Reversing WannaCry Part 1 - Finding the killswitch and unpacking the malware in

  • Published 15 Oct 2024
  • Part 2 is out! • Reversing WannaCry Par...
    In this first video of the "Reversing WannaCry" series we will look at the infamous killswitch and the installation and unpacking procedure of WannaCry.
    Twitter: / ghidraninja
    Links:
    Interview with MalwareTech: / s3-episode-11-wannacry...
    MalwareTech's blogpost about the killswitch: www.malwaretec...
    Further reading
    Wikipedia: en.wikipedia.o...
    LogRhythm Analysis: logrhythm.com/...
    Secureworks Analysis: www.securework...

COMMENTS • 847

  • @_a_x_s_
    @_a_x_s_ 5 years ago +1611

    Reverse engineering enhances the understanding of both programming thought and skills. This video is easy to follow, and the main techniques of reverse engineering are shown clearly, which makes me want to decompile a small interesting program to analyze it.

    • @wanderingpalace
      @wanderingpalace 4 years ago +14

      安笑生 yeah we can learn programming from reverse engineering stuff
      Hello, comrade

    • @r0x304
      @r0x304 3 years ago +3

      lol

    • @ADeeSHUPA
      @ADeeSHUPA 2 years ago

      @@wanderingpalace 安笑生

    • @gameacc6079
      @gameacc6079 1 year ago

      @@wanderingpalace i love xi jinping's huge cawk

    • @muth69
      @muth69 11 months ago

      @@wanderingpalace no you absolutely can't

  • @SouravTechLabs
    @SouravTechLabs 5 years ago +2111

    Looks like Ghidra is a very good renaming tool!

    • @vladysmaximov6156
      @vladysmaximov6156 4 years ago +16

      I prefer OllyDbg 2.01, or x64dbg for 64-bit. Ghidra makes the reversing process really easy, you can get source code... I prefer to analyze asm instructions one by one to fully understand the process, but this isn't the best strategy... one by one can take you a lot of time. I use the call stack window to locate the specific part I want to analyze!

    • @aasquared8191
      @aasquared8191 4 years ago +46

      @@vladysmaximov6156 keep us posted mate

    • @Luzum
      @Luzum 4 years ago +88

      @@vladysmaximov6156 weird flex but ok

    • @madghostek3026
      @madghostek3026 4 years ago +22

      @@vladysmaximov6156 I tried out ghidra and improved my performance like 10 times (mainly due to being shit in reading asm fast).

    • @jonarmani8654
      @jonarmani8654 4 years ago +10

      @@vladysmaximov6156 You absolute pleb. Version 1.10 or GTFO.

  • @lynx5327
    @lynx5327 5 years ago +3757

    I'm a vegetable that doesn't understand anything but this was an interesting video

    • @GamerTheTurtle
      @GamerTheTurtle 5 years ago +34

      @@ayylmaoglow
      takes one to know one! unless you're a reptilian

    • @ThisDaveAndThatJohn
      @ThisDaveAndThatJohn 5 years ago +55

      read the book Code by Charles Petzold. You will understand how the CPU and assembler work even if you are a total noob. After that you will automatically understand how programming languages work, reverse engineering too and so on.

    • @ThisDaveAndThatJohn
      @ThisDaveAndThatJohn 5 years ago +3

      @Rajath Pai trust me. Petzold is a guru

    • @zxxczczczcz
      @zxxczczczcz 5 years ago +2

      @@ThisDaveAndThatJohn code by charles petzold?

    • @HimanshuPal-li7nj
      @HimanshuPal-li7nj 4 years ago +4

      Ok BOOMER

  • @_nit
    @_nit 4 years ago +163

    Wow that was probably one of the best descriptive reverse engineering videos I've seen to date. Your method of explaining and showcasing each step in each function is fantastic and even explaining how to identify when disassemblers/decompilers mess up and how to fix them.
    Bravo. I'm upset that I waited this long to actually start watching these videos.

    • @vasilysu
      @vasilysu 3 months ago

      Fully agree, amazing video! Simple step by step explanation is excellent!

  • @tomasviane3844
    @tomasviane3844 5 years ago +16

    I didn't understand anything of what you did, but the casualness of explaining something so exotically complicated drew me in.

  • @l2ubio
    @l2ubio 4 years ago +347

    "Microsoft security center (2.0) sevice" LMAO

  • @dd12332
    @dd12332 5 years ago +1757

    You know too many things. You explain it too casually like it's food lmao.
    This guy be like:
    Ok, let me present you my house.

    • @lionkor98
      @lionkor98 5 years ago +19

      hijacking this to say WE NEED PART 2

    • @User-ko3un
      @User-ko3un 4 years ago +7

      Inserts his too powerful(smart) to be kept alive meme*

    • @acc373r4t0r
      @acc373r4t0r 4 years ago +2

      looks pretty standard to me

    • @NanoValorant
      @NanoValorant 4 years ago +18

      Plot twist: he is the hacker who made wanna cry

    • @brunph6174
      @brunph6174 4 years ago +2

      @marv b the first 20 minutes are really basic stuff. It's just general reversing and assigning names

  • @MrMasterRhythm
    @MrMasterRhythm 5 years ago +535

    Love this! Please create a series of Reverse Engineering Basics!

    • @oliviasmith4680
      @oliviasmith4680 5 years ago +2

      Yes

    • @MattZelda
      @MattZelda 5 years ago +15

      Just gotta learn GDB, Radare, OllyDBG for Windows, and assembly. And even then the assembly is the part that while takes the longest isn't too bad once you get used to it.

    • @MattZelda
      @MattZelda 5 years ago +5

      Oh and IDA / Binary Ninja are good too.

  • @TheDankTiel
    @TheDankTiel 5 years ago +150

    I understood everything except for the renaming parts. Meaning i did not understand a thing. Cool vid tho, you've earned a sub!

  • @andrasfogarasi5014
    @andrasfogarasi5014 5 years ago +181

    Reading the WannaCry warning, the creators were real lads, providing multiple languages, information about BitCoin and a contact method.
    They just sound incredibly kind.

    • @gabe6278
      @gabe6278 5 years ago +59

      tbh, i think they knew that they would affect millions of devices. humble people

    • @SteppingStonevlogs
      @SteppingStonevlogs 3 years ago +50

      Kind, maybe not, but they were reasonable. Do as we ask and we promise all will be well. And see we have written in clear language what we want you to understand. Give us the money and have a nice day 😊

    • @kahlzun
      @kahlzun 1 year ago +63

      professionals have *standards*

    • @hiddenaether
      @hiddenaether 1 year ago +55

      cant get money from someone who cant understand what they are reading

    • @ryannorthup3148
      @ryannorthup3148 1 year ago +1

      @@kahlzun Investigations show that this was most likely an attack by the North-Korean Government-Controlled Lazarus hacking group to fund nuclear programs and Fatass Jong Un's Sanction-Bypassing Goldschlager run. Eh, probably not Goldschlager. The fatass is probably going for something more expensive.

  • @_ahmedkira
    @_ahmedkira 5 years ago +117

    Ghidra ninja:The function is very simple
    Me:

  • @traida111
    @traida111 3 years ago +26

    The thing that blew my mind the most was the list of language translations you found in the passworded zip. Made me realize how much they really scaled this thing to take on the world. Absolute savage. Whoever did this was well organized. Do you ever wonder if they watched this video?

    • @hiddenaether
      @hiddenaether 1 year ago

      they make locale translators for batch translating, prob took them about 5 minutes to translate all locales. The least impressive part

    • @traida111
      @traida111 1 year ago +8

      @@hiddenaether then why hide it with such levels of encryption? it would be easy to just use english, but instead they have the ambition to take on the world.

  • @i-use-arch-btw3954
    @i-use-arch-btw3954 5 years ago +533

    WannaCry: exists
    Ghidra: im about to end this mans whole carrer

    • @xyphoes345
      @xyphoes345 5 years ago +8

      what the H E C C is a carrer

    • @glowingone1774
      @glowingone1774 5 years ago +1

      @@xyphoes345 it's a carrer

    • @xyphoes345
      @xyphoes345 5 years ago +3

      @@glowingone1774 isnt it meant to be a *career* tho

    • @glowingone1774
      @glowingone1774 5 years ago +4

      @@xyphoes345 no this is much different.

    • @quaintfalopa9724
      @quaintfalopa9724 5 years ago +1

      but wannacry isnt a man

  • @georgedomse
    @georgedomse 5 years ago +18

    Just wow. Impressive job! I hope you are employed by one of the major tech/AV companies.

  • @sebastienducasse934
    @sebastienducasse934 5 years ago +9

    Very interesting and complete video, first time I've watched a reverse engineering video and I love the way you investigate and explain what you do. It's the first video of your channel I've seen and I love it. Keep going!

  • @saadeddhaher1706
    @saadeddhaher1706 4 years ago +238

    everyone: try not downloading files from entrusted places!!!
    Ghidra: let's unpack the malware !

    • @naxzed_it
      @naxzed_it 4 years ago

      @starshipeleven He could use a VM.

    • @brunoeilhart8516
      @brunoeilhart8516 4 years ago +1

      What is an entrusted place?

    • @fatfr0g570
      @fatfr0g570 4 years ago +6

      starshipeleven presumably you download the sample from within the VM, then disable the Ethernet adapter that gives the VM Internet access to prevent worms from going through the connection.

    • @fatfr0g570
      @fatfr0g570 4 years ago

      starshipeleven forgot about that option, thanks for reminding me.

    • @yaelm631
      @yaelm631 4 years ago +1

      Just something that scares me:
      There are easily accessible websites to download loads of viruses to try antivirus and understand how they work?
      I hope they give the user several warnings before sending the file

  • @rubenco1253
    @rubenco1253 5 years ago +12

    I am currently doing my bachelor in Computer Science and didn't know this reverse engineering even existed!
    Very cool and very nicely explained. Showing the keyboard output is also a nice addition of you! Thanks :)

    • @elijahburnham7882
      @elijahburnham7882 4 years ago

      RubenCO what language is this in?

    • @Slenderman63323
      @Slenderman63323 1 year ago +3

      @@elijahburnham7882 The left side of Ghidra is x86 Assembly and the right side is C.

    • @hjrgf
      @hjrgf 8 months ago

      @@Slenderman63323 you need low level knowledge to be able to do stuff like this since the C code that is outputted is very low level

  • @BernhardMillauer
    @BernhardMillauer 5 years ago +26

    That was very insightful! I'm a software developer/architect for 17 years now and I must say that you have a very nice way to tell details and to guide your audience. thank you very much!
    for the follow up video I would like to see the "physical" impact of the malware, like show the registry-key or the installation folder to make it more understandable for non-developers.

    • @not_glad
      @not_glad 7 months ago

      I have a few questions. I've done VB coding for years, but more as a supplement to my other workloads, I'm not a full blown dev.
      First, what was so hard about spotting the kill switch? There must have been a lot of the best devs looking at this code globally for 4 days, and the guy who killed it even did that by accident.
      Secondly, and I'm not advocating for better viruses, but would a kill switch that the owner had exclusive control over not be possible? They went to great lengths coding this but left the kill switch free for anyone to use.

  • @ThoughtinFlight
    @ThoughtinFlight 5 years ago +38

    This was SUPER interesting and well made, please continue! You left us on a cliffhanger!

  • @Elffi
    @Elffi 5 years ago +167

    Ghidra: *does windows reverse engineering in iOS*
    Windows: "Am I a joke to you?"

    • @rohitas2050
      @rohitas2050 5 years ago +55

      macOS*

    • @Elffi
      @Elffi 5 years ago +6

      @@rohitas2050 woops

    • @Juppie902
      @Juppie902 4 years ago +1

      more like ReClass: Am I a joke to you?

    • @smwfreak1647
      @smwfreak1647 4 years ago

      @@Elffi LOL

  • @funnypallu
    @funnypallu 5 years ago +5

    I am just happy that there are people out there who understand stuff like this! 😅

  • @anuragC819
    @anuragC819 5 years ago +3

    YouTube algo has done it again. Could understand probably 1% of what was talked about, but it seemed very interesting. Subscribed!

  • @saeedmahmoodi7211
    @saeedmahmoodi7211 4 years ago +2

    first time i watched this about 2 years ago and i was a simple java programmer
    now i am a c/c++ programmer working at a hardware developing company and i just watched this again
    that was awesome, i finally understood what u were talking about, i am always checking YouTube for part 2, please upload it, i am tired :)

  • @THExBOSSxKSA
    @THExBOSSxKSA 5 years ago +3

    I'm so happy that YouTube recommended this video to me. Keep up the good work! Waiting for part 2..

    • @stacksmashing
      @stacksmashing  5 years ago +2

      Hopefully tomorrow :) life has been busy

  • @WindBringsMemories
    @WindBringsMemories 5 years ago +11

    Nice tutorials man! Maybe some basic reverse engineering videos in Ghidra would be great as well! Like explaining how the system works and what each action truly means :). But it's great :) Can't wait for the next one.

  • @weaver3636
    @weaver3636 5 years ago +7

    I honestly didn't understand a single thing but I still appreciate the video, so thanks for sharing this.
    I wonder who was behind the attack. It pisses me off there was nothing I could do to help when it happened to my relatives.

    • @fatfr0g570
      @fatfr0g570 4 years ago

      It might be finger pointing, but the US, UK, and Australia claimed that North Korea was behind the attack.

    • @hiddenaether
      @hiddenaether 1 year ago

      @@fatfr0g570 they formally asserted its origin as North Korea; the only 2 instruction pages not machine translated were English and Chinese. More interestingly, the developers' computers had Korean font families installed and build stamps indicated their timezone.

  • @bence0302bence
    @bence0302bence 5 years ago +11

    Abra, Kadabra, Alakazam,
    You now possess a new subscriber,
    Simsalabam.

  • @xoxo-sf1zg
    @xoxo-sf1zg 5 years ago +25

    First time YouTube recommended me something amazing. 😀

  • @blancomation554
    @blancomation554 5 years ago +39

    subbed, 22 minutes passed like a breeze

  • @freeweed4all
    @freeweed4all 5 years ago +285

    Using an open source reversing platform like Ghidra, everyone could potentially come closer to the reversing world. Oh what if I could be some years younger..

    • @Decentsito
      @Decentsito 5 years ago

      what do you mean years younger

    • @freeweed4all
      @freeweed4all 5 years ago +8

      @@Decentsito I'm too old to start studying in depth reversing, now.

    • @VictorNascimentoo
      @VictorNascimentoo 5 years ago +141

      No one is too old to learn.

    • @medvfx3370
      @medvfx3370 5 years ago +2

      @@freeweed4all how old are you?

    • @freeweed4all
      @freeweed4all 5 years ago +28

      @@UCnPE-cqd00o5SHPn0rHxphg thanks for the support. I made a choice some years ago, leaving netsec to start studying a totally different thing at university: knowing today how this sector is growing, maybe my choice wasn't the right one. Today, with these excellent resources, it is far easier to fill the gap with skilled reversing ppl: some years ago they appeared like part of a niche, like an out-of-reach status. This effect is an outcome of how much reversing job offers are growing (the US government's choice about Ghidra isn't random).

  • @PASTRAMIKick
    @PASTRAMIKick 5 years ago +5

    I used the GNU debugger to reverse engineer some stuff, but with more complex programs it gets harder; this seems to make things more agile and clear

    • @bancodrut
      @bancodrut 5 years ago +1

      Might be just Ghidra making it seem too easy 😃

  • @BGroothedde
    @BGroothedde 5 years ago +11

    Amazing video, very good to follow and it helped me a lot with some frustrating 'features' in Ghidra. I found I was using the disassembler window more than the decompilation window because of weird decompilation results - you helped me understand getting better decompilation results by adjusting Ghidra's interpretation of some code.
    Thanks!

    • @stacksmashing
      @stacksmashing  5 years ago +3

      That's awesome to hear, thank you! Feel free to let me know what else you have trouble with, maybe it's something I can feature in the future

    • @BGroothedde
      @BGroothedde 5 years ago

      @@stacksmashing I'll be sure to comment it when I find more stuff, but seeing you work already solves a lot of problems!

    • @manuellopes1269
      @manuellopes1269 5 years ago

      @@stacksmashing great tut, can you please explain, if possible, whether Chrome DevTools saves the changes I make offline? I want to change a PWA web worker app that works online and offline, but the changes I made are not saved when I restart the app. Is there any trick to save them? If I don't save, I only get the cache of the PWA app and it's not possible to open and edit, I think. Thanks

  • @sanderspeetjens
    @sanderspeetjens 5 years ago +10

    Looks good, want to see the following episode. Reverse engineering seems pretty fun.

  • @CorporateSeltzer
    @CorporateSeltzer 5 years ago

    I came across your channel shortly after downloading Ghidra. I appreciate how you clearly detail your train of thought in each video. I hope to see more!

  • @jed833
    @jed833 5 years ago +4

    Fantastic Video, I hope to see more both on wannacry and other things soon. As an embedded SW guy looking to get into RE this was great.

  • @wdai03
    @wdai03 5 years ago +4

    I thought it was a long time before the kill switch was actually discovered, but it seems here that you uncovered the url 5 mins into the video. Is it really that easy or is it much harder than it looks?

  • @xmesaj2
    @xmesaj2 5 years ago +2

    I don't really know what's going on because I'm a noob, but these videos are cool. This is the best and most practical approach I've seen, I think; loving it and subbed immediately. Good commentary, step by step. Waiting for more.

  • @recklessroges
    @recklessroges 5 years ago +3

    I am looking forward to the next video. (Should you encrypt the copy of Wannacry on your website using the AES key in your previous video? That would protect script kiddies from themselves and create a nice easter egg/crackme challenge?)

  • @bluenightsky
    @bluenightsky 4 years ago +2

    I have no idea what's going on here, but I'm straining to understand. Great video!

  • @xXWipeout4Xx
    @xXWipeout4Xx 5 years ago +9

    Interesting and good video. Reverse engineering and programming isn't really my thing and a lot of it is going over my head. But it's an interesting and informative video nonetheless. Waiting to see part 2!

  • @khatharrmalkavian3306
    @khatharrmalkavian3306 3 years ago +1

    I wouldn't mind doing that for a living. It seems like the sweet spot between meditative focus, puzzle solving, and education.

    • @Slenderman63323
      @Slenderman63323 1 year ago +1

      Trust me, it gets old fast.

    • @hiddenaether
      @hiddenaether 1 year ago

      @@Slenderman63323 Nahh, things are constantly changing, which keeps it interesting. Unless you don't know what you're doing or looking at, then yeah, I could see it getting "old fast"

  • @Frankie_Freedom
    @Frankie_Freedom 5 years ago +3

    Wow... as difficult as all this sounds, I'm a new security enthusiast, so I'm still learning. I was able to understand and somewhat follow what you were doing. kudos.

  • @bekircandal3528
    @bekircandal3528 5 years ago +38

    Subbed instantly. Can't wait for more episodes.

  • @muzammilbutt20
    @muzammilbutt20 5 years ago +2

    Would love to see a tutorial on TP-Link router firmware RE or firmware with similar architecture, reverse engineering and rebuild of the firmware. Love your videos so far.

  • @i3130002
    @i3130002 5 years ago +3

    Man, I used to debug exes using OllyDbg and you are taking it to another level 🤯

  • @tcocaine
    @tcocaine 5 years ago +27

    Really well done video. I think you should keep this series in this format. Personally I like the pacing of the video, and wouldn't want it slower, or faster.

  • @ThatGuyNL
    @ThatGuyNL 5 years ago +2

    This is super interesting, however there were some parts that I did not know what you were talking about - mainly the parts where you talk about the code itself, around 3 minutes. I have a focus on network and security, but my coding is very limited (python only, intermediate level). What do you recommend to learn/get familiar with for reverse engineering or to look at code and understand it?

    • @stacksmashing
      @stacksmashing  5 years ago +2

      Yea, so my recommendation is to get really familiar with C - especially pointer arithmetic etc. From there you have a good understanding of how memory etc. works and can go into assembler itself much more easily :)

    • @QuickishFM
      @QuickishFM 5 years ago

      A lot of Assembler can be attributed to C, especially the memory parts. Learn about C and then you will, at once, understand the memset functions and more

  • @fatihgul77
    @fatihgul77 5 years ago +2

    Thank you. Really enjoy and learn much from your videos.
    Is Ghidra the best for reverse engineering or do you advise another tool/program?

    • @stacksmashing
      @stacksmashing  5 years ago +4

      It's a great one for sure, but does not yet have a debugger (though supposedly it'll be released soon).
      There are lots of tools:
      - Radare2 (and Cutter as its UI) - opensource & free
      - Retdec decompiler - opensource & free
      - IDA Pro + Hex-Rays decompiler (Expensive, a free version is available of IDA though) - de-facto industry standard
      etc :)
      I am very impressed with Ghidra for non x86/x64 stuff, so I like it so far! But as you can see in this video, the decompiler really isn't the best for x86/Windows

  • @SullySadface
    @SullySadface 3 years ago

    I don't know shit about coding, but you've explained this in a very human-readable way and i appreciate that.

  • @dawnv3436
    @dawnv3436 5 years ago

    Ghidra looks like an EXCELLENT tool to manage an RE session. Top notch.

  • @amandamate9117
    @amandamate9117 5 years ago +58

    what kind of machine is this youtuber? jesas fck this fast and accurate analysis makes my head xplode

    • @stacksmashing
      @stacksmashing  5 years ago +4

      Reported and removed, there is no room for stuff like this on here :)

    • @urugulu1656
      @urugulu1656 5 years ago +2

      @@stacksmashing and also not for the answer of that other random guy calling the guy in the already deleted comment a waste of oxygen. Not all people are capable of following this type of content, not even developers that have already been programming for a very long time. I guess in this case calling you a "machine" is somewhat of a compliment, although a rather dubious one.

    • @chriswright1389
      @chriswright1389 5 years ago +4

      @@urugulu1656 Did you see the comment that I was replying to. It had nothing to do with the video and was just an unprovoked attack on someone minding their own business.

    • @msinfo32
      @msinfo32 5 years ago +1

      @@stacksmashing what

    • @MsAsssde
      @MsAsssde 5 years ago

      you would NEVER make a good REV eng... your observation skills are poor...
      1. Tool bar top (NOT windows), OSX or linux
      2. Apple logo top left
      3. APPLE finder logo left tool bar top

  • @snowcold903
    @snowcold903 5 years ago +3

    This is very interesting! Can't wait for part 2. I have discovered this malware before, but fortunately it was on a computer with no important stuff on it. One question, are you really using Mac OS X or is this Linux with a Mac OS X skin??

    • @drozcan
      @drozcan 5 years ago

      Nope this is macOS

    • @muff1n1634
      @muff1n1634 5 years ago

      it's macOS 2: electric boogaloo (system-wide dark theme included)
      get your copy today and save 50% off the normal cost!

  • @PirateTHESteam1
    @PirateTHESteam1 5 years ago +15

    So the killswitch URL in question was stored in plaintext in the program?
    Why wasn't it encrypted?

    • @Trimint123
      @Trimint123 5 years ago +1

      Because not many people are experts at coding.

    • @undefinedchannel9916
      @undefinedchannel9916 5 years ago +1

      @@Trimint123 but the creator of wannacry is dipshit

  • @techguy921
    @techguy921 3 years ago +1

    Why is the virus exe in plain code? No Themida or VMProtect?

  • @seanpbennettable
    @seanpbennettable 4 years ago +1

    Hi Ghidra Ninja,
    Do you run Ghidra through a VM or directly from your main machine?

    • @stacksmashing
      @stacksmashing  4 years ago

      Both - untrusted binaries only in VMs; if I reverse, for example, self-compiled binaries then I run it natively.

    • @seanpbennettable
      @seanpbennettable 4 years ago

      @@stacksmashing thank you.

  • @NicoTheCinderace
    @NicoTheCinderace 5 years ago +51

    "This is part 1"
    *months later*

  • @aibh7903
    @aibh7903 5 years ago +1

    I’m trying to learn Ghidra and reverse engineering in general, and this and your other videos are so helpful.

  • @night2night3
    @night2night3 5 years ago +6

    The video is excellent, I understood most of it with some rudimentary background in programming. I would suggest that after you finish uploading all the videos running through the code, that you upload a 5-10 minute video with just a recap of what you learned and maybe a description of the overall workflow and your thoughts. I think that one would be a lot better for the rest of the 95% of watchers.

  • @better-break-bad-edits
    @better-break-bad-edits 3 years ago +1

    Parents: Install obvious virus that slows down the computer.
    Parents: It must be that Steam thing.

  • @sent4dc
    @sent4dc 5 years ago +3

    hey, thanks dude! Probably speeding up the video was a good idea. I wish I could speed up Ghidra itself in a live session. I tried to open Microsoft's comctl32.dll in it and it took forever, and made it very sluggish afterwards.
    Quick question -- how do you load symbols from the Microsoft server into it? (Like we used to do with windbg.)

  • @eggplantunleashed4740
    @eggplantunleashed4740 5 years ago +1

    @Ghidra Ninja. I'm currently studying x86_64 ASM, and I have started basic RE of GNU/Linux apps.
    I have both the source codes for WannaCry V1 & V2. I can't quite remember where I got them from, but I don't know if they're still out there. I keep them on an external HDD for future ref.
    Awesome video man. Liked & Subbed.

  • @ado4224
    @ado4224 4 years ago +1

    How much time does it take to get to such a level? As a total noob in programming it's like watching magic

  • @mihail-cristianmunteanu5125
    @mihail-cristianmunteanu5125 5 years ago +1

    What's happening with the channel? I've been waiting for one month to learn, yet no part 2

  • @kinershah464
    @kinershah464 1 year ago +1

    Very good video. Thanks for this video. That flowchart was helpful too. I have never seen reverse engineering in practice, this was very interesting. Very similar to debugging programs, only here we don't have symbol information and have to create our own symbols, but it seems this Ghidra tool makes things a lot more convenient.
    Whoever wrote this malware must have very good knowledge of Windows API, maybe even about Windows kernel.

  • @osamazaid25
    @osamazaid25 5 years ago +10

    Wow this is very impressive! Great job & keep going :)

  • @Kaplan0644
    @Kaplan0644 5 years ago +6

    Very nice video, thank you. I would definitely want to see more malware analysis with ghidra videos. :)

  • @Pyritenite
    @Pyritenite 5 years ago +6

    Well, I don't really understand it well but I'm here to understand it better, thanks for the video!
    Edit: i actually managed to understand a part of it

  • @ImXyper
    @ImXyper 4 years ago +35

    imagine doing this and accidentally running wannacry. i would actually scream

    • @watema3381
      @watema3381 3 years ago +15

      **laughs in multiple VMs running in Arch Linux**
      i use arch btw

    • @bigbythebigbadwolf8612
      @bigbythebigbadwolf8612 3 years ago +8

      @@watema3381 no one cares

    • @watema3381
      @watema3381 3 years ago +7

      @@bigbythebigbadwolf8612 apparently you do cause you replied!
      also (in case you haven't noticed), it's an inside joke

    • @bigbythebigbadwolf8612
      @bigbythebigbadwolf8612 3 years ago +12

      @@watema3381 still no one cares

    • @bigbythebigbadwolf8612
      @bigbythebigbadwolf8612 3 years ago +1

      @@medo7dody ur prob crying behind ur screen: i dont care either but i gotta be an edgy loser so i can prove this guy wrong

  • @awabomer
    @awabomer 5 years ago +3

    So fast and accurate like a real ninja 😂, nice video, I didn't have to use speed 2 like I usually do 😂

  • @testplmnb
    @testplmnb 5 years ago +33

    i wonder if wannacry author watched it :D

    • @jayzah
      @jayzah 4 years ago +1

      Nsa? Of course

    • @Falaxuper
      @Falaxuper 3 years ago +1

      @@jayzah It was made by North Korean cybercrime organization codenamed 'Lazarus'

    • @lowrhyan567
      @lowrhyan567 3 years ago

      It probably has more than 1 author

  • @sodicious
    @sodicious 1 year ago +3

    i don't know what you are saying but i think this is very great

  • @DD-cf2iv
    @DD-cf2iv 1 year ago

    I know I'm late, but did you use a virtual Machine to analyze the virus?

  • @Yumikitsu
    @Yumikitsu 5 years ago +1

    I didn't understand anything, but I would have loved to cause it seems like a very useful skill to have and props to you for being so good at it!

  • @albertalbert1112
    @albertalbert1112 1 year ago

    Hi! Any chance you could provide the MD5 of the sample or re-upload? The link is not working any longer. Thank you!

  • @TheConSept
    @TheConSept 5 years ago

    I do not know anything about coding, but what I gather is this malware has a means of creation on top of creation with a fail safe. But as far as this video goes it only touched on the randomly generated password that it must create and store, then send, and delete. Which is why some people say you can capture the password to unlock and decrypt everything in memory if you know where to look.

  • @noormuhammadmalik6191
    @noormuhammadmalik6191 5 years ago

    Can you please provide part 2 as well? I was following along the tutorial very well, and can't seem to find second part of this. Thank you!

  • @segdesc
    @segdesc 8 months ago

    One thing that is not clear to me is which process happens first, and which one is responsible for the kill switch verification? Is it mssecsvc.exe that does it, or is it tasksche.exe? Different reports from different analyses say different things.

  • @chrisrider963
    @chrisrider963 5 years ago +2

    Great video! Thank you! When will part 2 be released?

  • @yegnasivasai
    @yegnasivasai 5 years ago +1

    I didn't understand a single bit of information u said but I watched the full video.. and subscribed.. Thanks for making this video

  • @m0rtale195
    @m0rtale195 3 years ago +1

    I know it has been a year now, but the reason Ghidra was unable to parse InternetOpenA, HINTERNET etc. as correct structs is because it tried to look up the import DLL on your Mac, Wininet.dll, and its corresponding PDB, but it was unable to find either of them because you are on a Mac. If you were on Windows, Ghidra would be able to parse them perfectly. How it was able to identify the function name is beyond me lol.

  • @mynameisIE123
    @mynameisIE123 7 months ago

    How do you see that the block of code at 10:12 appends /i to the tasksche path?

  • @tylerdurden7170
    @tylerdurden7170 5 years ago +1

    Great vid!! So what was happening with the memset? Why are they all in while loops? And how did you figure out that they are memset?

    • @GrayOlson
      @GrayOlson 5 years ago +1

      They were inlined and optimized by the compiler into that form, and the Ghidra decompiler didn't recognize the inlined/optimized form as being equivalent to the original function.
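
The inlined-memset pattern discussed in the exchange above, as an added example that is not part of the video or of any comment in this thread: when a compiler such as MSVC knows the fill length at compile time, it commonly expands memset(dst, 0, n) into a "rep stosd" (fill dwords) followed by a "rep stosb" (fill the remaining 0..3 bytes) instead of emitting a call, and a decompiler presents those two string instructions as two while loops. The code below reproduces that loop shape in C and checks it byte-for-byte against the library memset, so you can see why the loops are equivalent. All function and buffer names here are my own and are not recovered from the sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Loop shape a decompiler typically emits when memset(dst, 0, n) was
 * inlined as "rep stosd" followed by "rep stosb": a dword-fill loop,
 * then a byte-fill loop for the remaining 0..3 bytes.  This is an
 * added illustration of the pattern, not code recovered from WannaCry.
 */
static void zero_like_inlined_memset(void *dst, size_t n)
{
    uint32_t *d32 = (uint32_t *)dst;     /* caller guarantees 4-byte alignment */
    size_t dwords = n / 4;               /* what ecx holds before rep stosd */
    while (dwords--)
        *d32++ = 0;

    uint8_t *d8 = (uint8_t *)d32;        /* continue from the first unfilled byte */
    size_t tail = n % 4;                 /* what ecx holds before rep stosb */
    while (tail--)
        *d8++ = 0;
}

/*
 * Fill two 4-byte-aligned 64-byte buffers with a marker, clear the first n
 * bytes of one with the loop form and of the other with the library memset,
 * and report whether the two buffers end up identical (which also checks
 * that the loop form did not touch bytes past n).
 * Returns 1 on match, 0 on mismatch or if n exceeds the buffer size.
 */
int loop_form_matches_memset(size_t n)
{
    uint32_t a32[16], b32[16];           /* 64 bytes each, dword aligned */
    unsigned char *a = (unsigned char *)a32;
    unsigned char *b = (unsigned char *)b32;

    if (n > sizeof a32)
        return 0;                        /* out of range for this harness */

    memset(a, 0xAA, sizeof a32);         /* marker so untouched bytes are visible */
    memset(b, 0xAA, sizeof b32);

    zero_like_inlined_memset(a, n);
    memset(b, 0, n);

    return memcmp(a, b, sizeof a32) == 0;
}
```

When you meet this shape in a decompiler, the tell-tale signs are a dword-sized loop whose count is the fill length divided by four, immediately followed by a byte-sized loop whose count is the remainder, both writing the same constant through an advancing pointer.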

  • @hydrochloricacid2146
    @hydrochloricacid2146 3 years ago +1

    I have no experience in malware reverse engineering, and my own programming experience is limited, so perhaps someone could answer this question for me:
    After watching the interview about the killswitch, seeing the code and seeing how fairly visible the URL is, why was WNCRY such an issue? It seems anyone with a tiny bit of experience in reverse engineering could have found the killswitch with a bit of luck and/or quick thinking.

    • @lukefrance9558
      @lukefrance9558 3 years ago +1

      Maybe it's like a puzzle, where once you know the answer, a puzzle that could have taken a long time to solve now takes less than a second to solve. The solution makes it look easy.

  • @Null42x86
    @Null42x86 3 years ago

    Good, so this means that we can decrypt the files, right?

  • @WhyClarified
    @WhyClarified 5 years ago +1

    Where is part 2?

  • @celdaemon
    @celdaemon 3 years ago

    I have one question: do you know a good way to get into C and asm? I really want to learn both of them. I understand the syntax of C, but I can't really find anything that covers everything beyond that.

  • @Technyk
    @Technyk 5 years ago +1

    What key logger program do you use? (I mean the thing that shows the keys you pressed.)

    • @stacksmashing
      @stacksmashing  5 years ago

      KeyCastr!

    • @Technyk
      @Technyk 5 years ago

      @@stacksmashing Thanks, I will use it in my next videos ;)

  • @Zayetzo
    @Zayetzo 1 year ago

    Reminds me of when I reverse engineered a program that communicated with certain peripherals to try to understand how that obscure peripheral worked. There was no information online except for the program itself at hand.

  • @TheChemicalWorkshop
    @TheChemicalWorkshop 4 years ago +1

    Debugging and decompiling are so fucking hard; it's like backwards coding...
    Great job!

  • @drakibble2199
    @drakibble2199 5 years ago +1

    Hey, I love watching reverse engineering videos! Thank you for this one. I'm glad that the YouTube recommendation bots have blessed you.

  • @Yz0x
    @Yz0x 4 years ago +2

    Your skills are unbelievable. Good job 👏🏼

  • @rogue3145
    @rogue3145 1 year ago

    Wait, did I hear you right? The URL in the entry function was a kill switch? The entire malware could have been defeated by disabling that URL?

    • @semprenoimod1713
      @semprenoimod1713 9 months ago

      Not "could have", that's literally how they did it. A researcher found out a few days after the malware started infecting systems, so he bought the domain and, with the help of Google, hosted a server at that URL.

  • @CrovaxHD
    @CrovaxHD 4 years ago

    I'm as ignorant as a goat about this, but I find this voice quite relaxing and soothing.

  • @Nightsd01
    @Nightsd01 11 months ago +1

    Imagine how difficult this would have been if they had obfuscated their binary, adding thousands of false paths that don't actually lead anywhere.

  • @eyalelbaz4938
    @eyalelbaz4938 1 year ago

    Wow! How do you know all of this?
    Where to start (after learning C)?

  • @lilrich1243
    @lilrich1243 4 years ago +1

    Thanks to the SoloLearn C++ and Python courses, I understand the basic functions. I just need to finish the modules for both and I'll be able to understand this a lot better.

  • @fl1ppydesu
    @fl1ppydesu 5 years ago +1

    Are you going to do some more crackmes?
    I managed to solve a couple, but on some I am just purely stuck: after finding which IF statement is the key to cracking it, I can't get what I need to find the password.

    • @stacksmashing
      @stacksmashing  5 years ago

      Do you have some examples of crackmes that you are having issues with? Maybe I can do a video on them in the future.

    • @fl1ppydesu
      @fl1ppydesu 5 years ago

      5c83501333c5d4776a837df7, 5c9ce65c33c5d4419da5562d: these are the crackmes I got stuck on. I managed to get Ghidra to clear up the code, and when I find that IF statement or something else that points to the password, I just don't know what to do next to actually get the password.

  • @kripposoft
    @kripposoft 5 years ago +1

    This was super interesting. Please continue with this series.

  • @Defyyyy1
    @Defyyyy1 5 years ago +3

    Keep up the amazing work you do with your videos!

  • @solozonemtb3681
    @solozonemtb3681 3 years ago

    That URL is actually the domain that Marcus Hutchins registered to stop WannaCry from spreading. Each time the ransomware worm spreads over a network, the virus pings that address. If the address is pinged and online, it will no longer spread.