
Malware Analysis - Wannacry
17 February 2021

I was working night shift in a datacenter on the Windows server team. My desk phone rings and it's a security analyst working for one of the datacenter's tenants, asking us to immediately apply patches to all their servers for the EternalBlue vulnerability because of the WannaCry outbreak. I explain that we already have arrangements in place and that we don't just hurl patches onto servers without vetting them first.

As the night goes on I start keeping tabs on the outbreak, reading news articles, looking at the non-stop flow of new information on social media. In particular, I saw lots of posts on Twitter from malware analysts, with lots of screenshots of debuggers, disassemblers, and other things that, at the time, I didn't really recognize. At this point in time I had barely even started Pentesting With Kali Linux, and such things were beyond me. But for some reason, on this night in particular, probably due to the sheer size of the outbreak, these Twitter posts piqued my curiosity more than normal. I was astounded by how these people could point out which bits of disassembled code did what. Those posts made me want to learn to reverse engineer malware.

Fast forward about three and a half years and I find myself enrolled in eLearnSecurity's "Malware Analysis Professional" course. I had shown some mild interest in the course a couple of months prior, but what finally pushed me to enroll was a tiny bit of information I learned from someone in the course: one of the labs walks you through analyzing WannaCry. Many, many people have discussed WannaCry's internal workings since the initial outbreak. My analysis will not uncover anything new, or reveal hidden secrets. But I enjoyed ripping this apart so much that I feel like I have to share anyway.

The first step I take in approaching any unknown, untrusted, or malicious program is to load it up into PeStudio, a static malware-analysis tool made by Winitor. From here I can derive some basic information about the executable, and form some early opinions on what the malware may be doing. From this first look at the malware, we get some preliminary details such as the hashes, the magic bytes, level of entropy, the compiler signature, and more. The description is a little weird: it's calling itself Microsoft Disk Defragmenter. Possibly a lazy attempt at avoiding raising suspicion.
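The "first look" triage above (hashes, magic bytes, entropy) is easy to reproduce without a GUI tool when you want the same facts in a notebook or a pipeline. The script below is an added example written for this post; it is not PeStudio's code and not the author's. It works on an in-memory buffer so it runs offline: the buffer is a constructed, minimal MZ/PE header followed by a high-entropy blob standing in for a packed or encrypted section. The 7.0 entropy threshold for "possibly packed" is a common rule of thumb, not a fixed standard, and the version-info description field that PeStudio shows is not parsed here.

```python
import hashlib
import math
from collections import Counter

# Rule-of-thumb threshold (assumption): whole-file Shannon entropy above this
# usually means compressed, encrypted or packed content.
HIGH_ENTROPY_THRESHOLD = 7.0


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the buffer, as hex strings."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def pe_magic(data: bytes) -> dict:
    """Check the 'MZ' DOS stub signature and follow e_lfanew to the 'PE\\0\\0' signature."""
    info = {"mz": data[:2] == b"MZ", "pe": False, "e_lfanew": None}
    if info["mz"] and len(data) >= 0x40:
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        info["e_lfanew"] = e_lfanew
        info["pe"] = data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return info


def first_look(data: bytes) -> dict:
    """Combine the static checks and attach short triage flags."""
    magic = pe_magic(data)
    entropy = shannon_entropy(data)
    flags = []
    if not (magic["mz"] and magic["pe"]):
        flags.append("not_pe")
    if entropy > HIGH_ENTROPY_THRESHOLD:
        flags.append("high_entropy")
    return {
        "size": len(data),
        "hashes": file_hashes(data),
        "magic": magic,
        "entropy": round(entropy, 3),
        "flags": flags,
    }


def build_sample() -> bytes:
    """Constructed test input: a bare MZ header pointing at a PE signature at 0x40,
    followed by 1 KiB of uniformly distributed bytes (stand-in for a packed section)."""
    header = bytearray(b"MZ" + b"\x00" * 0x3A)          # 0x3C bytes of DOS stub
    header += (0x40).to_bytes(4, "little")               # e_lfanew -> offset 0x40
    header += b"PE\x00\x00"                              # PE signature at 0x40
    packed_section = bytes(range(256)) * 4               # entropy exactly 8.0 on its own
    return bytes(header) + packed_section


if __name__ == "__main__":
    report = first_look(build_sample())
    for key, value in report.items():
        print(f"{key:>8}: {value}")
```

Run it as a script to print the report, or import `first_look` and hand it `open(path, "rb").read()` for a real sample. A high entropy value for the whole file is only a hint; the usual next step is per-section entropy from the section table, which separates a genuinely packed `.text` from a file that merely carries a large compressed resource.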
