You are dealing with real malware samples

Don’t expose them to internal networks or internet

Analyze them only in a controlled environment (sandbox)

We are not responsible for any consequences of damage if you fail to obey the rules

Six-step investigative methodology (SANS):

1. Identify rogue processes
2. Analyze process DLLs and handles
3. Review network artifacts
4. Look for evidence of code injection
5. Check for signs of rootkit
6. Dump suspicious processes and drivers

Quick static analysis tools: strings, peinfo, pestudio, VirusTotal

As we can see, the terminated processes taskdl.exe and taskse.exe appear along with their parent process, PID 1940.

tshark -T fields -e ip.src -r dump.pcap | sort -u

.onion domains found in the @WanaDecryptor@ process memory:

gx7ekbenv2riucmf.onion

57g7spgrzlojinas.onion

xxlvbrloxvriy2c5.onion

76jdd2ir2embyv47.onion

cwwnhwhlz52maqm7.onion

This post explains the memory dump analysis of a WannaCry-infected system using Volatility (an open source memory forensics framework) and other open source tools. It does not cover the analysis of the initial infection vector, propagation, or recovery of the infected system. The objective is to leverage memory forensic analysis to uncover and extract Indicators of Compromise (IoCs).

WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a ransomware program targeting the Microsoft Windows operating system. On Friday, 12 May 2017, a large cyber-attack using it was launched, infecting more than 230,000 computers in 150 countries and demanding ransom payments in the cryptocurrency bitcoin in 28 languages. The attack has been described by Europol as unprecedented in scale.

sha256sum: 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
sha256sum: 76e8be1a3761878325fdff39a5ab1ff84922a0b18947e5268dd9175795ad2bf0
Sample: https://mega.nz/#!Au5xlCAS!KX5ZJKYzQgDHSa72lPFwqKL6CsZS7oQGbyyQrMTH9XY

The analysis follows the six-step investigative methodology by SANS (digital-forensics.sans.org/media/Poster-2015-Memory-Forensics.pdf).

Since the binary is available, it is always good to do a quick static analysis to identify any malicious indicators or abnormal characteristics. The tools listed above (strings, peinfo, pestudio, VirusTotal) can be handy for this.

Extract the strings of the binary using the strings tool. The only URL found among the unknown strings was later discovered to be a kill switch. Wana Decryptor infects systems through a malicious program that first tries to connect to an unregistered web domain. The kill switch appears to work like this: if the malicious program can't connect to the domain, it proceeds with the infection; if the connection succeeds, the program stops the attack.
Later, the security researcher known as MalwareTech found and activated the kill switch by registering the web domain and posting a page on it.

The above indicators suggest that WannaCry can drop binaries on the fly to run different tasks on the system; let's hope to see these processes in the upcoming memory analysis. We can see a few more interesting strings related to mutex creation on the infected system and to granting or modifying discretionary access controls (DACLs) on the infected system. A strange password-like string, 'WNcry@2ol7', can also be spotted. A further deep dive into the strings shows various files with the .wnry extension; only dynamic analysis can help us understand what these files are.

Let's assume that we now have only the memory dump in hand and no other evidence of indicators of compromise. Using Volatility we can uncover memory-resident artifacts and reconstruct the timeline of activities on the infected system.

Start with Volatility's process listing command to look at the processes that were running when the memory was acquired. It's always good to know the native Windows processes so that the other processes can be easily identified. PID 1940 initiated PID 740, and both processes look completely strange; tasksche was also spotted in the strings of the WannaCry binary. The process-scanning plugin will also list all processes, including terminated ones, which helps identify the process hierarchy and the timeline of creation. If we sort the processes by creation time, the timeline of process creation becomes easy to understand. The unknown processes in that listing can be considered suspicious. Looking at the order of process creation, taskse.exe was created before taskdl.exe, but we still have no idea what these processes do.
Searching the popular search engines for these process names shows that these samples had already been analyzed by the major threat intelligence and AV vendors; in reality, though, many new indicators can be uncovered in a short time when it comes to unknown threats.

Run the DLL-listing plugin to identify process DLLs and the path the process executed from; this gives a clear understanding of malicious processes when they were run from dropped binaries in uncommon folders. Identify the path of the binary for process tasksche.exe, which clearly looks uncommon and suspicious. It's recommended to look at the DLLs loaded to understand the capabilities of the process, such as encryption, registry modification, socket creation, etc.

Process @WanaDecryptor@ with PID 740 also runs from the same path as process tasksche.exe. Based on the DLLs loaded by the @WanaDecryptor@ process, it can perform socket creation (Ws2_32.dll), high-level network communication (WININET.DLL), registry queries (ADVAPI32.DLL), encryption (SECUR32.DLL) and interaction with browsers such as Internet Explorer (URLMON.DLL).

Looking at the handles of PID 1940, it has created a mutex named 'MsWinZonesCacheCounterMutexA'. (Mutexes have long been used by malware authors to prevent more than one instance of the malware running on the same machine; an old anti-malware trick consists of creating a specific mutex to prevent the execution of a specific malware.) A quick Google search for this mutex shows that 'MsWinZonesCacheCounterMutexA' can be one of the IoCs for identifying infected systems.

Just as the mutex is one type of handle, the Volatility handle-listing plugin can also identify File, Key, Event, Thread and Port handle types for any process. A quick look at the files accessed by PID 1940 follows. It's recommended to look at the Key handle type for any process, which can give insight into registry changes made by that process.
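The two steps above (list processes including terminated ones, sort them by creation time, then check each suspicious process's image path) are the kind of triage that is easy to script once the plugin output has been parsed. The following is an added example, not code from the post or from Volatility: it models process records the way the post's listing reads, sorts them into a timeline, renders the parent/child tree, and flags processes that are not in a baseline of native Windows names, run from an uncommon folder, or are children of an already-flagged process. The process names, PIDs 1940 and 740, and the folder name ivecuqmanpnirkt615 come from the post; the other PIDs, the timestamps, the explorer.exe parent, the drive path and the baseline list are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Assumption: a short baseline of native Windows process names (the post only says to
# know the native processes); extend it for the Windows version of the image under review.
KNOWN_WINDOWS_PROCESSES = {
    "system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe", "lsm.exe", "taskhost.exe",
}


@dataclass
class Proc:
    name: str
    pid: int
    ppid: int
    created: datetime
    path: Optional[str]      # full image path from the PEB; None for terminated processes
    exited: bool = False     # True for processes only recovered by pool scanning


# Constructed records modelled on the post's findings. Names, PIDs 1940/740 and the folder
# ivecuqmanpnirkt615 come from the post; the other PIDs, timestamps, the explorer.exe parent
# and the drive path are invented for this example.
PROCESSES = [
    Proc("explorer.exe", 1512, 1480, datetime(2017, 5, 12, 10, 0, 0), r"C:\Windows\explorer.exe"),
    Proc("tasksche.exe", 1940, 1512, datetime(2017, 5, 12, 10, 5, 0),
         r"C:\sample\ivecuqmanpnirkt615\tasksche.exe"),
    Proc("taskse.exe", 1880, 1940, datetime(2017, 5, 12, 10, 5, 10), None, exited=True),
    Proc("taskdl.exe", 2004, 1940, datetime(2017, 5, 12, 10, 5, 20), None, exited=True),
    Proc("@WanaDecryptor@.exe", 740, 1940, datetime(2017, 5, 12, 10, 5, 30),
         r"C:\sample\ivecuqmanpnirkt615\@WanaDecryptor@.exe"),
]


def timeline(procs: List[Proc]) -> List[Proc]:
    """Order processes by creation time, the view the post uses to read the chain of events."""
    return sorted(procs, key=lambda p: p.created)


def triage(procs: List[Proc]) -> Dict[int, List[str]]:
    """Return {pid: [reasons]} for processes that deserve a closer look."""
    flagged: Dict[int, List[str]] = {}
    for p in timeline(procs):                      # parents are seen before their children
        reasons = []
        if p.name.lower() not in KNOWN_WINDOWS_PROCESSES:
            reasons.append("name not in Windows baseline")
        if p.path and not p.path.lower().startswith("c:\\windows\\"):
            reasons.append(f"runs from uncommon folder: {p.path}")
        if p.ppid in flagged:
            reasons.append(f"child of flagged PID {p.ppid}")
        if reasons and p.exited:
            reasons.append("already terminated: only visible via pool scanning")
        if reasons:
            flagged[p.pid] = reasons
    return flagged


def render_tree(procs: List[Proc], root_ppid: int) -> List[str]:
    """Indented parent/child view, children ordered by creation time."""
    children: Dict[int, List[Proc]] = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    lines: List[str] = []

    def walk(ppid: int, depth: int) -> None:
        for c in sorted(children.get(ppid, []), key=lambda p: p.created):
            tag = " [exited]" if c.exited else ""
            lines.append(f"{'  ' * depth}{c.name} (PID {c.pid}){tag}")
            walk(c.pid, depth + 1)

    walk(root_ppid, 0)
    return lines


if __name__ == "__main__":
    for line in render_tree(PROCESSES, 1480):
        print(line)
    for pid, reasons in triage(PROCESSES).items():
        print(pid, "->", "; ".join(reasons))
```

Terminated processes have no PEB to read a path from, so they are flagged only through their name and their parent; that is why the baseline and the parent chain matter more than the path for taskdl.exe and taskse.exe.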
Below are the Key-type handles for process PID 740. No persistence mechanism has been found yet; it can be identified with the registry plugin by checking the Run and RunOnce keys, the Winlogon keys, the BootExecute key, the startup folders and the services key.

Network-related artifacts can be identified with one plugin for active connections and another for terminated connections. Sadly, no connections were found. Since the memory dump can also hold network packets, we can use a data carving tool to extract network connections from memory; the Volatility pcap-extraction plugin can also extract a pcap from the memory dump. The extracted pcap was opened in Wireshark to look for the kill-switch domain name and other network connections. Unfortunately no kill switch was found in this pcap (extracted from memory), only a few unknown remote IPs. Using the tshark command shown above, all IPs from the pcap were extracted to a text file and can further be used as indicators of compromise.

The kill switch was found in a pcap captured while WannaCry was infecting the system; the download link is below.

Pcap: https://mega.nz/#!h6oCBbYS!TV46RntkpyZaPZYaSpir3iutOQLBZvm4xf4t84enuHM
sha256sum: 88088077d67bd10dbc1d4bd1c240ad1a7f6c0b251bc22bcc2c6b52eba9142d2b

As per the kill-switch mechanism built in by WannaCry's author, the system was infected further because the domain did not resolve and was unreachable. In this pcap, a number of unknown hosts were found. All IPs were copied to a text file using the same tshark command and can be treated as automated indicators of compromise.

Memory-resident files can be searched for using the file-scanning plugin and dumped using the file-dump plugin. While looking for the specific folder of tasksche.exe, interestingly all files related to the ransomware were found in one location, the folder ivecuqmanpnirkt615. These files can be dumped by passing the physical address of each file to the dump plugin with the -Q option. Further analysis (static, dynamic or reverse engineering) of these extracted binaries can give a lot of insight into the ransomware mechanism.
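The post's `tshark -T fields -e ip.src -r dump.pcap | sort -u` gives a raw, deduplicated address list, but an IoC list is only useful after the victim itself, the lab network, loopback, multicast and broadcast addresses have been taken out. The block below is an added example, not code from the post or from tshark: it parses tshark field output with both `ip.src` and `ip.dst` (tab-separated, as tshark prints it), drops the noise, and emits one indicator line per remote host. The sample output, the victim address 192.168.56.101 and the RFC 5737 documentation ranges (standing in for real remote hosts) are constructed for the example.

```python
import ipaddress
from typing import List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed tshark output from a command like the post's, widened to both endpoints:
#   tshark -T fields -e ip.src -e ip.dst -r dump.pcap
# 192.168.56.x is the lab network; 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737
# documentation ranges standing in for real remote hosts. The blank line stands for a
# non-IP frame (for example ARP), which tshark prints as empty fields.
TSHARK_OUTPUT = """\
192.168.56.101\t198.51.100.23
198.51.100.23\t192.168.56.101
192.168.56.101\t203.0.113.7

192.168.56.101\t203.0.113.7
192.168.56.101\t192.168.56.1
127.0.0.1\t127.0.0.1
192.168.56.101\t224.0.0.252
192.168.56.101\t255.255.255.255
"""

VICTIM_IP = ipaddress.ip_address("192.168.56.101")  # constructed address of the infected VM

# Ranges that can never be an external C2 or scan target and only add noise to an IoC list.
# Listed explicitly instead of using IPv4Address.is_private, which would also reject the
# RFC 5737 documentation ranges used as stand-ins in this sample.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]


def is_routable(ip: IPAddr) -> bool:
    """True for IPv4 addresses outside the local/special ranges above."""
    return ip.version == 4 and not any(ip in net for net in NON_ROUTABLE)


def extract_remote_ips(tshark_text: str, local_ip: IPAddr) -> List[str]:
    """Unique, sorted, routable IPv4 addresses other than the victim itself."""
    remote = set()
    for line in tshark_text.splitlines():
        for field in line.split("\t"):
            field = field.strip()
            if not field:
                continue                        # empty field: the frame had no IP layer
            try:
                ip = ipaddress.ip_address(field)
            except ValueError:
                continue                        # malformed field, e.g. "a,b" for IP-in-IP
            if ip == local_ip or not is_routable(ip):
                continue
            remote.add(ip)
    return [str(ip) for ip in sorted(remote)]


def to_ioc_lines(ips: List[str], source: str) -> List[str]:
    """One 'value<TAB>type<TAB>source' line per indicator, ready for a detection feed."""
    return [f"{ip}\tip-dst\t{source}" for ip in ips]


if __name__ == "__main__":
    for line in to_ioc_lines(extract_remote_ips(TSHARK_OUTPUT, VICTIM_IP), "wannacry-memory-pcap"):
        print(line)
```

Tag the source of each indicator (memory-carved pcap versus live capture) so that a later analyst can weigh it: addresses carved from memory may be stale, while the live capture is the one that also contained the kill-switch lookup.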
We can also dump any desired file for further analysis, and the hashes of these files can be used as indicators of compromise in detection engines. Interesting strings were found in the @WanaDecryptor@.exe binary, such as s.wnry, f.wnry and c.wnry, messages related to payment and how to use bitcoins, APIs related to encryption, and deletion of the victim's volume shadow copies. The strings below were found in the @WanaDecryptor@ binary; the files with the .wnry extension must be downloaded and checked to understand the characteristics of the binary.

It's always recommended to dump the memory address space of processes and check for suspicious entries in process memory rather than focusing solely on the binary itself. The Volatility memory-dump plugin was used to dump the address space of the @WanaDecryptor@ and tasksche.exe processes and check them for indicators. Looking at the strings of the tasksche.exe process (PID 1940), it was found that tasksche.exe started the @WanaDecryptor@ process with command line arguments. Further analysis of the strings revealed how the ransomware runs the @WanaDecryptor@ process using a script of operations, sets up a registry key for itself under the Run key as a persistence mechanism, and kills a few services such as databases, MS Exchange, etc.

Looking at the strings of the @WanaDecryptor@ (PID 740) process dump, it was found that the malware uses Tor hidden services for command and control. The list of .onion domains found is given at the top of this post.
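Both the static strings pass on the binary (kill-switch URL, dropped executables, mutex, 'WNcry@2ol7', .wnry files) and the strings pass over the dumped process memory (Run key, .onion domains) come down to the same job: extract printable strings and sort them into indicator classes. The block below is an added example, not code from the post or from the strings tool: it reimplements `strings -n 4` over a byte blob and classifies the hits with one pattern per indicator class the post ends up with. The byte blob is constructed; the indicator values in it echo the post's findings, the URL is a placeholder rather than the real kill-switch domain, and the pattern set is an assumption that should be extended for other families.

```python
import re
from typing import Dict, List

# Constructed byte blob standing in for a binary or a dumped process address space.
# The indicator values echo those the post found (tasksche/taskdl/taskse, the mutex,
# WNcry@2ol7, .wnry files, a .onion address, the Run key); the URL is a placeholder,
# not the real kill-switch domain, and the surrounding bytes are filler.
SAMPLE_IMAGE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    b"http://killswitch-placeholder.invalid/\x00"
    b"\x01\x02tasksche.exe\x00taskdl.exe\x00taskse.exe\x00"
    b"MsWinZonesCacheCounterMutexA\x00"
    b"WNcry@2ol7\x00"
    b"c.wnry\x00t.wnry\x00r.wnry\x00"
    b"gx7ekbenv2riucmf.onion\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\xde\xad\xbe\xef" * 4
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Equivalent of `strings -n 4`: runs of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


# Indicator classes the post arrives at, expressed as patterns over extracted strings.
# Assumption: this set is tuned to the post's findings and is not a general ruleset.
INDICATOR_PATTERNS = {
    "url":         re.compile(r"https?://[\w.\-/]+"),
    "onion":       re.compile(r"\b[a-z2-7]{16}\.onion\b"),      # v2 hidden-service names
    "wnry_file":   re.compile(r"\b\w+\.wnry\b"),
    "dropped_exe": re.compile(r"\b(?:tasksche|taskdl|taskse)\.exe\b", re.I),
    "mutex":       re.compile(r"\w*Mutex\w*"),
    "run_key":     re.compile(r"CurrentVersion\\Run(?:Once)?\b", re.I),
}


def classify_indicators(strings: List[str]) -> Dict[str, List[str]]:
    """Group matching substrings by indicator class; classes with no hits are omitted."""
    found: Dict[str, set] = {name: set() for name in INDICATOR_PATTERNS}
    for s in strings:
        for name, pat in INDICATOR_PATTERNS.items():
            for m in pat.finditer(s):
                found[name].add(m.group())
    return {name: sorted(vals) for name, vals in found.items() if vals}


def triage_image(data: bytes) -> Dict[str, List[str]]:
    """Strings pass followed by classification, for a file or a process memory dump."""
    return classify_indicators(extract_strings(data))


if __name__ == "__main__":
    for name, values in triage_image(SAMPLE_IMAGE).items():
        print(f"{name}: {', '.join(values)}")
```

Running the same classifier over the binary and over the process dump is what makes the comparison the post draws (the Run key and the .onion addresses appear only in process memory) visible at a glance; anything that shows up in the dump but not in the file on disk is a candidate for runtime-decrypted or downloaded configuration.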