Wanna Cry

Mar 04, 23

References

  • PMAT LABS
  • Wanna Cry

Challenge Questions

Record any observed symptoms of infection from initial detonation. What are the main symptoms of a WannaCry infection?

  • Main symptoms of a WannaCry infection: user files on disk are encrypted and renamed, the desktop wallpaper is replaced, and a ransom note window appears showing a countdown timer and a Bitcoin address to pay.

image


Use FLOSS and extract the strings from the main WannaCry binary. Are there any strings of interest?

image

image

image

  • First screenshot shows a hard-coded URL (the domain the sample tries to reach before doing anything else; see the killswitch section below).
  • Second screenshot shows the network share paths (UNC strings) that WannaCry connects to when it spreads over SMB.
  • Third screenshot shows a list of language identifiers: the ransom note is localized, and the message shown to the user is picked to match the infected system's language.
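The three screenshots above are sorted by eye; the script below does the same sort automatically over FLOSS-style output. It is an added example written for this writeup, not part of the PMAT lab or of the WannaCry sample: the input strings are constructed placeholders (the URL, share names and language tags are stand-ins, not the real indicators from the binary), and the category rules are ours. It also flags CryptoAPI names, which ties into the import table question further down.

```python
import re
from collections import defaultdict

# Constructed FLOSS-style output, one string per line. Placeholder values
# only; these are not strings copied from the WannaCry binary.
SAMPLE_FLOSS_OUTPUT = r"""
!This program cannot be run in DOS mode.
http://example.invalid/
\\%s\IPC$
\\192.0.2.10\ADMIN$
m_english
m_french
m_bulgarian
kernel32.dll
CryptGenKey
Windows Error Reporting
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# UNC path \\host\share; host may be a printf placeholder such as %s
UNC_RE = re.compile(r"^\\\\[^\\\s]+\\[^\\\s]+")
# Windows CryptoAPI entry points a ransomware sample typically imports
CRYPTO_API_RE = re.compile(
    r"^Crypt(AcquireContext|GenKey|GenRandom|Encrypt|Decrypt|ImportKey|"
    r"ExportKey|DestroyKey|ReleaseContext)[AW]?$"
)
# Language names to look for inside the localization tags (assumed list)
LANGUAGES = {
    "english", "french", "german", "bulgarian", "chinese", "spanish",
    "russian", "japanese", "korean", "italian", "portuguese", "turkish",
}


def classify(s):
    """Return a category name for one extracted string, or None."""
    if URL_RE.search(s):
        return "url"
    if UNC_RE.match(s):
        return "share"
    if CRYPTO_API_RE.match(s):
        return "crypto_api"
    words = re.findall(r"[a-z]+", s.lower())
    if any(w in LANGUAGES for w in words):
        return "language"
    return None


def triage(floss_output):
    """Bucket FLOSS output into {category: [strings]} for quick review."""
    buckets = defaultdict(list)
    for line in floss_output.splitlines():
        s = line.strip()
        if not s:
            continue
        cat = classify(s)
        if cat:
            buckets[cat].append(s)
    return dict(buckets)


if __name__ == "__main__":
    for cat, items in triage(SAMPLE_FLOSS_OUTPUT).items():
        print(f"[{cat}]")
        for item in items:
            print("   ", item)
```

Pipe real output in with `floss sample.exe | python triage.py` style plumbing; the unmatched strings are dropped on purpose so the interesting ones stand out.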

CAPA (MITRE ATT&CK framework)

image

  • CAPA identifies the capabilities found in the WannaCry binary and maps each one to the MITRE ATT&CK technique it corresponds to.

Inspect the import address table for the main WannaCry binary. Are there any notable API imports?

image

  • The Windows CryptoAPI imports (the Crypt* family from advapi32) stand out: these are the functions the sample uses to generate keys and encrypt the files on the infected workstation. Imports for opening URLs (wininet) and for service creation are also worth noting, since they correspond to the killswitch check and the persistence behaviour seen later.

What conditions are necessary to get this sample to detonate?

  • The condition is that the hard-coded URL must be unreachable. If WannaCry can successfully open that URL (which any working internet connection allows), it closes immediately and nothing is encrypted or spread.
  • This means INetSim cannot be used to fake the internet connection for this sample: INetSim answers every HTTP request, so the URL check succeeds and the killswitch fires. Detonate it with no network simulation at all, or with the domain deliberately unresolvable.

Network Indicators: Identify the network indicators of this malware

image

  • Connection attempts to a long list of IP addresses on TCP port 445 (SMB). This is the worm component scanning for further hosts to infect, both on the local subnet and on randomly generated internet addresses.

image
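The fan-out to many addresses on port 445 shown above is the most reliable network indicator for the worm, so it is worth turning into a detection. The following is an added example written for this writeup, not part of the PMAT lab or of any Zeek/Wireshark tooling: it parses constructed Zeek-style conn.log lines (tab-separated ts, source, destination, destination port, protocol; the addresses are made up) and flags any source that contacts many distinct hosts on TCP/445 inside a short window, separating local-subnet targets from remote ones the way WannaCry's scanner does.

```python
import ipaddress
from collections import defaultdict

# Constructed Zeek-style conn.log excerpt (fields: ts, id.orig_h,
# id.resp_h, id.resp_p, proto). 10.0.0.5 fans out on 445; 10.0.0.9 is a
# normal client talking to one file server. Addresses are made up.
SAMPLE_CONN_LOG = (
    "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\tproto\n"
    "1678000000.10\t10.0.0.5\t10.0.0.1\t53\tudp\n"
    "1678000000.20\t10.0.0.5\t10.0.0.12\t445\ttcp\n"
    "1678000000.25\t10.0.0.5\t10.0.0.13\t445\ttcp\n"
    "1678000000.31\t10.0.0.5\t10.0.0.14\t445\ttcp\n"
    "1678000000.38\t10.0.0.5\t10.0.0.15\t445\ttcp\n"
    "1678000000.44\t10.0.0.5\t10.0.0.16\t445\ttcp\n"
    "1678000000.50\t10.0.0.5\t203.0.113.7\t445\ttcp\n"
    "1678000001.00\t10.0.0.9\t10.0.0.20\t445\ttcp\n"
    "1678000001.10\t10.0.0.9\t10.0.0.20\t445\ttcp\n"
    "1678000002.00\t10.0.0.9\t198.51.100.4\t80\ttcp\n"
)


def parse_conn_log(text):
    """Parse tab-separated conn.log lines into (ts, src, dst, dport, proto)."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split("\t")
        rows.append((float(ts), src, dst, int(dport), proto))
    return rows


def detect_smb_scanners(rows, window=60.0, threshold=5):
    """Return {src: sorted list of 445 targets} for every source that
    reaches >= threshold distinct hosts on TCP/445 within `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in rows:
        if proto == "tcp" and dport == 445:
            by_src[src].append((ts, dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            # slide the left edge so events[left:right+1] fits the window
            while events[right][0] - events[left][0] > window:
                left += 1
            distinct = {d for _, d in events[left:right + 1]}
            if len(distinct) >= threshold:
                hits[src] = sorted({d for _, d in events})
                break
    return hits


def summarize(hits):
    """Split each scanner's targets into same-/24 (LAN) and remote hosts."""
    out = {}
    for src, targets in hits.items():
        lan = ipaddress.ip_network(f"{src}/24", strict=False)
        local = sum(1 for t in targets if ipaddress.ip_address(t) in lan)
        out[src] = {"targets": len(targets), "local": local,
                    "remote": len(targets) - local}
    return out


if __name__ == "__main__":
    hits = detect_smb_scanners(parse_conn_log(SAMPLE_CONN_LOG))
    for src, stats in summarize(hits).items():
        print(f"{src}: SMB scan, {stats}")
```

The threshold and window are deliberately loose; on a real network tune them against the normal 445 fan-out of backup servers and domain controllers, which will otherwise show up as false positives.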


Host-based Indicators: Identify the host-based indicators of this malware.

image

image

image


Use Cutter to locate the killswitch mechanism in the decompiled code and explain how it functions.

  • The killswitch is the URL check at the start of the program: it tries to open the hard-coded URL, and if a valid handle comes back it exits; if the request fails it carries on to the worm and ransomware code.
  • Used a debugger rather than the decompiler alone so the instructions can be changed while the program is actually running.
  • Find the URL string, then set a breakpoint on the code that uses it (image).
  • After the call, at the `test edx, edx` that checks the result, set ZF to 1 so the branch takes the "request failed" path and the sample detonates even though the URL was reachable.