<p>DeepDive, by Mohamed Labib (DetectiveStrings, DFIR Master), published 2021-10-28. Original URL: https://detectivestrings.github.io/walkthrough/cyberdefenders/memory%20forensics/dfir/DeepDive</p>
<h1 id="about-challenge">About Challenge.</h1>
<p>Name : DeepDive.</p>
<p>Challenge Link : https://www.cyberdefenders.org/labs/78</p>
<p>Scenario : You are given a memory image of a compromised machine. Analyze the image and figure out the attack details.</p>
<p>Questions : 10</p>
<p>File Name : banking-malware.vmem</p>
<p>Tool : volatility</p>
<h1 id="solution">Solution</h1>
<p>In this writeup we are using volatility 2.</p>
<h2 id="1--what-profile-should-you-use-for-this-memory-sample">1- What profile should you use for this memory sample?</h2>
<p>To get the profile of the image we need to use <code class="language-plaintext highlighter-rouge">imageinfo</code> plugin.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> banking-malware.vmem imageinfo
</code></pre></div></div>
<p>Output:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile<span class="o">(</span>s<span class="o">)</span> : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
AS Layer1 : WindowsAMD64PagedMemory <span class="o">(</span>Kernel AS<span class="o">)</span>
AS Layer2 : FileAddressSpace <span class="o">(</span>/home/<span class="k">******************</span>/CyberDefenders/DeepDive/banking-malware.vmem<span class="o">)</span>
PAE <span class="nb">type</span> : No PAE
DTB : 0x187000L
KDBG : 0xf80002bef120L
Number of Processors : 1
Image Type <span class="o">(</span>Service Pack<span class="o">)</span> : 1
KPCR <span class="k">for </span>CPU 0 : 0xfffff80002bf1000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image <span class="nb">date </span>and <span class="nb">time</span> : 2021-02-09 00:51:25 UTC+0000
Image <span class="nb">local date </span>and <span class="nb">time</span> : 2021-02-08 22:51:25 <span class="nt">-0200</span>
</code></pre></div></div>
<h2 id="2--what-is-the-kdbg-virtual-address-of-the-memory-sample">2- What is the KDBG virtual address of the memory sample?</h2>
<p>The answer to this question is in the output of the first one (the <code class="language-plaintext highlighter-rouge">KDBG</code> line).</p>
<h2 id="3--there-is-a-malicious-process-running-but-it-is-hidden-what-is-its-name">3- There is a malicious process running, but it is hidden. What is its name?</h2>
<p>Since the process is hidden, we cannot find it using the <code class="language-plaintext highlighter-rouge">pslist</code> plugin: a common way to hide a process is to unlink it from the <code class="language-plaintext highlighter-rouge">ActiveProcessLinks</code> doubly-linked list that <code class="language-plaintext highlighter-rouge">pslist</code> walks.</p>
<p>It’s better to use <code class="language-plaintext highlighter-rouge">psxview</code> because it looks for running processes using 7 different methods (unlike other plugins, which use only one), so a process that hides from one method still shows up in the others.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> banking-malware.vmem <span class="nt">--profile</span> Win7SP1x64_24000 psxview
</code></pre></div></div>
<p>Output:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Offset<span class="o">(</span>P<span class="o">)</span> Name PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
<span class="nt">------------------</span> <span class="nt">--------------------</span> <span class="nt">------</span> <span class="nt">------</span> <span class="nt">------</span> <span class="nt">--------</span> <span class="nt">------</span> <span class="nt">-----</span> <span class="nt">-------</span> <span class="nt">--------</span> <span class="nt">--------</span>
0x000000007e651b00 services.exe 500 True True True True True True False
0x000000007d9b4b00 svchost.exe 1772 True True True True True True True
0x000000007d2e5060 VSSVC.exe 2104 True True True True True True True
0x000000007da4bb00 lsm.exe 516 True True True True True True False
0x000000007d38cb00 vm3dservice.ex 2416 True True True True True True True
0x000000007d97f940 svchost.exe 356 True True True True True True True
0x000000007d827710 svchost.exe 636 True True True True True True True
0x000000007fe47b00 CompatTelRunne 996 True True True True True True True
0x000000007cf2fb00 WmiPrvSE.exe 3488 True True True True True True True
0x000000007da0a060 winlogon.exe 480 True True True True True True True
0x000000007d2735e0 dllhost.exe 2044 True True True True True True True
0x000000007fcf0b00 sppsvc.exe 3016 True True True True True True True
0x000000007d8ce920 WmiApSrv.exe 3692 True True True True True True True
0x000000007d68c6b0 OfficeClickToR 1232 True True True True True True True
0x000000007d353b00 dwm.exe 2236 True True True True True True True
0x000000007e770060 SDXHelper.exe 2828 True True True True True True True
0x000000007db38930 lsass.exe 508 True True True True True True False
0x000000007d2f3580 dllhost.exe 3188 True True True True True True True
0x000000007d5d7b00 WmiPrvSE.exe 1812 True True True True True True True
0x000000007e682b00 taskhost.exe 2344 True True True True True True True
0x000000007feb8b00 vmtoolsd.exe 1484 True True True True True True True
0x000000007d24d2f0 SDXHelper.exe 3200 True True True True True True True
0x000000007e5f45c0 svchost.exe 704 True True True True True True True
0x000000007d6bab00 VGAuthService. 1432 True True True True True True True
0x000000007d6dbb00 msdtc.exe 1968 True True True True True True True
0x000000007ddcf060 svchost.exe 916 True True True True True True True
0x000000007d336950 vds_ps.exe 2448 False False True True True True True
0x000000007d2508c0 conhost.exe 3028 True True True True True True True
0x000000007df7db00 SearchIndexer. 2616 True True True True True True True
0x000000007d678060 wmpnetwk.exe 856 True True True True True True True
0x000000007e8906d0 wininit.exe 412 True True True True True True True
0x000000007d33eb00 taskhost.exe 2192 True True True True True True True
0x000000007eae4060 CompatTelRunne 2984 True True True True True True True
0x000000007e1bfb00 svchost.exe 3324 True True True True True True False
0x000000007d69bb00 svchost.exe 1288 True True True True True True True
0x000000007d902060 svchost.exe 868 True True True True True True True
0x000000007d9ff610 svchost.exe 1132 True True True True True True True
0x000000007d3fc3e0 vmtoolsd.exe 2424 True True True True True True True
0x000000007d35db00 explorer.exe 2260 True True True True True True True
0x000000007d203930 dllhost.exe 1832 True True True True True True True
0x000000007d929370 audiodg.exe 1008 True True True True True True True
0x000000007db26b00 svchost.exe 3084 True True True True True True True
0x000000007e462b00 CompatTelRunne 2688 True True True True True True True
0x000000007d3535a0 taskeng.exe 2244 True True True True True True True
0x000000007d8a7b00 svchost.exe 756 True True True True True True True
0x000000007d24da30 SDXHelper.exe 3196 True True True True True True True
0x000000007d989b00 spoolsv.exe 1096 True True True True True True True
0x000000007ddc4060 svchost.exe 960 True True True True True True True
0x000000007fd4a6e0 ipconfig.exe 4008 True True False True False True False 2021-02-09 00:51:25 UTC+0000
0x000000007dde39a0 csrss.exe 360 True True True True False True True
0x000000007fc46b00 cmd.exe 3732 True True False True False True False 2021-02-09 00:51:25 UTC+0000
0x000000007ee7d6c0 smss.exe 272 True True True True False False False
0x000000007e9c6060 csrss.exe 424 True True True True False True True
0x000000007ffad860 System 4 True True True True False False False
0x000000007fc52060 conhost.exe 3848 True True False True False True False 2021-02-09 00:51:25 UTC+0000
</code></pre></div></div>
<p>The malware used two methods to hide: first it unlinked itself from the <code class="language-plaintext highlighter-rouge">ActiveProcessLinks</code> list (so the <code class="language-plaintext highlighter-rouge">pslist</code> column is False), and then it changed the process object signature (so the <code class="language-plaintext highlighter-rouge">psscan</code> column is False as well).</p>
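<p>As an added example (not code from the writeup), the same check as a small triage helper: it parses psxview output and flags any running process that is missing from one of the core sources (pslist, psscan, thrdproc, pspcid) while still visible to the others. The sample rows are copied from the table above; exited processes are skipped because they legitimately lose threads and handles, and the csrss/session/deskthrd columns are not used because System, smss.exe and csrss.exe are legitimately absent from them.</p>

```python
# Added example: triage psxview output for hidden processes (not code from the writeup).
SOURCES = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")
# A running process absent from one of these while present elsewhere is worth a look;
# csrss/session/deskthrd are left out because System, smss.exe and csrss.exe are
# legitimately missing from them.
CORE_SOURCES = ("pslist", "psscan", "thrdproc", "pspcid")

# Rows taken from the psxview table above (header and separator lines kept to exercise the parser)
SAMPLE_PSXVIEW = """\
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x000000007e651b00 services.exe            500 True   True   True     True   True  True    False
0x000000007d336950 vds_ps.exe             2448 False  False  True     True   True  True    True
0x000000007fd4a6e0 ipconfig.exe           4008 True   True   False    True   False True    False    2021-02-09 00:51:25 UTC+0000
0x000000007ee7d6c0 smss.exe                272 True   True   True     True   False False   False
0x000000007ffad860 System                    4 True   True   True     True   False False   False
"""


def parse_psxview(text):
    """Turn psxview's text table into one dict per process."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows start with a physical offset and carry at least name, pid and the 7 flags
        if len(parts) >= 10 and parts[0].startswith("0x"):
            row = {"offset": int(parts[0], 16), "name": parts[1], "pid": int(parts[2])}
            for source, value in zip(SOURCES, parts[3:10]):
                row[source] = (value == "True")
            # Anything after the 7 flags is the ExitTime column (absent for running processes)
            row["exit_time"] = " ".join(parts[10:]) or None
            rows.append(row)
    return rows


def find_hidden(rows):
    """Return (name, pid, missing_sources) for running processes that some core source cannot see."""
    hits = []
    for row in rows:
        if row["exit_time"]:
            continue  # terminated: losing thrdproc/csrss/... entries is expected
        missing = [source for source in CORE_SOURCES if not row[source]]
        if missing and any(row[source] for source in SOURCES):
            hits.append((row["name"], row["pid"], missing))
    return hits


def explain(missing):
    """Map the missing sources to the hiding technique they usually indicate."""
    notes = []
    if "pslist" in missing:
        notes.append("unlinked from ActiveProcessLinks (DKOM)")
    if "psscan" in missing:
        notes.append("pool tag or object header altered, so pool scanning misses it")
    return "; ".join(notes)


if __name__ == "__main__":
    for name, pid, missing in find_hidden(parse_psxview(SAMPLE_PSXVIEW)):
        print("%s (PID %d): missing from %s -> %s" % (name, pid, ", ".join(missing), explain(missing)))
```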
<h2 id="4--what-is-the-physical-offset-of-the-malicious-process">4- What is the physical offset of the malicious process?</h2>
<p>The <code class="language-plaintext highlighter-rouge">psxview</code> plugin shows the physical offset of each process in its <code class="language-plaintext highlighter-rouge">Offset(P)</code> column, so you can use the 3rd question’s output to answer this one.</p>
<h2 id="5--what-is-the-full-path-including-executable-name-of-the-hidden-executable">5- What is the full path (including executable name) of the hidden executable?</h2>
<p>The easiest method to solve this question is to list all file objects with <code class="language-plaintext highlighter-rouge">filescan</code> and grep for the malware name, since we already got its name from the 3rd question.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> banking-malware.vmem <span class="nt">--profile</span> Win7SP1x64_24000 filescan | <span class="nb">grep</span> <hidden_process_name>
</code></pre></div></div>
<h2 id="6--which-malware-is-this">6- Which malware is this?</h2>
<p>This is such a funny question :D of course you can use the challenge poster to solve it.</p>
<p><a href="/assets/images/CyberDefenders/DeepDive/m1.gif"><img src="/assets/images/CyberDefenders/DeepDive/m1.gif" alt="1" /></a></p>
<p>But we will not do that.</p>
<p>We need to find the IOCs of this malware.</p>
<p>By IOCs we mean an obvious artifact of the malware that we can use to identify its family; we will not go deep into the exe, so we will just take a look at its <code class="language-plaintext highlighter-rouge">strings</code>.</p>
<p>Let’s start by extracting the process with the <code class="language-plaintext highlighter-rouge">procdump</code> plugin, using its physical address from the 4th question.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> banking-malware.vmem <span class="nt">--profile</span> Win7SP1x64_24000 procdump <span class="nt">--offset</span><span class="o">=</span><process_physical_address> <span class="nt">-D</span> <span class="nb">.</span>
</code></pre></div></div>
<p>Then use the <code class="language-plaintext highlighter-rouge">strings</code> utility to search for any interesting string that might be unique to this malware.</p>
<p>Output:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>snip
RegQueryValueExA
RegSetValueExA
ADVAPI32.dll
DragFinish
DragQueryFileA
SHELL32.dll
COMCTL32.dll
InterlockedExchange
UnregisterClassA
@P<span class="k">*</span>w<span class="nv">$@</span>?97wKE9+Vey0babhTz2gVn_0Xb5q5sACHJ<span class="nv">$qpLa</span>@
l-rE
kernel32.dll
VirtualAllocExNuma
CreateDirectoryA
kernel32.dll
C:<span class="se">\W</span>indows<span class="se">\M</span>icrosoft.NET
LdrFin
dReso
urce_U
Acces
snip
</code></pre></div></div>
<p><code class="language-plaintext highlighter-rouge">@P*w$@?97wKE9+Vey0babhTz2gVn_0Xb5q5sACHJ$qpLa@</code> looks interesting; a quick Google search linked it to a sandbox <a href="https://www.joesandbox.com/analysis/311160/0/html">report</a> in which the malware was detected by a YARA rule.</p>
<h2 id="7--the-malicious-process-had-two-pes-injected-into-its-memory-whats-the-size-in-bytes-of-the-vad-that-contains-the-largest-injected-pe-answer-in-hex-like-0xabc">7- The malicious process had two PEs injected into its memory. What’s the size in bytes of the Vad that contains the largest injected PE? Answer in hex, like: 0xABC</h2>
<p>The process had two PEs injected into it, which means there are two executable VADs, protected as either <code class="language-plaintext highlighter-rouge">PAGE_EXECUTE_WRITECOPY</code> or <code class="language-plaintext highlighter-rouge">PAGE_EXECUTE_READWRITE</code>; and since the injected PEs are not DLLs mapped from disk, those VADs may not have any <code class="language-plaintext highlighter-rouge">FileObject</code>.</p>
<p>Before developing a plugin to extract the VADs, I thought of using the <code class="language-plaintext highlighter-rouge">malfind</code> plugin to get the VAD addresses.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> banking-malware.vmem <span class="nt">--profile</span> Win7SP1x64_24000 malfind <span class="nt">--offset</span><span class="o">=</span><malware_physical_address>
</code></pre></div></div>
<p>Output:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Process: xxxx.exe Pid: xxxx Address: 0x220000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 32, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x0000000000220000 e8 00 00 00 00 58 89 c3 05 29 05 00 00 81 c3 29 .....X...<span class="o">)</span>.....<span class="o">)</span>
0x0000000000220010 f7 01 00 68 01 00 00 00 68 05 00 00 00 53 68 80 ...h....h....Sh.
0x0000000000220020 7b 1c ed 50 e8 04 00 00 00 83 c4 14 c3 83 ec 48 <span class="o">{</span>..P...........H
0x0000000000220030 83 64 24 18 00 b9 4c 77 26 07 53 55 56 57 33 f6 .d<span class="nv">$.</span>..Lw&.SUVW3.
0x0000000000220000 e800000000 CALL 0x220005
0x0000000000220005 58 POP EAX
0x0000000000220006 89c3 MOV EBX, EAX
0x0000000000220008 0529050000 ADD EAX, 0x529
0x000000000022000d 81c329f70100 ADD EBX, 0x1f729
0x0000000000220013 6801000000 PUSH DWORD 0x1
0x0000000000220018 6805000000 PUSH DWORD 0x5
0x000000000022001d 53 PUSH EBX
0x000000000022001e 68807b1ced PUSH DWORD 0xed1c7b80
0x0000000000220023 50 PUSH EAX
0x0000000000220024 e804000000 CALL 0x22002d
0x0000000000220029 83c414 ADD ESP, 0x14
0x000000000022002c c3 RET
0x000000000022002d 83ec48 SUB ESP, 0x48
0x0000000000220030 8364241800 AND DWORD <span class="o">[</span>ESP+0x18], 0x0
0x0000000000220035 b94c772607 MOV ECX, 0x726774c
0x000000000022003a 53 PUSH EBX
0x000000000022003b 55 PUSH EBP
0x000000000022003c 56 PUSH ESI
0x000000000022003d 57 PUSH EDI
0x000000000022003e 33f6 XOR ESI, ESI
Process: xxxx.exe Pid: xxxx Address: 0xxxxxxx
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 29, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x000000000xxx0000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x000000000xxx0010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x000000000xxx0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000000000xxx0030 00 00 00 00 00 00 00 00 00 00 00 00 b0 00 00 00 ................
0x000000000xxx0000 4d DEC EBP
0x000000000xxx0001 5a POP EDX
0x000000000xxx0002 90 NOP
0x000000000xxx0003 0003 ADD <span class="o">[</span>EBX], AL
0x000000000xxx0005 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0007 000400 ADD <span class="o">[</span>EAX+EAX], AL
0x000000000xxx000a 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx000c ff DB 0xff
0x000000000xxx000d ff00 INC DWORD <span class="o">[</span>EAX]
0x000000000xxx000f 00b800000000 ADD <span class="o">[</span>EAX+0x0], BH
0x000000000xxx0015 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0017 004000 ADD <span class="o">[</span>EAX+0x0], AL
0x000000000xxx001a 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx001c 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx001e 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0020 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0022 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0024 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0026 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0028 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx002a 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx002c 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx002e 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0030 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0032 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0034 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0036 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0038 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx003a 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx003c b000 MOV AL, 0x0
0x000000000xxx003e 0000 ADD <span class="o">[</span>EAX], AL
Process: xxxx.exe Pid: xxxx Address: 0xxxxx
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 55, MemCommit: 1, PrivateMemory: 1, Protection: 6
0x000000000xxx0000 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x000000000xxx0010 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x000000000xxx0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0x000000000xxx0030 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 ................
0x000000000xxx0000 4d DEC EBP
0x000000000xxx0001 5a POP EDX
0x000000000xxx0002 90 NOP
0x000000000xxx0003 0003 ADD <span class="o">[</span>EBX], AL
0x000000000xxx0005 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0007 000400 ADD <span class="o">[</span>EAX+EAX], AL
0x000000000xxx000a 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx000c ff DB 0xff
0x000000000xxx000d ff00 INC DWORD <span class="o">[</span>EAX]
0x000000000xxx000f 00b800000000 ADD <span class="o">[</span>EAX+0x0], BH
0x000000000xxx0015 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0017 004000 ADD <span class="o">[</span>EAX+0x0], AL
0x000000000xxx001a 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx001c 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx001e 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0020 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0022 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0024 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0026 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0028 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx002a 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx002c 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx002e 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0030 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0032 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0034 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0036 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx0038 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx003a 0000 ADD <span class="o">[</span>EAX], AL
0x000000000xxx003c c8000000 ENTER 0x0, 0x0
</code></pre></div></div>
<p>There are three injected VADs: one holding a function and two holding executables (each starting with an <code class="language-plaintext highlighter-rouge">MZ</code> header).</p>
<p>The question asks about the larger of the two PE VADs, so we will get each VAD’s info using the <code class="language-plaintext highlighter-rouge">vadinfo</code> plugin and then calculate the size from its start and end addresses.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> banking-malware.vmem <span class="nt">--profile</span> Win7SP1x64_24000 vadinfo <span class="nt">-a</span> <first_PE_VAD_address> <span class="nt">--offset</span><span class="o">=</span><Malware_Physical_addresss>
vol.py <span class="nt">-f</span> banking-malware.vmem <span class="nt">--profile</span> Win7SP1x64_24000 vadinfo <span class="nt">-a</span> <second_PE_VAD_address> <span class="nt">--offset</span><span class="o">=</span><Malware_Physical_addresss>
</code></pre></div></div>
<p>Output:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">************************************************************************</span>
Pid: xxxx
VAD node @ 0xzzzzzzzzzzz Start 0xxxxxxxxxx End 0xyyyyyyyyy Tag VadS
Flags: CommitCharge: 29, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Vad Type: VadNone
<span class="k">************************************************************************</span>
Pid: xxxx
VAD node @ 0xzzzzzzzzzzz Start 0xxxxxxxxxx End 0xyyyyyyyyy Tag VadS
Flags: CommitCharge: 55, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Vad Type: VadNone
</code></pre></div></div>
<p>Calculate the size of each VAD (end - start); the answer is the larger of the two.</p>
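<p>As an added example (not code from the writeup), a parser for vadinfo output that computes each VAD’s size and picks the largest executable one. Note that vadinfo prints End as the last byte of the region, so the byte count is End - Start + 1; for a fully committed private region that equals CommitCharge pages times 0x1000, which is a handy cross-check. The Start/End addresses below are constructed placeholders chosen to match the writeup’s CommitCharge values (29 and 55 pages), not the challenge’s real addresses.</p>

```python
import re

PAGE_SIZE = 0x1000

# Constructed vadinfo output: the addresses are placeholders, the CommitCharge values are the writeup's
SAMPLE_VADINFO = """\
************************************************************************
Pid: 2448
VAD node @ 0xfffffa8001234560 Start 0x0000000000c50000 End 0x0000000000c6cfff Tag VadS
Flags: CommitCharge: 29, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Vad Type: VadNone
************************************************************************
Pid: 2448
VAD node @ 0xfffffa8001234a80 Start 0x0000000000c80000 End 0x0000000000cb6fff Tag VadS
Flags: CommitCharge: 55, MemCommit: 1, PrivateMemory: 1, Protection: 6
Protection: PAGE_EXECUTE_READWRITE
Vad Type: VadNone
"""

NODE_RE = re.compile(r"VAD node @ (0x[0-9a-fA-F]+) Start (0x[0-9a-fA-F]+) End (0x[0-9a-fA-F]+) Tag (\w+)")
COMMIT_RE = re.compile(r"CommitCharge: (\d+)")


def parse_vadinfo(text):
    """Return one dict per VAD node in vadinfo output (node, start, end, tag, size, commit_pages, protection)."""
    vads, current = [], None
    for line in text.splitlines():
        match = NODE_RE.search(line)
        if match:
            start, end = int(match.group(2), 16), int(match.group(3), 16)
            current = {
                "node": int(match.group(1), 16), "start": start, "end": end, "tag": match.group(4),
                # End is the last byte of the range, so the size in bytes is End - Start + 1
                "size": end - start + 1, "commit_pages": None, "protection": None,
            }
            vads.append(current)
        elif current is not None and line.startswith("Flags:"):
            match = COMMIT_RE.search(line)
            if match:
                current["commit_pages"] = int(match.group(1))
        elif current is not None and line.startswith("Protection: "):
            # The symbolic protection line, not the numeric "Protection: 6" inside the Flags line
            current["protection"] = line.split(": ", 1)[1].strip()
    return vads


def fully_committed(vad):
    """True when CommitCharge covers the whole region, as expected for an injected private PE image."""
    return vad["commit_pages"] is not None and vad["commit_pages"] * PAGE_SIZE == vad["size"]


def largest_executable_vad_size(vads):
    """Size of the largest VAD with an EXECUTE protection, as a hex string in the challenge's answer format."""
    executable = [v for v in vads if v["protection"] and "EXECUTE" in v["protection"]]
    return hex(max(v["size"] for v in executable)) if executable else None


if __name__ == "__main__":
    vads = parse_vadinfo(SAMPLE_VADINFO)
    for vad in vads:
        print("VAD %#x-%#x size %#x (%d pages) fully committed: %s" % (
            vad["start"], vad["end"], vad["size"], vad["commit_pages"], fully_committed(vad)))
    print("largest executable VAD:", largest_executable_vad_size(vads))
```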
<h2 id="8--this-process-was-unlinked-from-the-activeprocesslinks-list-follow-its-forward-link-which-process-does-it-lead-to-answer-with-its-name-and-extension">8- This process was unlinked from the <code class="language-plaintext highlighter-rouge">ActiveProcessLinks</code> list. Follow its forward link. Which process does it lead to? Answer with its name and extension</h2>
<p>The malware process was unlinked from the <code class="language-plaintext highlighter-rouge">ActiveProcessLinks</code> list by making its previous and next neighbours point to each other instead of to the malware, while the malware process itself still points to those neighbours.</p>
<p>Let’s start a volatility shell session:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> banking-malware.vmem <span class="nt">--profile</span> Win7SP1x64_24000 volshell
</code></pre></div></div>
<p>Change the current shell context to the malware process:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">cc</span><span class="p">(</span><span class="n">offset</span><span class="o">=<</span><span class="n">malware_physical_address</span><span class="o">></span> <span class="p">,</span> <span class="n">physical</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span>
</code></pre></div></div>
<p>Get the <code class="language-plaintext highlighter-rouge">ActiveProcessLinks.Flink</code> value, which points to the next process’s list entry:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">proc</span><span class="p">().</span><span class="n">ActiveProcessLinks</span><span class="p">.</span><span class="n">Flink</span>
</code></pre></div></div>
<p>In many cases, I need to find the process using its <code class="language-plaintext highlighter-rouge">ActiveProcessLinks</code> value, so I developed a plugin to do that.</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kn">import</span> <span class="nn">volatility</span> <span class="p">.</span> <span class="n">plugins</span> <span class="p">.</span> <span class="n">common</span> <span class="k">as</span> <span class="n">common</span>
<span class="kn">import</span> <span class="nn">volatility</span> <span class="p">.</span> <span class="n">plugins</span> <span class="p">.</span> <span class="n">registry</span> <span class="p">.</span> <span class="n">registryapi</span> <span class="k">as</span> <span class="n">registryapi</span>
<span class="kn">import</span> <span class="nn">volatility</span> <span class="p">.</span> <span class="n">utils</span> <span class="k">as</span> <span class="n">utils</span>
<span class="kn">import</span> <span class="nn">volatility</span> <span class="p">.</span> <span class="n">win32</span> <span class="k">as</span> <span class="n">win32</span>
<span class="k">class</span> <span class="nc">GetProcByAcLin</span><span class="p">(</span><span class="n">common</span><span class="p">.</span><span class="n">AbstractWindowsCommand</span><span class="p">):</span>
<span class="s">""" Get ActiveP list T """</span>
<span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span> <span class="bp">self</span> <span class="p">,</span> <span class="n">config</span> <span class="p">,</span> <span class="o">*</span><span class="n">args</span> <span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span> <span class="p">):</span>
<span class="n">common</span><span class="p">.</span><span class="n">AbstractWindowsCommand</span><span class="p">.</span><span class="n">__init__</span><span class="p">(</span> <span class="bp">self</span> <span class="p">,</span> <span class="n">config</span> <span class="p">,</span> <span class="o">*</span><span class="n">args</span> <span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span> <span class="p">)</span>
<span class="bp">self</span><span class="p">.</span><span class="n">_config</span><span class="p">.</span><span class="n">add_option</span> <span class="p">(</span> <span class="s">'Search'</span> <span class="p">,</span> <span class="n">short_option</span> <span class="o">=</span> <span class="s">'t'</span> <span class="p">,</span> <span class="n">default</span> <span class="o">=</span> <span class="bp">None</span> <span class="p">,</span> <span class="n">help</span> <span class="o">=</span> <span class="s">'Ac Point Search For'</span><span class="p">,</span> <span class="n">action</span> <span class="o">=</span> <span class="s">'store'</span> <span class="p">)</span>
<span class="k">def</span> <span class="nf">calculate</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="n">addr_space</span> <span class="o">=</span> <span class="n">utils</span><span class="p">.</span><span class="n">load_as</span><span class="p">(</span><span class="bp">self</span><span class="p">.</span><span class="n">_config</span><span class="p">)</span>
<span class="n">tasks</span> <span class="o">=</span> <span class="n">win32</span><span class="p">.</span><span class="n">tasks</span><span class="p">.</span><span class="n">pslist</span><span class="p">(</span><span class="n">addr_space</span><span class="p">)</span>
<span class="n">T</span> <span class="o">=</span> <span class="bp">self</span><span class="p">.</span><span class="n">_config</span><span class="p">.</span><span class="n">Search</span>
<span class="k">return</span> <span class="n">T</span> <span class="p">,</span> <span class="n">tasks</span>
<span class="k">def</span> <span class="nf">render_text</span><span class="p">(</span> <span class="bp">self</span> <span class="p">,</span> <span class="n">outfd</span> <span class="p">,</span> <span class="n">data</span> <span class="p">):</span>
<span class="n">T</span> <span class="p">,</span> <span class="n">tas</span> <span class="o">=</span> <span class="n">data</span>
<span class="k">try</span> <span class="p">:</span>
<span class="n">ishex</span> <span class="o">=</span> <span class="n">T</span><span class="p">.</span><span class="n">find</span><span class="p">(</span><span class="s">"0x"</span><span class="p">)</span>
<span class="n">ishex2</span> <span class="o">=</span> <span class="n">T</span><span class="p">.</span><span class="n">find</span><span class="p">(</span><span class="s">"0X"</span><span class="p">)</span>
<span class="k">if</span><span class="p">(</span><span class="n">ishex</span><span class="o">>-</span><span class="mi">1</span> <span class="ow">or</span> <span class="n">ishex2</span><span class="o">>-</span><span class="mi">1</span> <span class="p">):</span>
<span class="n">T</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">T</span><span class="p">,</span> <span class="mi">16</span><span class="p">)</span>
<span class="k">else</span> <span class="p">:</span>
<span class="n">T</span> <span class="o">=</span> <span class="nb">int</span><span class="p">(</span><span class="n">T</span><span class="p">)</span>
<span class="k">for</span> <span class="n">i</span> <span class="ow">in</span> <span class="n">tas</span> <span class="p">:</span>
<span class="n">AcLin</span> <span class="o">=</span> <span class="n">i</span><span class="p">.</span><span class="n">ActiveProcessLinks</span>
<span class="k">if</span> <span class="n">T</span> <span class="o">==</span> <span class="n">AcLin</span> <span class="p">:</span>
<span class="k">print</span> <span class="p">(</span><span class="n">i</span><span class="p">.</span><span class="n">ImageFileName</span><span class="p">)</span>
<span class="k">except</span> <span class="p">:</span>
<span class="k">print</span><span class="p">(</span><span class="s">"ActiveProcessLinks is a memory location : use number"</span> <span class="p">)</span>
</code></pre></div></div>
<p>Getting the process name:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">--plugins</span><span class="o">=</span><span class="s2">"plug/"</span> <span class="nt">-f</span> banking-malware.vmem <span class="nt">--profile</span> Win7SP1x64_24000 getprocbyaclin <span class="nt">-t</span> <Fprocess_ActiveLink_value>
</code></pre></div></div>
<h2 id="9--what-is-the-pooltag-of-the-malicious-process-in-ascii">9- What is the pooltag of the malicious process in ascii?</h2>
<p>This question is very interesting.</p>
<p>It can be solved using many methods but the following method is the most interesting one, at least for me.</p>
<p>First you need to know how the pool allocation for the page is laid out.</p>
<p><a href="/assets/images/CyberDefenders/DeepDive/s1.png"><img src="/assets/images/CyberDefenders/DeepDive/s1.png" alt="2" /></a></p>
<p>The page is structured as:</p>
<ul>
<li><code class="language-plaintext highlighter-rouge">pool_header</code> with a size of 0x10 bytes.</li>
<li><code class="language-plaintext highlighter-rouge">Optional_header</code>, whose size differs from one header to another.</li>
<li><code class="language-plaintext highlighter-rouge">object_header</code> with a size of 0x30 bytes.</li>
<li><code class="language-plaintext highlighter-rouge">object_body</code> with the size of the object type itself.</li>
</ul>
<p>We need to find the pooltag of the process page, which is part of the <code class="language-plaintext highlighter-rouge">pool_header</code> struct.</p>
<p>We also need to jump to the <code class="language-plaintext highlighter-rouge">pool_header</code> object (our method is to subtract each header size from the physical address of the process).</p>
<p>But first we need to know which optional header is used on this page, and we can find that from the <code class="language-plaintext highlighter-rouge">object_header</code> struct.</p>
<p>All we know is that the object body on this page is the <code class="language-plaintext highlighter-rouge">Eprocess</code> object and its physical address, so we need to go up by <code class="language-plaintext highlighter-rouge">0x30</code> bytes to change the context to the <code class="language-plaintext highlighter-rouge">object_header</code> struct.</p>
<p>We will start volshell in the malware eprocess object context:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">cc</span><span class="p">(</span><span class="n">offset</span><span class="o">=<</span><span class="n">malware_physical_address</span><span class="o">></span> <span class="p">,</span> <span class="n">phyiscal</span><span class="o">=</span><span class="bp">True</span><span class="p">)</span>
</code></pre></div></div>
<p>Then we get the object header context by going up <code class="language-plaintext highlighter-rouge">0x30</code> bytes:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">dt</span><span class="p">(</span> <span class="s">"_OBJECT_HEADER"</span> <span class="p">,</span> <span class="o"><</span><span class="n">malware_physical_address</span><span class="o">>-</span><span class="mh">0x30</span> <span class="p">,</span> <span class="n">space</span><span class="o">=</span><span class="n">addrspace</span><span class="p">().</span><span class="n">base</span><span class="p">)</span>
</code></pre></div></div>
<p>Output:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">[</span><span class="n">_OBJECT_HEADER</span> <span class="n">_OBJECT_HEADER</span><span class="p">]</span> <span class="o">@</span> <span class="mi">0</span><span class="n">xxxxxxx</span>
<span class="mh">0x0</span> <span class="p">:</span> <span class="n">PointerCount</span> <span class="mi">149</span>
<span class="mh">0x8</span> <span class="p">:</span> <span class="n">HandleCount</span> <span class="mi">5</span>
<span class="mh">0x8</span> <span class="p">:</span> <span class="n">NextToFree</span> <span class="mi">5</span>
<span class="mh">0x10</span> <span class="p">:</span> <span class="n">Lock</span> <span class="n">xxxxxxxxxx</span>
<span class="mh">0x18</span> <span class="p">:</span> <span class="n">TypeIndex</span> <span class="mi">7</span>
<span class="mh">0x19</span> <span class="p">:</span> <span class="n">TraceFlags</span> <span class="mi">0</span>
<span class="mh">0x1a</span> <span class="p">:</span> <span class="n">InfoMask</span> <span class="mi">8</span>
<span class="mh">0x1b</span> <span class="p">:</span> <span class="n">Flags</span> <span class="mi">0</span>
<span class="mh">0x20</span> <span class="p">:</span> <span class="n">ObjectCreateInfo</span> <span class="mi">18446738026461179264</span>
<span class="mh">0x20</span> <span class="p">:</span> <span class="n">QuotaBlockCharged</span> <span class="mi">18446738026461179264</span>
<span class="mh">0x28</span> <span class="p">:</span> <span class="n">SecurityDescriptor</span> <span class="mi">18446735964826813854</span>
<span class="mh">0x30</span> <span class="p">:</span> <span class="n">Body</span> <span class="o"><</span><span class="n">malware_physical_address</span><span class="o">></span>
</code></pre></div></div>
<p>The <code class="language-plaintext highlighter-rouge">InfoMask</code> value is a bitmask telling which optional headers are present in front of the object header.</p>
<p><a href="/assets/images/CyberDefenders/DeepDive/s2.png"><img src="/assets/images/CyberDefenders/DeepDive/s2.png" alt="3" /></a></p>
<p><code class="language-plaintext highlighter-rouge">InfoMask</code> is <code class="language-plaintext highlighter-rouge">0x8</code>, so the only optional header present is <code class="language-plaintext highlighter-rouge">_OBJECT_HEADER_QUOTA_INFO</code>, whose size is 32 bytes (<code class="language-plaintext highlighter-rouge">0x20</code>).</p>
<p>Stacking the sizes, the <code class="language-plaintext highlighter-rouge">_POOL_HEADER</code> starts at <code class="language-plaintext highlighter-rouge">malware_physical_address - 0x30</code> (object header) <code class="language-plaintext highlighter-rouge">- 0x20</code> (quota info) <code class="language-plaintext highlighter-rouge">- 0x10</code> (the <code class="language-plaintext highlighter-rouge">_POOL_HEADER</code> size on x64). The order in which the sizes are subtracted does not change the sum, so the expression below writes it as <code class="language-plaintext highlighter-rouge">-0x30 -0x10 -0x20</code>.</p>
<p>Now we are ready to read the <code class="language-plaintext highlighter-rouge">_POOL_HEADER</code> object:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">dt</span><span class="p">(</span> <span class="s">"_POOL_HEADER"</span> <span class="p">,</span> <span class="o"><</span><span class="n">malware_physical_address</span><span class="o">>-</span><span class="mh">0x30</span><span class="o">-</span><span class="mh">0x10</span><span class="o">-</span><span class="mh">0x20</span> <span class="p">,</span> <span class="n">space</span><span class="o">=</span><span class="n">addrspace</span><span class="p">().</span><span class="n">base</span><span class="p">)</span>
</code></pre></div></div>
<p>Output:</p>
<div class="language-python highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="p">[</span><span class="n">_POOL_HEADER</span> <span class="n">_POOL_HEADER</span><span class="p">]</span> <span class="o">@</span> <span class="mi">0</span><span class="n">xxxxxxxx</span>
<span class="mh">0x0</span> <span class="p">:</span> <span class="n">BlockSize</span> <span class="mi">86</span>
<span class="mh">0x0</span> <span class="p">:</span> <span class="n">PoolIndex</span> <span class="mi">0</span>
<span class="mh">0x0</span> <span class="p">:</span> <span class="n">PoolType</span> <span class="mi">2</span>
<span class="mh">0x0</span> <span class="p">:</span> <span class="n">PreviousSize</span> <span class="mi">10</span>
<span class="mh">0x0</span> <span class="p">:</span> <span class="n">Ulong1</span> <span class="mi">39190538</span>
<span class="mh">0x4</span> <span class="p">:</span> <span class="n">PoolTag</span> <span class="n">int_four_bytes_reversed_pooltag</span>
<span class="mh">0x8</span> <span class="p">:</span> <span class="n">AllocatorBackTraceIndex</span> <span class="mi">0</span>
<span class="mh">0x8</span> <span class="p">:</span> <span class="n">ProcessBilled</span> <span class="mi">0</span>
<span class="mh">0xa</span> <span class="p">:</span> <span class="n">PoolTagHash</span> <span class="mi">0</span>
</code></pre></div></div>
<p>The <code class="language-plaintext highlighter-rouge">PoolTag</code> is printed as an integer; pack it as a little-endian 32-bit value to get the 4-character tag (reading the hex digits as written gives the characters in reverse order, which is why the tag appears “reversed”).</p>
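<p>As an added example (not part of the original writeup), the arithmetic of the last two questions in one place: walk from the object body back to the <code class="language-plaintext highlighter-rouge">_POOL_HEADER</code> using <code class="language-plaintext highlighter-rouge">InfoMask</code>, locate the tag 4 bytes in, and turn the integer <code class="language-plaintext highlighter-rouge">PoolTag</code> that <code class="language-plaintext highlighter-rouge">dt()</code> prints into its string. The <code class="language-plaintext highlighter-rouge">_OBJECT_HEADER</code> size (0x30) and quota-info size (0x20) come from the text; the other optional-header sizes and the x64 pool block granularity are assumed from the same Win7 x64 profile.</p>

```python
import struct

# Sizes for the Win7SP1x64 profile used in this writeup. OBJECT_HEADER_SIZE
# (Body at 0x30) and the quota-info size (0x20) come from the dt() output and
# the text; the remaining optional-header sizes are assumed for the same profile.
OBJECT_HEADER_SIZE = 0x30
POOL_HEADER_SIZE = 0x10      # _POOL_HEADER on x64
POOL_BLOCK_UNIT = 0x10       # BlockSize/PreviousSize count 16-byte units on x64
POOL_TAG_OFFSET = 0x4        # offset of PoolTag inside _POOL_HEADER

# InfoMask bit -> (optional header, size). Present headers sit above
# _OBJECT_HEADER; CreatorInfo (bit 0x1) is the one closest to it.
OPTIONAL_HEADERS = [
    (0x01, "_OBJECT_HEADER_CREATOR_INFO", 0x20),
    (0x02, "_OBJECT_HEADER_NAME_INFO", 0x20),
    (0x04, "_OBJECT_HEADER_HANDLE_INFO", 0x10),
    (0x08, "_OBJECT_HEADER_QUOTA_INFO", 0x20),
    (0x10, "_OBJECT_HEADER_PROCESS_INFO", 0x10),
]


def optional_headers(info_mask):
    """Names and sizes of the optional headers selected by InfoMask."""
    return [(name, size) for bit, name, size in OPTIONAL_HEADERS if info_mask & bit]


def pool_header_address(body_addr, info_mask):
    """Physical address of _POOL_HEADER for an object body at body_addr:
    body - _OBJECT_HEADER - (present optional headers) - _POOL_HEADER."""
    extra = sum(size for _, size in optional_headers(info_mask))
    return body_addr - OBJECT_HEADER_SIZE - extra - POOL_HEADER_SIZE


def pool_tag_address(pool_header_addr):
    """Question 10: the tag lives 4 bytes into the pool header."""
    return pool_header_addr + POOL_TAG_OFFSET


def pool_tag_to_int(tag_bytes):
    """4 ASCII bytes -> the integer that dt() prints (little-endian)."""
    return struct.unpack("<I", tag_bytes)[0]


def pool_tag_to_str(tag_int):
    """Integer PoolTag -> 4-char tag. Packing little-endian restores the byte
    order (printing the hex digits shows the characters reversed). The top bit
    of the last byte marks a protected allocation, which is why Win7 process
    blocks scan as 'Pro\\xe3'; it is masked off for display."""
    raw = struct.pack("<I", tag_int)
    return bytes(b & 0x7F for b in raw).decode("ascii")


def pool_block_bytes(block_size):
    """Total allocation size from the BlockSize field (86 in the dt() output)."""
    return block_size * POOL_BLOCK_UNIT
```

<p>With <code class="language-plaintext highlighter-rouge">InfoMask = 0x8</code> the function subtracts exactly <code class="language-plaintext highlighter-rouge">0x30 + 0x20 + 0x10</code>, matching the volshell expression above; a <code class="language-plaintext highlighter-rouge">BlockSize</code> of 86 means the whole pool block is <code class="language-plaintext highlighter-rouge">0x560</code> bytes, which is a sanity check that the header you read really belongs to an <code class="language-plaintext highlighter-rouge">_EPROCESS</code>-sized allocation.</p>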
<h2 id="10--what-is-the-physical-address-of-the-hidden-executables-pooltag">10- What is the physical address of the hidden executable’s pooltag?</h2>
<p>Just add 4 bytes to the physical address of the pool header, since <code class="language-plaintext highlighter-rouge">PoolTag</code> sits at offset <code class="language-plaintext highlighter-rouge">0x4</code> inside <code class="language-plaintext highlighter-rouge">_POOL_HEADER</code> (as the <code class="language-plaintext highlighter-rouge">dt</code> output above shows).</p>
<p><code class="language-plaintext highlighter-rouge">POOL_HEADER_ADDRESS</code> + 4</p>Mohamed LabibAbout Challenge.Dive DEEEEP2021-10-10T00:00:00+00:002021-10-10T00:00:00+00:00https://detectivestrings.github.io/ctf%20write_up/reverse%20engineering/dfir/Dive_DEEEEP<h1 id="about-challenge">About Challenge.</h1>
<p>Name : Dive DEEEEP.</p>
<p>Level : Hard.</p>
<p>PTS : 900</p>
<p>Description : the plan is very easy and straightforward: jump to the kernel, convince it to send the flag to the user, that’s it.</p>
<p>Link : <a href="https://github.com/DetectiveStrings/ASCWGsrc/tree/main/Dive%20DEEEEP">challenge link</a></p>
<p>Files : the challenge contains 2 versions, for Windows 7 and Windows 10; each version contains 2 files, a .sys (the driver) and an .exe (the user-mode app).</p>
<h1 id="note">Note</h1>
<p>The BSOD is a kind of hint in the challenge, pointing to the kernel function that changes the memory shared with usermode. During the competition I asked the players to do the step which causes the BSOD (50% to see my friends’ reaction, 50% to give them the hint).</p>
<p>I will not follow this path in this writeup; I’ll do the basic steps of following the driver entry.</p>
<h1 id="setup-challenge">Setup Challenge</h1>
<p>At first look at the challenge files, you will find an exe called usermod and a sys file, which is the kernel driver.</p>
<p>We can guess that the kernel driver communicates with usermod to do something.</p>
<p>Since we are working with a kernel driver, we have to set up the test machine environment.</p>
<p>Start cmd as admin and enable test-signing mode by running:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>bcdedit /set testsigning on
</code></pre></div></div>
<p>Then restart the machine.</p>
<p>Start cmd as admin again and create the driver service:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sc create <driver_name> <span class="nb">type</span><span class="o">=</span> kernel <span class="nv">binpath</span><span class="o">=</span> <path_to_.sys_file>
</code></pre></div></div>
<p><a href="/assets/images/ASCWG/k1.png"><img src="/assets/images/ASCWG/k1.png" alt="1" /></a></p>
<p>Now we have the driver service created.</p>
<h1 id="usermod">Usermod</h1>
<p>The usermod app is not very important in this challenge; you can skip it.</p>
<p>We will start by checking the application’s behaviour before and after starting the driver.</p>
<h2 id="general-look">general look</h2>
<p>Quickly run the app without starting the driver.</p>
<p><a href="/assets/images/ASCWG/k2.png"><img src="/assets/images/ASCWG/k2.png" alt="2" /></a></p>
<p>The app just shows a message and nothing else; it seems to be waiting for some input from the kernel.</p>
<p>So let’s try again after starting the driver.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sc start <driver_name>
</code></pre></div></div>
<p><a href="/assets/images/ASCWG/k3.png"><img src="/assets/images/ASCWG/k3.png" alt="3" /></a></p>
<p>Run the app.</p>
<p><a href="/assets/images/ASCWG/k4.png"><img src="/assets/images/ASCWG/k4.png" alt="4" /></a></p>
<p>The app outputs the process id of any newly spawned process.</p>
<p>You can check this by starting new processes and comparing their ids to the program output.</p>
<p>Stop the driver:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sc stop <driver_name>
</code></pre></div></div>
<h2 id="close-look">close look</h2>
<p>Let’s load the app into IDA to check whether it does anything else.</p>
<p>To get to the main function, follow the return of the start function.</p>
<p><a href="/assets/images/ASCWG/k5.png"><img src="/assets/images/ASCWG/k5.png" alt="5" /></a></p>
<p>You can find a function that takes envp, argv and argc as parameters; this should be the main function.</p>
<p><a href="/assets/images/ASCWG/k6.png"><img src="/assets/images/ASCWG/k6.png" alt="6" /></a></p>
<p>The function starts by setting some variables and opening a handle to a shared-memory section called <strong>HelloLabib</strong> (I just forgot to rename it).</p>
<p><a href="/assets/images/ASCWG/k7.png"><img src="/assets/images/ASCWG/k7.png" alt="7" /></a></p>
<p>After getting the handle, the app checks the shared memory, then loads the received data, which is sent by the kernel’s control function (so in the kernel we need to find the control function).</p>
<p><a href="/assets/images/ASCWG/k8.png"><img src="/assets/images/ASCWG/k8.png" alt="8" /></a></p>
<p>The variable inbuffer is the process id. You can tell by following the std::cout parameter: v2 is the process id printed by usermod, and v2 gets its value from inbuffer, which is the data received from the kernel.</p>
<p><a href="/assets/images/ASCWG/k10.png"><img src="/assets/images/ASCWG/k10.png" alt="9" /></a></p>
<p>Before printing the PID, the app checks whether the new PID is 0 or equal to the previous PID, by saving v2 in v1 after the if block.</p>
<p><a href="/assets/images/ASCWG/k11.png"><img src="/assets/images/ASCWG/k11.png" alt="10" /></a></p>
<p><a href="/assets/images/ASCWG/k9.png"><img src="/assets/images/ASCWG/k9.png" alt="11" /></a></p>
<p>Then we move to another if block that checks 2 bytes received from the kernel. If the condition is true, the flag is decrypted and mixed using the bytes received from the kernel, then printed after decryption.</p>
<p><a href="/assets/images/ASCWG/k12.png"><img src="/assets/images/ASCWG/k12.png" alt="12" /></a></p>
<p>The last thing we can get from this exe is a condition that checks some received bytes; depending on those bytes it terminates the process whose PID it received.</p>
<p><a href="/assets/images/ASCWG/k13.png"><img src="/assets/images/ASCWG/k13.png" alt="13" /></a></p>
<p>But from the output message, we can expect a blue screen of death if this condition is true, so we need to be careful while working with the driver.</p>
<p>Now we don’t need anything else from usermod; let’s move to the kernel driver.</p>
<h1 id="kernel">Kernel</h1>
<p>Just load the driver into IDA without starting it; we can do almost all of the analysis statically.</p>
<p>Like with usermod, IDA will not land you at the real driver entry; just follow the function return.</p>
<p>You will land in the driver entry loader function.</p>
<p><a href="/assets/images/ASCWG/k14.png"><img src="/assets/images/ASCWG/k14.png" alt="14" /></a></p>
<p>Jump to the driver entry.</p>
<p><a href="/assets/images/ASCWG/k15.png"><img src="/assets/images/ASCWG/k15.png" alt="15" /></a></p>
<p>The driver starts by creating a device and the shared-memory section.</p>
<p>It also sets 3 dispatch routines in the driver object, pointing to 3 functions: the create call, the close call and the device control (IOCTL) handler.</p>
<p>We can jump to the control function to find out what happens.</p>
<p><a href="/assets/images/ASCWG/k16.png"><img src="/assets/images/ASCWG/k16.png" alt="16" /></a></p>
<p>The control function takes the IRP as a parameter, then changes the values of the shared struct before completing the request and sending it.</p>
<p>So we need to find where this struct is changed or set.</p>
<p>Back in the driver entry function, we can find that the API <strong>PsSetCreateProcessNotifyRoutine</strong> is very interesting.</p>
<p><a href="/assets/images/ASCWG/k17.png"><img src="/assets/images/ASCWG/k17.png" alt="17" /></a></p>
<p>according to Microsoft documentation : The PsSetCreateProcessNotifyRoutine routine adds a driver-supplied callback routine to, or removes it from, a list of routines to be called whenever a process is created or deleted. <sub><sup>[1]</sup></sub></p>
<div class="language-c++ highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">NTSTATUS</span> <span class="nf">PsSetCreateProcessNotifyRoutine</span><span class="p">(</span>
<span class="n">PCREATE_PROCESS_NOTIFY_ROUTINE</span> <span class="n">NotifyRoutine</span><span class="p">,</span>
<span class="n">BOOLEAN</span> <span class="n">Remove</span>
<span class="p">);</span>
</code></pre></div></div>
<p>also according to Microsoft documentation about <strong>PCREATE_PROCESS_NOTIFY_ROUTINE</strong> : Process-creation callback implemented by a driver to track the system-wide creation and deletion of processes against the driver’s internal state.<sub><sup>[2]</sup></sub></p>
<div class="language-c++ highlighter-rouge"><div class="highlight"><pre class="highlight"><code>PCREATE_PROCESS_NOTIFY_ROUTINE PcreateProcessNotifyRoutine;

void PcreateProcessNotifyRoutine(
    HANDLE ParentId,
    HANDLE ProcessId,
    BOOLEAN Create
)
{...}
</code></pre></div></div>
<p>Now we know that the callback registered with PsSetCreateProcessNotifyRoutine receives the parent PID, the PID and the Create flag.</p>
<p>So this is the API we were searching for; according to the usermod output, it shows process ids.</p>
<p>Jump to the PCREATE_PROCESS_NOTIFY_ROUTINE function.</p>
<p><a href="/assets/images/ASCWG/k18.png"><img src="/assets/images/ASCWG/k18.png" alt="18" /></a></p>
<p>The function starts by checking whether the process is being created or terminated, using the Create flag.</p>
<p><a href="/assets/images/ASCWG/k19.png"><img src="/assets/images/ASCWG/k19.png" alt="19" /></a></p>
<p>Then it gets the EPROCESS object from the PID and uses that EPROCESS object to get the image name.</p>
<p><a href="/assets/images/ASCWG/k20.png"><img src="/assets/images/ASCWG/k20.png" alt="20" /></a></p>
<p>The next step checks the parent id: if the PPID is 65537 (0x10001) it sets a byte in the shared struct to 1,
then it gets the parent’s EPROCESS object.</p>
<p><a href="/assets/images/ASCWG/k21.png"><img src="/assets/images/ASCWG/k21.png" alt="21" /></a></p>
<p>Then it starts to decrypt some data and writes it into the struct to be shared.</p>
<p>Before doing anything with the image name, it converts the UNICODE_STRING result to a char array and saves it in dest.</p>
<p><a href="/assets/images/ASCWG/k22.png"><img src="/assets/images/ASCWG/k22.png" alt="22" /></a></p>
<p>Then it calls a function, passing dest and another string.</p>
<p>This function is just <strong>strstr</strong>.</p>
<p><a href="/assets/images/ASCWG/k25.png"><img src="/assets/images/ASCWG/k25.png" alt="23" /></a></p>
<p>So it searches for the word ida or ghidra in the process image name.</p>
<p><a href="/assets/images/ASCWG/k23.png"><img src="/assets/images/ASCWG/k23.png" alt="24" /></a></p>
<p>If found, it sets a byte in the shared struct to 1 and calls a function containing some strings that inform you it will cause a BSOD.</p>
<p>If not, and the PPID condition was true, it searches for the string <strong>RtlCompareUnicodeString</strong> in the image name.</p>
<p><a href="/assets/images/ASCWG/k24.png"><img src="/assets/images/ASCWG/k24.png" alt="25" /></a></p>
<p>If it is found, it sets another byte to 1, and the flag should be printed in the usermod app.</p>
<h1 id="idea">IDEA</h1>
<p>The flag will be printed only if the PPID is 0x10001 and the process image name contains <strong>RtlCompareUnicodeString</strong>.</p>
<h1 id="exploit">Exploit</h1>
<p>We need to set a process id to 0x10001 using WinDbg, and make that process start a child named <strong>RtlCompareUnicodeString</strong> or whose path contains this string.</p>
<p>Start the driver:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sc start <driver_name>
</code></pre></div></div>
<p>Start the usermod app, start WinDbg as admin and start a cmd process.</p>
<p>Get the cmd process’s EPROCESS object.</p>
<p>In WinDbg type:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="o">!</span>process 0 0
</code></pre></div></div>
<p>Then search for the last opened cmd process.</p>
<p><a href="/assets/images/ASCWG/k26.png"><img src="/assets/images/ASCWG/k26.png" alt="26" /></a></p>
<p>Use:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">dd</span> <Eprocess_address>
</code></pre></div></div>
<p>and start searching for the PID location in this EPROCESS structure.</p>
<p>Or you can search the Internet for the EPROCESS struct layout of your Windows version to get the correct offset.<sub><sup>[3]</sup></sub></p>
<p>In my case the version is between 10.0 and 1607, so the PID (UniqueProcessId) is at EPROCESS address + 0x2e8.</p>
<p>To change the PID use:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>eq <Eprocess_address>+<pid_location> 10001
</code></pre></div></div>
<p><a href="/assets/images/ASCWG/k27.png"><img src="/assets/images/ASCWG/k27.png" alt="27" /></a></p>
<p>Now rename any exe to RtlCompareUnicodeString.exe, or create a folder called RtlCompareUnicodeString and put any exe in it.</p>
<p>Then start this exe from the edited cmd process.</p>
<p><a href="/assets/images/ASCWG/k28.png"><img src="/assets/images/ASCWG/k28.png" alt="28" /></a></p>
<p>Bingo, we got the flag.</p>
<h1 id="resources">Resources</h1>
<p><a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nf-ntddk-pssetcreateprocessnotifyroutine">1- PsSetCreateProcessNotifyRoutine </a></p>
<p><a href="https://docs.microsoft.com/en-us/windows-hardware/drivers/ddi/ntddk/nc-ntddk-pcreate_process_notify_routine">2- PCREATE_PROCESS_NOTIFY_ROUTINE </a></p>
<p><a href="https://www.geoffchappell.com/studies/windows/km/ntoskrnl/inc/ntos/ps/eprocess/index.htm">3- EPROCESS </a></p>Mohamed LabibAbout Challenge.WannaCry P1 - Detection & Analysis in Memory2020-02-25T00:00:00+00:002020-02-25T00:00:00+00:00https://detectivestrings.github.io/memory%20forensics/dfir/WannaCryP1<p>Hello all, welcome to the first part of WannaCry detection and analysis from a forensics perspective.</p>
<p><strong>WannaCry</strong> is ransomware that started its attacks in 2017, targeting Microsoft Windows machines and costing the world a lot of money.</p>
<p>I decided to do a full analysis of this malware to sharpen my forensics and malware analysis skills.</p>
<p>The malware’s main attack is encrypting data, but there is another component I didn’t cover in my analysis: it targets SMB on Windows machines so the malware can spread through the network, using an exploit called <strong>Eternalblue</strong>. Also, the domain the malware used to download the executable that performs this attack did not respond.</p>
<h1 id="lab-setup">Lab Setup</h1>
<p>I used Windows 7 x64 with 500MB RAM on VMware to run the malware sample and allowed it to communicate over the network without using a fakedns or fakenet, then I suspended the VM after 3 minutes of execution.</p>
<p>The hero of this analysis is <strong>Volatility</strong>, used for analysing the memory.</p>
<p>sample hash : 84c82835a5d21bbcf75a61706d8ab549</p>
<p>If you want to try it yourself you can set up your own lab, or you can skip the setup part and use my memory dump.</p>
<p><a href="https://drive.google.com/file/d/1P0YY1cZ9Q_NmwMEKy0voOhzfk6rhISyd/view?usp=sharing">DumpLink</a></p>
<p>dump md5 hash : 8ab0198a80acf83780a47a5f3882eb03</p>
<h1 id="investgating">Investgating</h1>
<p>I use Volatility 2, so I have to check the image info to get the profile. <strong>I don’t have any intention of moving to Volatility 3.</strong></p>
<p>The suggested profile is <strong>Win7SP1x64</strong>.</p>
<h1 id="process-check">Process check</h1>
<p>I use the Volatility psxview plugin so that hidden processes or rootkits, if any, can be detected.</p>
<p><a href="/assets/images/WannaCry/p1/i1.png"><img src="/assets/images/WannaCry/p1/i1.png" alt="1" /></a></p>
<p>Nice, no need to spend effort on finding hidden processes or checking process threads to find the malware: we can read the process names and recognise the malware processes. We are not yet sure these are all of the malware processes, but we can be sure these processes are related to the malware.</p>
<p>The processes are not hidden, but there are some terminated processes, so I will use psscan to map processes to their parents,
then use the dot tool to view the result graphically:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 psscan <span class="nt">--output</span> dot <span class="nt">--output-file</span> psscan.dot
</code></pre></div></div>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dot <span class="nt">-Tpng</span> psscan.dot <span class="nt">-o</span> psscan.png
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i2.png"><img src="/assets/images/WannaCry/p1/i2.png" alt="2" /></a></p>
<p>The tree is very large, so we need to zoom in on the explorer.exe part, where we find Wannacry.EXE as a child of explorer.exe.</p>
<p>WannaCry opened other processes: <code class="language-plaintext highlighter-rouge">taskdl.exe</code> and 2 ‘@WanaDecryptor’ processes, one of which opened the process ‘taskhsvc.exe’.</p>
<p>We can notice that process 2752, which is @WanaDecryptor, was opened 28 seconds later than the other one.</p>
<p>Also, there is a terminated <code class="language-plaintext highlighter-rouge">taskdl.exe</code> process at ‘2021-02-22 17:52:52’.</p>
<p>So I will check the actions of processes 2464, 2752 and 2092 (2084 is terminated, so the expectation is that we can’t find much information about it).</p>
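<p>As an added example (not the writeup’s own code), the same parent/child mapping done in Python instead of through dot: parse the text output of Volatility 2 <code class="language-plaintext highlighter-rouge">psscan</code>, mark terminated processes (those with a “Time exited” column), resolve parents while allowing for PID reuse, and compute the creation gap between two processes. The sample lines are constructed to resemble the WannaCry image, reusing the PIDs and the terminated offset named in the text; they are not copied from the real psscan output.</p>

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample in Volatility 2 psscan text format (not real image output).
PSSCAN_SAMPLE = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000001e0b4b30 explorer.exe       1352   1320 0x000000001dde4000 2021-02-22 17:50:02 UTC+0000
0x000000001e6a8060 WannaCry.EXE       2464   1352 0x000000001ebe7000 2021-02-22 17:52:50 UTC+0000
0x000000001e77d2d0 taskdl.exe         2084   2464 0x000000001e7c5000 2021-02-22 17:52:52 UTC+0000   2021-02-22 17:52:52 UTC+0000
0x000000001e91c890 @WanaDecryptor@    2340   2464 0x000000001e9f1000 2021-02-22 17:52:53 UTC+0000
0x000000001e8a1b30 taskhsvc.exe       2092   2340 0x000000001eb13000 2021-02-22 17:52:56 UTC+0000
0x000000001e7ec060 @WanaDecryptor@    2752   2464 0x000000001ea26000 2021-02-22 17:53:21 UTC+0000
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S UTC+0000"
TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC\+0000"
LINE_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>.+?)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<pdb>0x[0-9a-fA-F]+)\s+(?P<created>" + TS + r")(?:\s+(?P<exited>" + TS + r"))?\s*$"
)


@dataclass
class Proc:
    offset: int          # physical offset of the _EPROCESS (use with --offset)
    name: str
    pid: int
    ppid: int
    created: datetime
    exited: Optional[datetime]


def parse_psscan(text: str) -> List[Proc]:
    """Parse psscan text output; header, separator and blank lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        procs.append(Proc(
            offset=int(m["offset"], 16), name=m["name"].strip(),
            pid=int(m["pid"]), ppid=int(m["ppid"]),
            created=datetime.strptime(m["created"], TIME_FMT),
            exited=datetime.strptime(m["exited"], TIME_FMT) if m["exited"] else None,
        ))
    return procs


def find_pid(procs, pid, before=None):
    """Resolve a PID to a Proc. psscan also returns exited processes, and PIDs
    are reused, so prefer the most recent instance created no later than
    `before` (pass the child's creation time when resolving a parent)."""
    cands = [p for p in procs if p.pid == pid and (before is None or p.created <= before)]
    return max(cands, key=lambda p: p.created) if cands else None


def terminated(procs):
    return [p for p in procs if p.exited is not None]


def children(procs, parent):
    return [c for c in procs
            if c.ppid == parent.pid and find_pid(procs, c.ppid, c.created) is parent]


def seconds_between(a, b):
    """Creation gap in seconds (b after a), e.g. between the two decryptors."""
    return int((b.created - a.created).total_seconds())


def render_tree(procs, root, depth=0):
    """Indented text tree like the dot graph; exited processes are marked."""
    tag = " [exited]" if root.exited else ""
    lines = [f"{'  ' * depth}{root.name} (PID {root.pid}){tag}"]
    for c in sorted(children(procs, root), key=lambda p: p.created):
        lines.extend(render_tree(procs, c, depth + 1))
    return lines
```

<p>Feed it the real output (<code class="language-plaintext highlighter-rouge">vol.py ... psscan &gt; psscan.txt</code>) and <code class="language-plaintext highlighter-rouge">terminated()</code> gives you the physical offsets to pass to <code class="language-plaintext highlighter-rouge">--offset</code> for exited processes such as 2084, which is exactly the step needed for the privileges check below; <code class="language-plaintext highlighter-rouge">find_pid()</code> with a <code class="language-plaintext highlighter-rouge">before</code> time is what keeps a reused PID from being attached to the wrong parent.</p>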
<h1 id="privileges">Privileges</h1>
<p>After we discovered the malware processes, we can start by checking the privileges of each one, focusing on the enabled ones only.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">--plugins</span><span class="o">=</span>my_plugins <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 privs <span class="nt">-p</span> 2464,2752,2092 | <span class="nb">grep </span>Enabled
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i3.png"><img src="/assets/images/WannaCry/p1/i3.png" alt="3" /></a></p>
<p>It looks like there are no important privileges enabled.</p>
<p>We need to check the privileges of 2084 as well; as it is a terminated process we need to specify the memory offset instead of the process id.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">--plugins</span><span class="o">=</span>my_plugins <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 privs <span class="nt">--offset</span><span class="o">=</span>0x000000001e77d2d0
</code></pre></div></div>
<p>But there is no information available; as expected, a large part of its memory may have been reused by another process or paged out to disk.</p>
<p>To be sure of what happened to it we can do a pool object scan.</p>
<h1 id="pool-object-scan">Pool Object Scan</h1>
<p>Scanning the object types is very useful because it reports, for each object type, which pool its objects are allocated from (paged or non-paged); so if information about a non-paged object is missing from memory, something overwrote it rather than paged it out.</p>
<p><a href="/assets/images/WannaCry/p1/i4.png"><img src="/assets/images/WannaCry/p1/i4.png" alt="4" /></a></p>
<p>The process object type is allocated from non-paged pool, so it cannot have been paged out.
That means the pool memory of process 2084 was reused by another allocation and overwritten.</p>
<h1 id="handles">Handles</h1>
<p>We didn’t find useful information in the process privileges, so we will check each process’s handles.</p>
<p>The important handles are files, keys and mutexes; then we will check the VADs, and if we find any kind of process injection we can go back to the handles and follow the threads.</p>
<h2 id="process-2464">Process 2464</h2>
<h3 id="files">Files</h3>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">--plugins</span><span class="o">=</span>my_plugins <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 handles <span class="nt">-p</span> 2464 <span class="nt">-t</span> file
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i5.png"><img src="/assets/images/WannaCry/p1/i5.png" alt="5" /></a></p>
<p>As you can see, this process opens several file handles, and there are 2 interesting files:
<strong>00000000.eky</strong>, which is located on the desktop, in the same path as the executable, and
<strong>hibsys.WNCRYT</strong>, which is located in temp and looks interesting; it doesn’t look like the encrypted files (the encrypted ones end with a different extension).</p>
<p>We can dump those files and check their content for any information.</p>
<h3 id="key">Key</h3>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 handles <span class="nt">-p</span> 2464 <span class="nt">-t</span> key
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i6.png"><img src="/assets/images/WannaCry/p1/i6.png" alt="6" /></a></p>
<p>I don’t know the function of each key, so I can’t decide which key shouldn’t be used or why it used each key.</p>
<p>So the best thing to do is to search all processes to find which processes use every single key. If we find a key that is used by no other process, is used only by the malware processes, or is shared between the malware and an important system process, we can look up the key’s function and decide whether this is bad activity or not.</p>
<blockquote>
<p>Note: as we saw in the object pool scan, keys are paged pool objects, so we can’t find all the keys resident in memory; sometimes I will go back to the live system to analyse key values or to understand the key’s purpose.</p>
</blockquote>
<p>Every key described as safe means the exe uses it to get system information.</p>
<ul>
<li>
<p>IMAGE FILE EXECUTION OPTIONS : is safe</p>
</li>
<li>
<p>VERSIONS : is safe</p>
</li>
<li>
<p>SESSION MANAGER : is safe</p>
</li>
<li>
<p>MACHINE : is safe</p>
</li>
<li>
<p>CUSTOMLOCALE</p>
</li>
</ul>
<p>It seems to be a safe key, as NLS contains some default keys for the system, but it can be a distinguishing key for the malware processes, as those processes are the only ones that use it:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code> vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 handles <span class="nt">-t</span> key | <span class="nb">grep</span> <span class="s1">'CONTROLSET001\\CONTROL\\NLS\\CUSTOMLOCALE'</span>
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i8.png"><img src="/assets/images/WannaCry/p1/i8.png" alt="8" /></a></p>
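<p>As an added example (not from the writeup), the “grep each key across all processes” step done once for every key: group the text output of Volatility 2 <code class="language-plaintext highlighter-rouge">handles -t key</code> by key path and report the keys held only by the suspect PIDs, plus which other processes share a given key. The sample lines are constructed (only the key paths named in the text are real); a real run would feed the full <code class="language-plaintext highlighter-rouge">handles -t key</code> output instead.</p>

```python
# Constructed sample in Volatility 2 `handles -t key` text format (not real
# image output). Details may contain spaces, so the line is split on at most
# five whitespace gaps and the remainder is the key path.
HANDLES_SAMPLE = """\
Offset(V)          Pid             Handle             Access Type             Details
------------------ ------ ------------------ ------------------ ---------------- -------
0xfffff8a00150c2d0    604               0x1c            0x20019 Key              MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS
0xfffff8a00150c2d0   2464               0x10            0x20019 Key              MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS NT\\CURRENTVERSION\\IMAGE FILE EXECUTION OPTIONS
0xfffff8a001a44160   2464               0x48            0x20019 Key              MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\CUSTOMLOCALE
0xfffff8a001a44160   2752               0x3c            0x20019 Key              MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\CUSTOMLOCALE
0xfffff8a001a44160   2340               0x40            0x20019 Key              MACHINE\\SYSTEM\\CONTROLSET001\\CONTROL\\NLS\\CUSTOMLOCALE
"""

SUSPECT_PIDS = [2464, 2752, 2340]   # the malware processes identified above


def parse_key_handles(text):
    """Return {key_path: set(pids)} from `handles -t key` text output."""
    by_key = {}
    for line in text.splitlines():
        parts = line.split(None, 5)
        # Skip header/separator lines and anything that is not a Key handle.
        if len(parts) != 6 or not parts[0].startswith("0x") or parts[4] != "Key":
            continue
        by_key.setdefault(parts[5].strip(), set()).add(int(parts[1]))
    return by_key


def exclusive_to(by_key, suspects):
    """Keys held only by suspect processes: worth checking on the live system."""
    s = set(suspects)
    return sorted(k for k, pids in by_key.items() if pids and pids <= s)


def shared_with(by_key, key, suspects):
    """Non-suspect PIDs that also hold `key`, to judge whether it is just noise."""
    return sorted(by_key.get(key, set()) - set(suspects))


def usage_report(by_key, suspects):
    """(key, suspect holders, other holders) for every key, most exclusive first."""
    s = set(suspects)
    rows = [(k, sorted(p & s), sorted(p - s)) for k, p in by_key.items()]
    return sorted(rows, key=lambda r: (len(r[2]), r[0]))
```

<p>On the sample, CUSTOMLOCALE comes out as the only key exclusive to the three malware PIDs, while IMAGE FILE EXECUTION OPTIONS is also held by a system process and can be set aside, which is the conclusion reached by hand in the text.</p>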
<p>But we can’t get the key values, as this hive is not resident in memory.</p>
<p>So I went back to the machine and looked at the key value, but the key doesn’t have any values.</p>
<p><a href="/assets/images/WannaCry/p1/i7.png"><img src="/assets/images/WannaCry/p1/i7.png" alt="7" /></a></p>
<ul>
<li>PROPERTYBAG</li>
</ul>
<p>There are 3 keys, located in different hives.</p>
<p>Those keys contain some information about the directories on the system.</p>
<p>As expected, the hives of those keys are not resident in memory.</p>
<p>The malware uses keys that map to the folders “Common Documents”, “Personal” and “Desktop”, and 2 keys that point to another key mapping to the “Documents Library”.</p>
<p><a href="/assets/images/WannaCry/p1/i9.png"><img src="/assets/images/WannaCry/p1/i9.png" alt="9" /></a></p>
<p><a href="/assets/images/WannaCry/p1/i10.png"><img src="/assets/images/WannaCry/p1/i10.png" alt="10" /></a></p>
<p><a href="/assets/images/WannaCry/p1/i11.png"><img src="/assets/images/WannaCry/p1/i11.png" alt="11" /></a></p>
<ul>
<li>APPCOMPATFLAGS</li>
</ul>
<p>Nothing interesting in this key; it is also used by many other processes.</p>
<h3 id="mutannt--mutex-">Mutant / Mutex</h3>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 handles <span class="nt">-p</span> 2464 <span class="nt">-t</span> mutant
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i12.png"><img src="/assets/images/WannaCry/p1/i12.png" alt="12" /></a></p>
<p>Mutexes are very important evidence in the WannaCry case.</p>
<p>Not every mutex shows up in the handle list, so we can’t view all of them.</p>
<p>But we have the important part here.</p>
<p>As you can see, this process uses 2 unique mutexes which are not known Windows mutexes.</p>
<blockquote>
<p>Note: in 2017, DFIR teams used those mutexes to stop WannaCry from encrypting data, by running a PowerShell script that creates mutexes with the same names; this was then built into some of the very first tools to stop WannaCry.</p>
</blockquote>
<h2 id="process-2752">Process 2752</h2>
<p>Like we did for process 2464, we will investigate each handle type of this process.</p>
<h3 id="file">File</h3>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 handles <span class="nt">-p</span> 2752 <span class="nt">-t</span> file
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i13.png"><img src="/assets/images/WannaCry/p1/i13.png" alt="13" /></a></p>
<p>The interesting file objects are:</p>
<ul>
<li>odbcint.dll.mui</li>
</ul>
<p>which is related to odbcint.dll; ODBC provides database read/write APIs.</p>
<ul>
<li>MFC42.dll.mui</li>
</ul>
<p>This DLL is the MFC runtime shipped with Microsoft Visual Studio, so at least this part is written using Microsoft Visual C++; it can still be obfuscated or packed.</p>
<ul>
<li>StaticCache.dat</li>
</ul>
<p>It uses this file to load a font, so this may be the process that displays the message.</p>
<p><a href="/assets/images/WannaCry/p1/i14.png"><img src="/assets/images/WannaCry/p1/i14.png" alt="14" /></a></p>
<h3 id="key-1">Key</h3>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 handles <span class="nt">-p</span> 2752 <span class="nt">-t</span> key
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i15.png"><img src="/assets/images/WannaCry/p1/i15.png" alt="15" /></a></p>
<p>There are many keys, like in its parent “Wannacry.exe”.</p>
<p>It has many NLS keys; this may be because it needs some information about the local machine’s time, locale, etc.
Remember that this is the process that counts down the payment time.</p>
<p>The new keys are:</p>
<ul>
<li>PROTOCOL_CATALOG9, NAMESPACE_CATALOG5</li>
</ul>
<p>Those keys are related to Windows Sockets and network connections, but this process doesn’t look like it started a network connection, as there are no handles to any network device file to set up the sockets.</p>
<h3 id="mutant--mutex">Mutant / Mutex</h3>
<p>This process holds only one mutant handle, but its name could not be read; the object seems to be paged out.</p>
<h2 id="process-2340">Process 2340</h2>
<p>This process runs the same executable as process 2752, but its behaviour differs in some respects, so I will cover only the differences.</p>
<h3 id="files-1">Files</h3>
<p><a href="/assets/images/WannaCry/p1/i16.png"><img src="/assets/images/WannaCry/p1/i16.png" alt="16" /></a></p>
<p>As you can see, there are two new file handles.</p>
<ul>
<li>Endpoint, AsyncConnectHlp:</li>
</ul>
<p>These are the \Device\Afd objects Winsock creates when a socket is opened and an asynchronous connect is issued, so they are a strong sign of network activity.</p>
<p>We can therefore assume this process makes a network connection; we will confirm it in the network section.</p>
<blockquote>
<p>This process could also be the one that shows the ransom message, but in a live dynamic analysis of the malware the message box appears 30~60 seconds after the dropper starts, while this process starts after only 5~10 seconds, so it cannot be the message-box process. We can also compare the window titles of the two processes: the one whose windows still carry the default strings is not the ransom-message process.</p>
</blockquote>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 windows <span class="nt">-p</span> 2340 | <span class="nb">grep </span>Name:
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i17.png"><img src="/assets/images/WannaCry/p1/i17.png" alt="17" /></a></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 windows <span class="nt">-p</span> 2752 | <span class="nb">grep </span>Name:
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i18.png"><img src="/assets/images/WannaCry/p1/i18.png" alt="18" /></a></p>
<p>The payment countdown text is set in the windows of process 2752, so 2752 is the message-box process.</p>
<h3 id="key-2">Key</h3>
<p>All the keys are the same as in process 2752.</p>
<h3 id="mutant--mutex-1">Mutant / Mutex</h3>
<p>This process also holds only one mutant handle, and again its name appears to be paged out.</p>
<h2 id="process-2092">Process 2092</h2>
<h3 id="file-1">File</h3>
<p><a href="/assets/images/WannaCry/p1/i19.png"><img src="/assets/images/WannaCry/p1/i19.png" alt="19" /></a></p>
<ul>
<li>Endpoint , AsyncConnectHlp</li>
</ul>
<p>This process holds more network and socket file handles than the previous one.</p>
<ul>
<li>
<p>R000000000006.clb:
this looks interesting at first, but it is a COM+ catalog file under Windows\Registration that many processes open, so for now we cannot call it a dropped or malicious file.</p>
</li>
<li>
<p>Roaming\tor\lock</p>
</li>
</ul>
<p>This is the really interesting handle: <code class="language-plaintext highlighter-rouge">lock</code> is the file a Tor client creates in its data directory.
But wait, the machine did not have Tor installed.
Either the file was dropped by the malware, or this is simply a folder called tor under AppData.</p>
<p>We will try to extract this file and inspect the folder in a later section.</p>
<h3 id="key-3">Key</h3>
<p><a href="/assets/images/WannaCry/p1/i20.png"><img src="/assets/images/WannaCry/p1/i20.png" alt="20" /></a></p>
<p>There are no interesting or new keys.</p>
<p>They are the same as in process 2464, including the Winsock catalog keys.</p>
<p>This process holds three mutant handles, but their names also appear to be paged out.</p>
<h1 id="network">Network</h1>
<p>From the previous part, we know that the malware has two processes that communicate over the network: 2340 and 2092.</p>
<h2 id="2340-connections">2340 connections</h2>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 netscan | <span class="nb">grep </span>2340
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i21.png"><img src="/assets/images/WannaCry/p1/i21.png" alt="21" /></a></p>
<p>This process establishes a connection to localhost on TCP port 9050. That is the default Tor SOCKS proxy port, so the process is most likely relaying its traffic through a local Tor client rather than talking to the internet directly.</p>
<h2 id="2092-connections">2092 connections</h2>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 netscan | <span class="nb">grep </span>2092
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i22.png"><img src="/assets/images/WannaCry/p1/i22.png" alt="22" /></a></p>
<p>Nice, as you can see, this process is listening on port 9050, so the loopback connection from 2340 went to this process.</p>
<p>It also makes some connections to localhost on other ports.</p>
<p>Then it connects to a handful of external IPs (they differ between runs, or at least three or four of them do). The only evidence we have to explain these connections is the tor path in the AppData folder: if this is a Tor client, those IPs are Tor relays (443 and 9001 are the ports relays most commonly use), the real destinations are onion domains, and the route is different almost every time.</p>
<h3 id="the-connected-ips">The Connected IPs</h3>
<ul>
<li>94.130.200.167:443</li>
<li>51.81.93.162:443</li>
<li>83.212.99.68:443</li>
<li>204.11.50.131:9001</li>
<li>82.149.227.236:9001</li>
<li>131.188.40.189:443</li>
</ul>
<blockquote>
<p>Note: in any case, the WannaCry onion domains are no longer reachable.</p>
</blockquote>
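<p>The relationship described in this section (2340 connecting to 127.0.0.1:9050, 2092 listening there and reaching out to relays) can be checked mechanically instead of by eye. The Python script below is an added example, not code from the writeup or from volatility: it parses <code class="language-plaintext highlighter-rouge">netscan</code> output, links every loopback connection to the process that listens on its target port, and flags a process that listens on the Tor SOCKS port while talking to public hosts on relay ports. The SAMPLE_NETSCAN rows are constructed to mirror what the page reports; the object offsets, local addresses, ephemeral ports, timestamps and the svchost.exe row are invented filler.</p>

```python
"""Correlate Volatility 2 `netscan` rows per process to expose the local
proxy chain (2340 -> 127.0.0.1:9050 -> 2092 -> relays) described above.

Added example, not code from the writeup. SAMPLE_NETSCAN is constructed to
mirror the relationships the page reports; offsets, local addresses,
ephemeral ports, timestamps and the svchost.exe row are invented filler.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

TOR_SOCKS_PORT = 9050           # default SOCKS port of a Tor client
TOR_RELAY_PORTS = {443, 9001}   # ports Tor relays most commonly use (9001 is the default ORPort)

SAMPLE_NETSCAN = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0x7d5e8250         TCPv4    0.0.0.0:9050                   0.0.0.0:0            LISTENING        2092     WannaCry.EXE   2021-02-22 17:52:41 UTC+0000
0x7d5e8250         TCPv6    :::9050                        :::0                 LISTENING        2092     WannaCry.EXE   2021-02-22 17:52:41 UTC+0000
0x7d9f1a70         TCPv4    127.0.0.1:49160                127.0.0.1:9050       ESTABLISHED      2340     WannaCry.EXE
0x7d9f1b20         TCPv4    127.0.0.1:9050                 127.0.0.1:49160      ESTABLISHED      2092     WannaCry.EXE
0x7da02b10         TCPv4    10.0.2.15:49162                94.130.200.167:443   ESTABLISHED      2092     WannaCry.EXE
0x7da04c30         TCPv4    10.0.2.15:49163                204.11.50.131:9001   ESTABLISHED      2092     WannaCry.EXE
0x7da06e90         TCPv4    10.0.2.15:49165                131.188.40.189:443   CLOSED           2092     WannaCry.EXE
0x7db11040         UDPv4    0.0.0.0:5355                   *:*                                   1064     svchost.exe    2021-02-22 17:40:01 UTC+0000
"""


@dataclass(frozen=True)
class Conn:
    proto: str
    laddr: str
    lport: int
    faddr: str
    fport: int
    state: str
    pid: int
    owner: str


def _split_addr(addr: str):
    """'1.2.3.4:443' -> ('1.2.3.4', 443); ':::9050' -> ('::', 9050); '*:*' -> ('*', 0)."""
    host, port = addr.rsplit(":", 1)
    return host, (int(port) if port.isdigit() else 0)


def parse_netscan(text: str):
    conns = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or not tokens[0].startswith("0x"):
            continue  # header, blank line or truncated row
        # UDP rows have no State column, so locate the Pid as the first all-digit
        # token after the two addresses and treat whatever precedes it as the state.
        pid_idx = next((i for i in range(4, len(tokens)) if tokens[i].isdigit()), None)
        if pid_idx is None:
            continue
        state = " ".join(tokens[4:pid_idx])
        owner = tokens[pid_idx + 1] if pid_idx + 1 < len(tokens) else ""
        laddr, lport = _split_addr(tokens[2])
        faddr, fport = _split_addr(tokens[3])
        conns.append(Conn(tokens[1], laddr, lport, faddr, fport, state, int(tokens[pid_idx]), owner))
    return conns


def _ip_flag(host: str, attr: str) -> bool:
    try:
        return getattr(ipaddress.ip_address(host), attr)
    except ValueError:  # '*' or other non-address placeholders
        return False


def loopback_chains(conns):
    """(client_pid, server_pid, port) for each loopback connection whose target
    port is LISTENING in another process, i.e. a process-to-process proxy hop."""
    listeners = defaultdict(set)
    for c in conns:
        if c.state == "LISTENING":
            listeners[c.lport].add(c.pid)
    chains = set()
    for c in conns:
        if c.state == "ESTABLISHED" and _ip_flag(c.faddr, "is_loopback"):
            for server_pid in listeners.get(c.fport, ()):
                if server_pid != c.pid:
                    chains.add((c.pid, server_pid, c.fport))
    return sorted(chains)


def per_process_summary(conns):
    """Listening ports, loopback targets and public peers for every PID."""
    summary = defaultdict(lambda: {"listens": set(), "loopback_targets": set(), "external_peers": set()})
    for c in conns:
        s = summary[c.pid]
        if c.state == "LISTENING":
            s["listens"].add(c.lport)
        elif _ip_flag(c.faddr, "is_loopback"):
            s["loopback_targets"].add(c.fport)
        elif _ip_flag(c.faddr, "is_global"):
            s["external_peers"].add((c.faddr, c.fport))
    return dict(summary)


def tor_like_processes(conns):
    """PIDs that listen on the Tor SOCKS port and also talk to public hosts on
    typical relay ports: the footprint of a bundled Tor client."""
    hits = set()
    for pid, s in per_process_summary(conns).items():
        peer_ports = {port for _, port in s["external_peers"]}
        if TOR_SOCKS_PORT in s["listens"] and peer_ports & TOR_RELAY_PORTS:
            hits.add(pid)
    return hits


if __name__ == "__main__":
    rows = parse_netscan(SAMPLE_NETSCAN)
    print("proxy chains:", loopback_chains(rows))
    print("tor-like pids:", tor_like_processes(rows))
```

<p>To run it on the real image, save the plugin output with <code class="language-plaintext highlighter-rouge">vol.py -f wanncry.vmem --profile Win7SP1x64 netscan &gt; netscan.txt</code> and pass the file contents to <code class="language-plaintext highlighter-rouge">parse_netscan</code>. The parser relies only on the column order of volatility 2's netscan output, so the Pid and Owner columns must be present.</p>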
<h1 id="dlls-scan">Dlls Scan</h1>
<p>We need to list all of them, as this may reveal which APIs the malware uses or any unusual DLL.</p>
<h2 id="2464-wannacryexe">2464 <strong>WannaCry.EXE</strong></h2>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 dlllist <span class="nt">-p</span> 2464
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i23.png"><img src="/assets/images/WannaCry/p1/i23.png" alt="23" /></a></p>
<p>Nothing interesting in these DLLs; it uses only system DLLs.
The list also shows the exe itself at the virtual base address 0x400000 with a size of 0x3d000, i.e. 61 pages; we hope to find all of them resident when we dump the VADs.</p>
<h2 id="2340-wannacryexe">2340 <strong>WannaCry.EXE</strong></h2>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 dlllist <span class="nt">-p</span> 2340
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i24.png"><img src="/assets/images/WannaCry/p1/i24.png" alt="24" /></a></p>
<p>Nothing interesting in this process's DLLs for now.</p>
<h2 id="2752-wannacryexe">2752 <strong>WannaCry.EXE</strong></h2>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 dlllist <span class="nt">-p</span> 2752
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i25.png"><img src="/assets/images/WannaCry/p1/i25.png" alt="25" /></a></p>
<p>Nothing interesting in this process's DLLs for now; it is the same as 2340 except that it was started with the command-line argument <code class="language-plaintext highlighter-rouge">co</code>.</p>
<h2 id="2092-wannacryexe">2092 <strong>WannaCry.EXE</strong></h2>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 dlllist <span class="nt">-p</span> 2092
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i26.png"><img src="/assets/images/WannaCry/p1/i26.png" alt="26" /></a></p>
<p>These DLLs are interesting: the process does not use only system DLLs, it also loads DLLs from a folder called TaskData next to the dropper on the desktop. This folder looks like part of the dropped data.</p>
<h3 id="markable-dlls-used">Markable dlls used</h3>
<ul>
<li>
<p>zlib1.dll: the zlib compression library, needed for compressing or decompressing data (or unpacking resources).</p>
</li>
<li>
<p>SSLEAY32.dll: the OpenSSL SSL/TLS library (its companion libeay32.dll is the crypto library); Tor links against OpenSSL, which matches the connections to port 443.</p>
</li>
</ul>
<p>The other DLLs are used for encryption; we will look at them in the analysis part, because identifying the functions used from each DLL takes too long for this part.</p>
<p>All the DLLs on the TaskData path can be counted as IOCs.</p>
<p>We can list all the files on this path and add them to the IOCs, as all of these files were dropped by the malware.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 filescan | <span class="nb">grep</span> <span class="nt">-i</span> <span class="s2">"Desktop</span><span class="se">\\</span><span class="s2">TaskData"</span>
</code></pre></div></div>
<p>Unfortunately, those file objects are not resident in memory.</p>
<p>Let's look at the AppData Roaming path to see whether we can find any valid information there.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 filescan | <span class="nb">grep</span> <span class="s2">"AppData</span><span class="se">\\</span><span class="s2">Roaming"</span>
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i27.png"><img src="/assets/images/WannaCry/p1/i27.png" alt="27" /></a></p>
<p>Unfortunately, there is no important data except the path we found before.</p>
<p>Let's go up one folder and search the whole AppData folder; maybe the malware dropped something else there.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 filescan | <span class="nb">grep</span> <span class="s2">"AppData"</span>
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i28.png"><img src="/assets/images/WannaCry/p1/i28.png" alt="28" /></a></p>
<p>Nice, in the Local\Temp folder there are many folders with the WNCRYTows suffix, each containing a .db file.</p>
<p><a href="/assets/images/WannaCry/p1/i29.png"><img src="/assets/images/WannaCry/p1/i29.png" alt="29" /></a></p>
<p>Great, there are a lot of databases related to WannaCry. The folder prefix can be used as an IOC, as can the file hibsys.WNCRYT.</p>
<h1 id="advanced-persistence">Advanced Persistence</h1>
<p>Before diving into the VADs I checked some registry keys, including the Run key of the user who opened the dropper, and guess what: the malware registered itself there, so it will be started every time this user logs in.</p>
<p>the key name is : gvwcegcjpglxe848</p>
<p><a href="/assets/images/WannaCry/p1/i30.png"><img src="/assets/images/WannaCry/p1/i30.png" alt="30" /></a></p>
<p>But nothing happens by luck; there is always a <strong>WHY</strong>.</p>
<p>So I decided to trace this action along the timeline.</p>
<p>Unfortunately, the timeline did not give me valid information about how it happened, so I wrote a plugin to trace changes to registry keys.</p>
<p><a href="https://github.com/m0hamed1112/my_vol">GetLastModKey</a></p>
<p>Then I used it to list all the registry keys changed between the start of WannaCry.exe and the end.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">--plugins</span><span class="o">=</span>my_plugins <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 getlastmodkey <span class="nt">-t</span> <span class="s1">'2021-02-22 17:52:20'</span>
</code></pre></div></div>
<p>It gave me two important findings instead of one.</p>
<p><a href="/assets/images/WannaCry/p1/i31.png"><img src="/assets/images/WannaCry/p1/i31.png" alt="31" /></a></p>
<p><a href="/assets/images/WannaCry/p1/i32.png"><img src="/assets/images/WannaCry/p1/i32.png" alt="32" /></a></p>
<p>The malware creates a new registry key, WanaCrypt0r, containing a single value <code class="language-plaintext highlighter-rouge">wd</code>.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 printkey <span class="nt">-K</span> <span class="s2">"Software</span><span class="se">\\</span><span class="s2">WanaCrypt0r"</span>
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i33.png"><img src="/assets/images/WannaCry/p1/i33.png" alt="33" /></a></p>
<p>It points to the desktop, the location of WannaCry (presumably the working directory).</p>
<p>We can check whether any other process currently holds a handle to this key.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 handles <span class="nt">-t</span> key | <span class="nb">grep </span>WanaCrypt0r
</code></pre></div></div>
<p>Nice, no process holds a handle to it. Keep in mind that <code class="language-plaintext highlighter-rouge">handles</code> only shows keys that are still open, so the dropper could have written the value and closed the key; the value was most likely prepared for another component that is dropped or unpacked later.</p>
<p>The second finding is that the malware modified the key in the same second that taskdl.exe terminated. The two events may be related, or the memory was cleared so that no evidence of this change remains unless you enumerate all the keys.</p>
<p>Anyway, the VADs will help us collect the missing information.</p>
<h1 id="diving-in-vads">Diving in VADs</h1>
<p>VADs will provide us with very important information, by checking them for process injection or even getting data from process memory and heap.</p>
<h2 id="heaps">Heaps</h2>
<p>Unfortunately, there is no built-in volatility 2 plugin that dumps process heaps, so we read the process's _PEB ourselves: NumberOfHeaps gives the heap count and ProcessHeaps points to an array of heap base addresses; each heap then maps to a VAD we can dump.</p>
<blockquote>
<p>Note: we will not extract all the VADs of every process, because searching through all of them, including the DLL mappings, would be tedious; for the heaps we can extract them one by one.</p>
</blockquote>
<h3 id="processes-2464">Processes 2464</h3>
<p>we need a volatility shell for this session</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 volshell <span class="nt">-p</span> 2464
</code></pre></div></div>
<p>then we need to get the number of heaps :</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>proc<span class="o">()</span>.Peb.NumberOfHeaps
</code></pre></div></div>
<p>and there are 2 heaps only.</p>
<p>then check the process heaps array of pointers.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># address of the array of heap base pointers in the PEB</span>
H_Pointer <span class="o">=</span> proc<span class="o">()</span>.Peb.ProcessHeaps.v<span class="o">()</span>
</code></pre></div></div>
<p>Now read the two pointers from that array; each entry is 8 bytes in the 64-bit PEB, stored little-endian.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c"># first heap base address</span>
db<span class="o">(</span>H_Pointer, 8<span class="o">)</span>
<span class="c"># second heap base address</span>
db<span class="o">(</span>H_Pointer + 8, 8<span class="o">)</span>
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i34.png"><img src="/assets/images/WannaCry/p1/i34.png" alt="34" /></a></p>
<p>now we will extract only those 2 heaps</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 vaddump <span class="nt">-p</span> 2464 <span class="nt">-b</span> 0x360000 <span class="nt">-D</span> vadDump2464/
</code></pre></div></div>
<p>This one does not contain important strings; it looks like environment variables.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 vaddump <span class="nt">-p</span> 2464 <span class="nt">-b</span> 0x10000 <span class="nt">-D</span> vadDump2464/
</code></pre></div></div>
<p>This one also seems to contain environment variables and some information about its child, which we already know.</p>
<h3 id="process-2340-1">Process 2340</h3>
<p>It may contain useful information, as it made some kind of network connection.</p>
<p>We will do the same as before;
you just need to switch to this process object, either with <code class="language-plaintext highlighter-rouge">cc(pid=2340)</code> or by using its offset.</p>
<p><a href="/assets/images/WannaCry/p1/i35.png"><img src="/assets/images/WannaCry/p1/i35.png" alt="35" /></a></p>
<p>and 2752</p>
<p><a href="/assets/images/WannaCry/p1/i36.png"><img src="/assets/images/WannaCry/p1/i36.png" alt="36" /></a></p>
<p>Likewise it has two heaps,
with no important information, as before.</p>
<h3 id="process-2092-1">Process 2092</h3>
<p>This is the last process, and our best hope.</p>
<p><a href="/assets/images/WannaCry/p1/i37.png"><img src="/assets/images/WannaCry/p1/i37.png" alt="37" /></a></p>
<p>Nice, this process has three heaps, so we hope to find something.</p>
<p>VADs 0x10000 and 0x420000 look like those of the previous process, except that 0x420000 contains some process names,</p>
<p>but 0x20000 contains a strange message that looks like a log message.</p>
<p><a href="/assets/images/WannaCry/p1/i38.png"><img src="/assets/images/WannaCry/p1/i38.png" alt="38" /></a></p>
<p>Now we are done with the heaps, with no valid information except this message.</p>
<h2 id="search-in-vads">Search in VADs</h2>
<p>Now we will extract the VADs and narrow our search by extracting only the VADs with protection PAGE_READWRITE.</p>
<p>But before extracting the VADs, let's check for any kind of DLL injection.</p>
<p>For that we can use <code class="language-plaintext highlighter-rouge">ldrmodules</code>, which cross-checks every mapped image against the three PEB loader lists.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 ldrmodules <span class="nt">-p</span> 2464,2340,2092,2752 | <span class="nb">grep </span>False
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i39.png"><img src="/assets/images/WannaCry/p1/i39.png" alt="39" /></a></p>
<p>The only entries that look injected are the <code class="language-plaintext highlighter-rouge">dll.mui</code> files. These are language resource files mapped as data rather than loaded as code modules, so they never appear in the loader lists; ldrmodules flags them in almost every process, a well-known false positive, so this is not DLL injection.</p>
<p>now time to extract what we can extract from vads data for malware processes.</p>
<h3 id="process-2464-1">Process 2464</h3>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 vaddump <span class="nt">-p</span> 2464 <span class="nt">-D</span> vadDump2464/
</code></pre></div></div>
<p>This process is the one responsible for creating the <strong>WanaCrypt0r</strong> registry key: at its creation time no process other than this dropper existed.
It may also be responsible for adding the Run key value; if so, we may still fail to find evidence for the WanaCrypt0r key, as it is very careful about registry keys.</p>
<p>We can start by searching all the VADs for the path of the key.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">grep</span> <span class="nt">-l</span> <span class="s1">'Software\\WanaCrypt0r'</span> vadDump2464/<span class="k">*</span>
</code></pre></div></div>
<p>As expected, there is no trace of it.</p>
<p>So let's search for any information about the Run key, in the same way, or by using the key name.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">grep</span> <span class="nt">-l</span> <span class="s1">'Windows\\CurrentVersion\\Run'</span> vadDump2464/<span class="k">*</span>
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i40.png"><img src="/assets/images/WannaCry/p1/i40.png" alt="40" /></a></p>
<p>it’s found in 3 vads.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>strings vadDump2464/WannaCry.EXE.1e79db30.0x0000000000900000-0x00000000009fffff.dmp vadDump2464/WannaCry.EXE.1e79db30.0x0000000002b80000-0x0000000002c7ffff.dmp vadDump2464/WannaCry.EXE.1e79db30.0x0000000010000000-0x000000001000ffff.dmp | <span class="nb">grep</span> <span class="s1">'Windows\\CurrentVersion\\Run'</span>
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i41.png"><img src="/assets/images/WannaCry/p1/i41.png" alt="41" /></a></p>
<p>It spawned cmd to run <code class="language-plaintext highlighter-rouge">reg</code> and add the value (no cmd.exe was found among the processes, so it had already exited).</p>
<p>A quick look at those three VADs reveals the following interesting information.</p>
<p><a href="/assets/images/WannaCry/p1/i43.png"><img src="/assets/images/WannaCry/p1/i43.png" alt="43" /></a></p>
<p>It seems to use AES and to save something related to the key in the .dky file.</p>
<p><a href="/assets/images/WannaCry/p1/i44.png"><img src="/assets/images/WannaCry/p1/i44.png" alt="44" /></a></p>
<p>It also seems to create some kind of script.</p>
<p><a href="/assets/images/WannaCry/p1/i45.png"><img src="/assets/images/WannaCry/p1/i45.png" alt="45" /></a></p>
<p>There are some strings ending in .wnry; they may be configuration files or other important files belonging to the malware.</p>
<p><a href="/assets/images/WannaCry/p1/i46.png"><img src="/assets/images/WannaCry/p1/i46.png" alt="46" /></a></p>
<p>It uses taskkill to terminate some processes, such as database instances, so that their files can be encrypted.</p>
<p><a href="/assets/images/WannaCry/p1/i48.png"><img src="/assets/images/WannaCry/p1/i48.png" alt="48" /></a></p>
<p>And here we find great information: five onion domains, followed by a link to the Tor project.
This process is the dropper, so all this data was packed inside it, and it dropped the domains and the link to be used by the other processes.</p>
<p><a href="/assets/images/WannaCry/p1/i49.png"><img src="/assets/images/WannaCry/p1/i49.png" alt="49" /></a></p>
<p>The last thing you will find is the names of the files; one of them appeared in the process handles.</p>
<h4 id="quick-static-analysis-to-the-binary-">Quick static analysis to the binary :</h4>
<p>The binary of the exe is in the VAD at 0x400000; we only need to check some of its strings.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>strings vadDump2464/WannaCry.EXE.1e79db30.0x0000000000400000-0x0000000000759fff.dmp
</code></pre></div></div>
<p>you can notice some .wnry and .exe</p>
<p><a href="/assets/images/WannaCry/p1/i50.png"><img src="/assets/images/WannaCry/p1/i50.png" alt="50" /></a></p>
<p>so let’s grep all exes and wnry file names from this process bin.</p>
<p><a href="/assets/images/WannaCry/p1/i51.png"><img src="/assets/images/WannaCry/p1/i51.png" alt="51" /></a></p>
<p>The <code class="language-plaintext highlighter-rouge">wnry</code> files look like the configuration files and the ransom message in many languages.</p>
<p><a href="/assets/images/WannaCry/p1/i52.png"><img src="/assets/images/WannaCry/p1/i52.png" alt="52" /></a></p>
<p>And some exe names that are hardcoded in the binary.</p>
<p>Also, by quickly skimming the strings you can see this interesting part.</p>
<p><a href="/assets/images/WannaCry/p1/i53.png"><img src="/assets/images/WannaCry/p1/i53.png" alt="53" /></a></p>
<p>We already know about the encryption part and the use of cmd.</p>
<p>The new things are the three strange strings: one of them is the Bitcoin address shown in the ransom message, so we can assume all three are Bitcoin addresses. This is easy to verify, since a Bitcoin address is Base58Check encoded and carries a checksum.</p>
<p><strong>icacls, attrib</strong>: <code class="language-plaintext highlighter-rouge">icacls . /grant Everyone:F /T /C /Q</code> grants everyone full control of the working directory and everything in it, and <code class="language-plaintext highlighter-rouge">attrib +h .</code> marks the directory hidden.</p>
<p><strong>WNcry@2ol7</strong>: this does not look like a random string; it may be the password of the protected archive packed in the resources.</p>
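<p>The assumption just made, that all three strange strings are Bitcoin addresses, can be checked: in a Base58Check address the last four decoded bytes are a double-SHA256 checksum over the version byte and the 20-byte hash. The Python script below is an added example, not code from the writeup; it pulls onion domains, .wnry and .exe names and Bitcoin candidates out of <code class="language-plaintext highlighter-rouge">strings</code> output (the same job the grep commands in this section and the previous one do by hand) and reports only candidates whose checksum verifies. SAMPLE_STRINGS is constructed from strings the writeup itself reports plus one deliberately corrupted address; the regexes and the IOC categories are this example's own choices.</p>

```python
"""Pull IOCs out of `strings` output from dumped VADs and validate the
Bitcoin candidates with Base58Check.

Added example, not code from the writeup. SAMPLE_STRINGS is constructed from
strings the writeup itself reports (plus one deliberately corrupted address);
the regexes and the IOC categories are this example's own choices.
"""
import hashlib
import re

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Candidate patterns. A Bitcoin candidate is only reported once its checksum verifies.
BTC_RE = re.compile(r"(?<![0-9A-Za-z])[13][1-9A-HJ-NP-Za-km-z]{25,34}(?![0-9A-Za-z])")
ONION_RE = re.compile(r"\b(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion\b")  # v3 or legacy v2 names
WNRY_RE = re.compile(r"(?:msg/)?[A-Za-z0-9_()][A-Za-z0-9_ ()]*\.wnry")
EXE_RE = re.compile(r"[A-Za-z0-9_@]+\.exe\b")

SAMPLE_STRINGS = """\
!This program cannot be run in DOS mode.
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLm
gx7ekbenv2riucmf.onion;57g7spgrzlojinas.onion;xxlvbrloxvriy2c5.onion;76jdd2ir2embyv47.onion;cwwnhwhlz52maqm7.onion
msg/m_english.wnry
msg/m_chinese (simplified).wnry
c.wnry
t.wnry
@WanaDecryptor@.exe
tasksche.exe
taskdl.exe
WNcry@2ol7
"""


def b58check_decode(s: str):
    """Return the payload of a Base58Check string (version byte + data), or None
    when a character is not Base58 or the 4-byte double-SHA256 checksum fails."""
    n = 0
    for ch in s:
        digit = B58_ALPHABET.find(ch)
        if digit < 0:
            return None
        n = n * 58 + digit
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_zeros = len(s) - len(s.lstrip("1"))  # each leading '1' encodes a 0x00 byte
    raw = b"\x00" * leading_zeros + body
    if len(raw) < 5:
        return None
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        return None
    return payload


def btc_address_type(s: str):
    """'P2PKH' for a valid mainnet version-0 address, 'P2SH' for version 5, else None."""
    payload = b58check_decode(s)
    if payload is None or len(payload) != 21:  # 1 version byte + 20-byte hash
        return None
    return {0: "P2PKH", 5: "P2SH"}.get(payload[0])


def extract_iocs(text: str):
    """Group IOC-like strings by type; Bitcoin candidates that fail the checksum
    are reported separately so the analyst can see what was discarded."""
    valid, rejected = set(), set()
    for candidate in BTC_RE.findall(text):
        (valid if btc_address_type(candidate) else rejected).add(candidate)
    return {
        "bitcoin": sorted(valid),
        "bitcoin_rejected": sorted(rejected),
        "onion": sorted(set(ONION_RE.findall(text))),
        "wnry": sorted(set(WNRY_RE.findall(text))),
        "exe": sorted(set(EXE_RE.findall(text))),
    }


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_STRINGS).items():
        print(f"{kind}: {values}")
```

<p>Feed it the output of <code class="language-plaintext highlighter-rouge">strings -a</code> over the dumped VADs (and <code class="language-plaintext highlighter-rouge">strings -a -el</code> for UTF-16 strings, which plain grep on the dump files misses). The corrupted address differs from the real one only in its last character, which changes the stored checksum but not the payload, so it lands in <code class="language-plaintext highlighter-rouge">bitcoin_rejected</code> while the three genuine addresses validate as P2PKH.</p>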
<h3 id="process-2340-">Process 2340 .</h3>
<p>For this process we can start by extracting vadinfo to get all the VADs with protection PAGE_EXECUTE_WRITECOPY.</p>
<p>Do not forget to also get the executable's VAD, which is at 0x0000000000400000.</p>
<p>We can start with the same kind of static analysis of the binary.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vol.py <span class="nt">-f</span> wanncry.vmem <span class="nt">--profile</span> Win7SP1x64 vaddump <span class="nt">-p</span> 2340 <span class="nt">-b</span> 0x0000000000400000 <span class="nt">-D</span> vadDump2340/
</code></pre></div></div>
<p><a href="/assets/images/WannaCry/p1/i54.png"><img src="/assets/images/WannaCry/p1/i54.png" alt="54" /></a></p>
<p>It uses the language .wnry files that were dropped.</p>
<p><a href="/assets/images/WannaCry/p1/i55.png"><img src="/assets/images/WannaCry/p1/i55.png" alt="55" /></a></p>
<p>It also tries to delete the Volume Shadow Copies (VSS), removing the easy recovery path for the encrypted files.</p>
<p>Those are the interesting parts of the binary's VAD.</p>
<p>Checking the other VADs, only two contain valid information, 0x0000000000090000 and 0x0000000000600000; in them you find information we already know, such as the onion domains, the Bitcoin addresses and some encryption APIs.</p>
<p>Process 2752 is essentially the same as 2340, except that 2752 has some extra values set, such as the start and end time of the 7 days.</p>
<h3 id="process-2092-2">Process 2092</h3>
<p>From all the information we found, we can say that this process is a Tor client running under a different name.</p>
<p>It contains some RSA keys and IPs, as well as strings that identify it as a Tor project build.</p>
<p>The string we found on the heap was a Tor state-check message.</p>
<p><a href="/assets/images/WannaCry/p1/i56.png"><img src="/assets/images/WannaCry/p1/i56.png" alt="56" /></a></p>
<p><a href="/assets/images/WannaCry/p1/i58.png"><img src="/assets/images/WannaCry/p1/i58.png" alt="58" /></a></p>
<p>We can also find some requests that were sent, in VADs 0x00000000037f0000 and 0x00000000041d0000.</p>
<p><a href="/assets/images/WannaCry/p1/i57.png"><img src="/assets/images/WannaCry/p1/i57.png" alt="57" /></a></p>
<h1 id="iocs">IOCS</h1>
<p>We found very useful information; some of it can be counted as IOCs, at least for this part.</p>
<h2 id="mutex">Mutex</h2>
<ul>
<li>MsWinZonesCacheCounterMutexA</li>
<li>MsWinZonesCacheCounterMutexA0</li>
</ul>
<h2 id="registry">Registry</h2>
<ul>
<li>creates: <strong>Software\WanaCrypt0r</strong></li>
<li>adds to: <strong>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</strong> a value pointing to <strong>path\to\tasksche.exe</strong></li>
</ul>
<h2 id="files-2">Files</h2>
<p>Most of the files are not memory resident, so we cannot rely on their hashes; for now we can only list the dropped file names.</p>
<ul>
<li>c.wnry</li>
<li>t.wnry</li>
<li>b.wnry</li>
<li>r.wnry</li>
<li>s.wnry</li>
<li>u.wnry</li>
<li>msg/m_bulgarian.wnry</li>
<li>msg/m_chinese (simplified).wnry</li>
<li>msg/m_chinese (traditional).wnry</li>
<li>msg/m_croatian.wnry</li>
<li>msg/m_czech.wnry</li>
<li>msg/m_danish.wnry</li>
<li>msg/m_dutch.wnry</li>
<li>msg/m_english.wnry</li>
<li>msg/m_filipino.wnry</li>
<li>msg/m_finnish.wnry</li>
<li>msg/m_french.wnry</li>
<li>msg/m_german.wnry</li>
<li>msg/m_greek.wnry</li>
<li>msg/m_indonesian.wnry</li>
<li>msg/m_italian.wnry</li>
<li>msg/m_japanese.wnry</li>
<li>msg/m_korean.wnry</li>
<li>msg/m_latvian.wnry</li>
<li>msg/m_norwegian.wnry</li>
<li>msg/m_polish.wnry</li>
<li>msg/m_portuguese.wnry</li>
<li>msg/m_romanian.wnry</li>
<li>msg/m_russian.wnry</li>
<li>msg/m_slovak.wnry</li>
<li>msg/m_spanish.wnry</li>
<li>msg/m_swedish.wnry</li>
<li>msg/m_turkish.wnry</li>
<li>msg/m_vietnamese.wnry</li>
<li>AppData\local\Temp\hibsys.WNCRYT</li>
<li>00000000.eky</li>
<li>00000000.pky</li>
<li>00000000.res</li>
</ul>
<h2 id="executable">Executable</h2>
<ul>
<li>taskhsvc.exe</li>
<li>tasksche.exe</li>
<li>@WanaDecryptor@.exe</li>
<li>taskdl.exe</li>
<li>taskse.exe</li>
</ul>
<h2 id="dropped-dlls">Dropped Dlls</h2>
<ul>
<li>zlib1.dll</li>
<li>libeay32.dll</li>
<li>ssleay32.dll</li>
<li>libssp-0.dll</li>
<li>libevent-2-0-5.dll</li>
<li>libgcc_s_sjlj-1.dll</li>
</ul>
<h2 id="file-handles">File Handles</h2>
<ul>
<li>Windows\SysWOW64\en-US\MFC42.dll.mui</li>
<li>Windows\SysWOW64\en-US\odbcint.dll.mui</li>
<li>Users\user\AppData\Roaming\tor\lock</li>
<li>Windows\SysWOW64\en-US\KernelBase.dll.mui</li>
</ul>
<h2 id="folders">Folders</h2>
<ul>
<li>the\same\path\TaskData</li>
<li>Users\user\AppData\Local\Temp\&lt;number&gt;.WNCRYTows</li>
</ul>
<h2 id="domains">Domains</h2>
<ul>
<li>gx7ekbenv2riucmf.onion</li>
<li>57g7spgrzlojinas.onion</li>
<li>xxlvbrloxvriy2c5.onion</li>
<li>76jdd2ir2embyv47.onion</li>
<li>cwwnhwhlz52maqm7.onion</li>
</ul>
<h2 id="bitcoin-wallet-addresses">Bitcoin wallet addresses</h2>
<ul>
<li>115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn</li>
<li>12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw</li>
<li>13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94</li>
</ul>
<h2 id="other-strings-and-commands">Other Strings and Commands</h2>
<ul>
<li>icacls . /grant Everyone:F /T /C /Q</li>
<li>attrib +h .</li>
<li>WNcry@2ol7</li>
</ul>
<h1 id="conclusion">Conclusion</h1>
<p>WannaCry is ransomware that encrypts the user's files on the machine, then asks for $300 in Bitcoin, rising to $600 after 3 days; if the victim does not pay within 7 days, the data can no longer be recovered.</p>
<p>The malware starts execution by dropping files packed inside it: configuration files in WannaCry's own encrypted form, a bitmap image set as the desktop background, and some DLLs used by the dropped executables.</p>
<p>Tor is one of the dropped files; the malware uses it to reach some onion domains that act as its controllers.</p>
<p>At the same time it uses attrib and icacls to hide its working directory and grant everyone access to it, then starts encrypting the user's files.</p>
<p>It also deletes the Volume Shadow Copies at some point, which makes the data unrecoverable without the key; the image does not show exactly when this happens.</p>
<p>The dropper starts some of the dropped executables, such as @WanaDecryptor@.exe.</p>
<p>The registry gets its share as well: a new key is created whose value points to the dropper's path, and persistence is set up by adding one of the dropped executables to the Run key, so it starts whenever the user logs in again.</p>
<p>In parallel, it enumerates the local network and scans it for hosts vulnerable to the EternalBlue SMB exploit, so it can spread across the network.</p>
<p>Finally, it shows the famous ransom message via @WanaDecryptor@.exe, asking the victim to pay and displaying one of the three Bitcoin wallet addresses.</p>
<p>And you are left with the choice between losing your data, or losing your money and your data.</p>
<p><strong>THANK YOU FOR READING, I hope you all enjoyed it</strong></p>
<p><a href="/assets/images/WannaCry/p1/zend.png"><img src="/assets/images/WannaCry/p1/zend.png" alt="100" /></a></p>
<p>Mohamed Labib</p>