language Strings File
0252d45ca21c8e43c9742285c48e91ad - m_chinese (simplified).wnry  - Language Strings File
2efc3690d67cd073a9406a25005f7cea - m_chinese (traditional).wnry - Language Strings File
17194003fa70ce477326ce2f6deeb270 - m_croatian.wnry              - Language Strings File
537efeecdfa94cc421e58fd82a58ba9e - m_czech.wnry                 - Language Strings File
2c5a3b81d5c4715b7bea01033367fcb5 - m_danish.wnry                - Language Strings File
7a8d499407c6a647c03c4471a67eaad7 - m_dutch.wnry                 - Language Strings File
fe68c2dc0d2419b38f44d83f2fcf232e - m_english.wnry               - Language Strings File
08b9e69b57e4c9b966664f8e1c27ab09 - m_filipino.wnry              - Language Strings File
35c2f97eea8819b1caebd23fee732d8f - m_finnish.wnry               - Language Strings File
4e57113a6bf6b88fdd32782a4a381274 - m_french.wnry                - Language Strings File
3d59bbb5553fe03a89f817819540f469 - m_german.wnry                - Language Strings File
fb4e8718fea95bb7479727fde80cb424 - m_greek.wnry                 - Language Strings File
3788f91c694dfc48e12417ce93356b0f - m_indonesian.wnry            - Language Strings File
30a200f78498990095b36f574b6e8690 - m_italian.wnry               - Language Strings File
b77e1221f7ecd0b5d696cb66cda1609e - m_japanese.wnry              - Language Strings File
6735cb43fe44832b061eeb3f5956b099 - m_korean.wnry                - Language Strings File
c33afb4ecc04ee1bcc6975bea49abe40 - m_latvian.wnry               - Language Strings File
ff70cc7c00951084175d12128ce02399 - m_norwegian.wnry             - Language Strings File
e79d7f2833a9c2e2553c7fe04a1b63f4 - m_polish.wnry                - Language Strings File
fa948f7d8dfb21ceddd6794f2d56b44f - m_portuguese.wnry            - Language Strings File
313e0ececd24f4fa1504118a11bc7986 - m_romanian.wnry              - Language Strings File
452615db2336d60af7e2057481e4cab5 - m_russian.wnry               - Language Strings File
c911aba4ab1da6c28cf86338ab2ab6cc - m_slovak.wnry                - Language Strings File
8d61648d34cba8ae9d1e2a219019add1 - m_spanish.wnry               - Language Strings File
c7a19984eb9f37198652eaf2fd1ee25c - m_swedish.wnry               - Language Strings File
531ba6b1a5460fc9446946f91cc8c94b - m_turkish.wnry               - Language Strings File
8419be28a0dcec3f55823620922b00fa - m_vietnamese.wnry            - Language Strings File
7bf2b57f2a205768755c07f238fb32cc - u.wnry                       - Same as @WanaDecryptor@.exe
7bf2b57f2a205768755c07f238fb32cc - @WanaDecryptor@.exe          - Same as u.wnry