wannacry DLL ops

a guest
May 13th, 2017
*** DLL operations ***

1] Checks to see if the task is already running by attempting to open a mutex with the name MsWinZonesCacheCounterMutexA.
If it already exists, the app exits.

2] Obtains the name of the current directory.

3] Reads 780 bytes of information from c.wnry, which it expects in the current directory. This has
bitcoin and TOR info.

4] Checks if running as LocalSystem. Sets a flag used later when running @wanadecryptor@.exe.

5] Resolves APIs from advapi32.dll:

CryptAcquireContextA
CryptImportKey
CryptDestroyKey
CryptEncrypt
CryptDecrypt
CryptGenKey

6] Resolves APIs from kernel32.dll:

CreateFileW
WriteFile
ReadFile
MoveFileW
MoveFileExW
DeleteFileW
CloseHandle

7] Initializes names of files:

00000000.res - C2 communications
00000000.pky - Public key used by the ransomware to encrypt the generated AES keys that are used to encrypt the user's files
00000000.eky - Encryption key for the t.wnry file, which stores the actual file encryption component used by the ransomware.
It is encrypted using the public key that belongs to a private key embedded inside the ransomware.

8] Creates a mutex with the name MsWinZonesCacheCounterMutexA and sets the security
ACL to allow EVERYONE full access.

9] Tries to open 00000000.dky. If available, imports the key into a Crypto API object.
Presumably this would be the decryption key from the authors of the ransomware.

10] If it cannot open the *.dky file, generates a new 2048-bit RSA key pair.
The public key is exported as a blob and saved to 00000000.pky.
The private key is exported as a blob and encrypted with the ransomware public key before being saved to 00000000.eky.

The RSA public key used to encrypt the user's RSA key pair is embedded inside the DLL.
unsigned char wc_key1[] =
{
0x06, 0x02, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00, 0x52, 0x53,
0x41, 0x31, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
0x75, 0x97, 0x4C, 0x3B, 0x84, 0x46, 0xDE, 0x2C, 0x2A, 0xF4,
0x95, 0xA8, 0x5D, 0xC0, 0xCD, 0x6D, 0xDA, 0xD7, 0xD4, 0x92,
0x1E, 0x13, 0x82, 0x34, 0x6A, 0x70, 0x8D, 0x8F, 0x7C, 0xF7,
0x04, 0x92, 0x55, 0x7F, 0xF1, 0xA2, 0x27, 0xB2, 0x9E, 0x41,
0xAC, 0x90, 0x80, 0x91, 0x18, 0x93, 0xC2, 0xB1, 0x7B, 0xAD,
0x2B, 0xF3, 0xFF, 0xAF, 0xDB, 0x2B, 0x51, 0xBE, 0x1D, 0xA3,
0x27, 0xE3, 0xA7, 0x57, 0x08, 0x5A, 0xBE, 0xC1, 0x1D, 0xF6,
0x04, 0xF8, 0x1C, 0xBE, 0x5B, 0xB1, 0x67, 0xFB, 0xE4, 0xC8,
0xDA, 0x75, 0x00, 0x70, 0xB1, 0x17, 0x70, 0x24, 0x6C, 0x09,
0x63, 0x74, 0xAC, 0x4B, 0x0A, 0x1D, 0x71, 0xAE, 0x7F, 0xAE,
0x65, 0xB8, 0xC5, 0x86, 0x79, 0xC5, 0x7E, 0x9F, 0x98, 0x60,
0x4C, 0x52, 0xB9, 0x29, 0x62, 0xCB, 0x23, 0x29, 0xED, 0x31,
0x91, 0x74, 0x7B, 0x7B, 0x0B, 0x26, 0x1B, 0xF2, 0x7D, 0x67,
0xBF, 0xDA, 0x7A, 0x40, 0xDA, 0xF2, 0x61, 0x4D, 0x94, 0xA5,
0x7D, 0xAD, 0x59, 0x6B, 0xAD, 0x9E, 0xA3, 0x3A, 0x39, 0xC6,
0x5B, 0x6E, 0x9F, 0xD2, 0xBB, 0x36, 0xB5, 0xF5, 0xD2, 0x65,
0xF5, 0x2C, 0x30, 0xD8, 0xC1, 0x17, 0xBD, 0xAF, 0x28, 0x00,
0x96, 0x20, 0x46, 0xA7, 0x2D, 0x62, 0x03, 0x0C, 0xD7, 0xD0,
0x75, 0xA0, 0x0B, 0x07, 0xEA, 0xD4, 0x1F, 0xCA, 0xE8, 0xD9,
0x4E, 0xDB, 0x38, 0xF2, 0x26, 0x75, 0xCB, 0x12, 0xA6, 0x88,
0x70, 0x9B, 0xE1, 0xEA, 0x32, 0xDC, 0xF8, 0x71, 0x72, 0x50,
0x41, 0xE6, 0x17, 0x81, 0x68, 0x27, 0x42, 0x8E, 0xDF, 0xE5,
0xDE, 0xA1, 0x72, 0xD9, 0x3B, 0xFB, 0xE5, 0x9D, 0x30, 0x11,
0x69, 0x92, 0xCD, 0x60, 0x2B, 0xE2, 0xD5, 0x46, 0x3C, 0x28,
0xCF, 0x9D, 0x30, 0x4A, 0xF7, 0xAD, 0xB9, 0xFB, 0x0F, 0x91,
0xFE, 0x2E, 0xBE, 0x18, 0xF1, 0xCE
};
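The wc_key1 array above is a Windows CryptoAPI PUBLICKEYBLOB: an 8-byte BLOBHEADER (bType 0x06, version 2, ALG_ID 0xA400 = CALG_RSA_KEYX), a 12-byte RSAPUBKEY ("RSA1" magic, bit length, public exponent) and the modulus stored little-endian. The script below is an added example, not part of the original paste, that parses the blob with only the Python standard library, checks its internal consistency, and converts it to PKCS#1 PEM so the key can be inspected with openssl. The bytes are copied from the paste; the field layout follows wincrypt.h. Since step 10 says the generated public key is exported as a blob, the same parser should read a 00000000.pky file, assuming it was exported in this PUBLICKEYBLOB format.

```python
import base64
import struct

# PUBLICKEYBLOB layout constants from wincrypt.h.
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = b"RSA1"          # DWORD 0x31415352 stored little-endian

# wc_key1 as listed in the paste (276 bytes: 8 + 12 + 256-byte modulus).
WC_KEY1 = bytes([
    0x06, 0x02, 0x00, 0x00, 0x00, 0xA4, 0x00, 0x00, 0x52, 0x53,
    0x41, 0x31, 0x00, 0x08, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
    0x75, 0x97, 0x4C, 0x3B, 0x84, 0x46, 0xDE, 0x2C, 0x2A, 0xF4,
    0x95, 0xA8, 0x5D, 0xC0, 0xCD, 0x6D, 0xDA, 0xD7, 0xD4, 0x92,
    0x1E, 0x13, 0x82, 0x34, 0x6A, 0x70, 0x8D, 0x8F, 0x7C, 0xF7,
    0x04, 0x92, 0x55, 0x7F, 0xF1, 0xA2, 0x27, 0xB2, 0x9E, 0x41,
    0xAC, 0x90, 0x80, 0x91, 0x18, 0x93, 0xC2, 0xB1, 0x7B, 0xAD,
    0x2B, 0xF3, 0xFF, 0xAF, 0xDB, 0x2B, 0x51, 0xBE, 0x1D, 0xA3,
    0x27, 0xE3, 0xA7, 0x57, 0x08, 0x5A, 0xBE, 0xC1, 0x1D, 0xF6,
    0x04, 0xF8, 0x1C, 0xBE, 0x5B, 0xB1, 0x67, 0xFB, 0xE4, 0xC8,
    0xDA, 0x75, 0x00, 0x70, 0xB1, 0x17, 0x70, 0x24, 0x6C, 0x09,
    0x63, 0x74, 0xAC, 0x4B, 0x0A, 0x1D, 0x71, 0xAE, 0x7F, 0xAE,
    0x65, 0xB8, 0xC5, 0x86, 0x79, 0xC5, 0x7E, 0x9F, 0x98, 0x60,
    0x4C, 0x52, 0xB9, 0x29, 0x62, 0xCB, 0x23, 0x29, 0xED, 0x31,
    0x91, 0x74, 0x7B, 0x7B, 0x0B, 0x26, 0x1B, 0xF2, 0x7D, 0x67,
    0xBF, 0xDA, 0x7A, 0x40, 0xDA, 0xF2, 0x61, 0x4D, 0x94, 0xA5,
    0x7D, 0xAD, 0x59, 0x6B, 0xAD, 0x9E, 0xA3, 0x3A, 0x39, 0xC6,
    0x5B, 0x6E, 0x9F, 0xD2, 0xBB, 0x36, 0xB5, 0xF5, 0xD2, 0x65,
    0xF5, 0x2C, 0x30, 0xD8, 0xC1, 0x17, 0xBD, 0xAF, 0x28, 0x00,
    0x96, 0x20, 0x46, 0xA7, 0x2D, 0x62, 0x03, 0x0C, 0xD7, 0xD0,
    0x75, 0xA0, 0x0B, 0x07, 0xEA, 0xD4, 0x1F, 0xCA, 0xE8, 0xD9,
    0x4E, 0xDB, 0x38, 0xF2, 0x26, 0x75, 0xCB, 0x12, 0xA6, 0x88,
    0x70, 0x9B, 0xE1, 0xEA, 0x32, 0xDC, 0xF8, 0x71, 0x72, 0x50,
    0x41, 0xE6, 0x17, 0x81, 0x68, 0x27, 0x42, 0x8E, 0xDF, 0xE5,
    0xDE, 0xA1, 0x72, 0xD9, 0x3B, 0xFB, 0xE5, 0x9D, 0x30, 0x11,
    0x69, 0x92, 0xCD, 0x60, 0x2B, 0xE2, 0xD5, 0x46, 0x3C, 0x28,
    0xCF, 0x9D, 0x30, 0x4A, 0xF7, 0xAD, 0xB9, 0xFB, 0x0F, 0x91,
    0xFE, 0x2E, 0xBE, 0x18, 0xF1, 0xCE,
])


def parse_publickeyblob(blob: bytes) -> dict:
    """Parse BLOBHEADER + RSAPUBKEY + modulus; raise ValueError on any
    inconsistency so a truncated or mislabelled key file is reported
    instead of silently misread."""
    if len(blob) < 20:
        raise ValueError("blob shorter than BLOBHEADER + RSAPUBKEY")
    # BLOBHEADER: BYTE bType, BYTE bVersion, WORD reserved, ALG_ID aiKeyAlg
    btype, bversion, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    if btype != PUBLICKEYBLOB:
        raise ValueError(f"not a PUBLICKEYBLOB (bType=0x{btype:02x})")
    if bversion != CUR_BLOB_VERSION:
        raise ValueError(f"unexpected blob version {bversion}")
    # RSAPUBKEY: DWORD magic, DWORD bitlen, DWORD pubexp
    magic, bitlen, pubexp = struct.unpack_from("<4sII", blob, 8)
    if magic != RSA1_MAGIC:
        raise ValueError(f"bad RSAPUBKEY magic {magic!r}")
    modulus_len = bitlen // 8
    if len(blob) != 20 + modulus_len:
        raise ValueError(f"expected {20 + modulus_len} bytes for a "
                         f"{bitlen}-bit key, got {len(blob)}")
    # CryptoAPI stores the modulus little-endian.
    modulus = int.from_bytes(blob[20:20 + modulus_len], "little")
    if modulus.bit_length() != bitlen:
        raise ValueError("modulus length does not match declared bit length")
    return {"alg_id": alg, "bits": bitlen, "e": pubexp, "n": modulus}


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:            # leading 0x00 keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def to_pkcs1_pem(key: dict) -> str:
    """Encode (n, e) as a PKCS#1 RSAPublicKey SEQUENCE in PEM armour."""
    body = _der_int(key["n"]) + _der_int(key["e"])
    der = b"\x30" + _der_len(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN RSA PUBLIC KEY-----\n" + "\n".join(lines)
            + "\n-----END RSA PUBLIC KEY-----\n")


if __name__ == "__main__":
    info = parse_publickeyblob(WC_KEY1)
    print(f"alg=0x{info['alg_id']:04X} bits={info['bits']} e={info['e']}")
    print(to_pkcs1_pem(info))
```

The PEM output can be fed to `openssl rsa -RSAPublicKey_in -in key.pem -text -noout` to view the modulus. The 00000000.eky and 00000000.dky files hold private-key material and use the PRIVATEKEYBLOB layout (extra prime and CRT fields after the modulus), so this parser rejects them rather than misreading them.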
The AES-128 key generated for each file is derived from CryptGenRandom, which
is cryptographically secure and is not known to have any weakness.

The AES keys are encrypted using the user's public key in *.pky.
In order to decrypt, we need the user's private key, which is
encrypted using a public key owned by the ransomware authors.

Presumably what the authors do is decrypt the user's private key in the *.eky file
using their private key and then send the user a *.dky file
to decrypt files.