Posts

Showing posts from May, 2017

DoublePulsar Backdoor

This post explains the DoublePulsar backdoor and how the WannaCry ransomware uses it to spread itself.

EternalBlue installing the DoublePulsar backdoor

EternalBlue exploits a vulnerability in the SMB protocol and executes shellcode. (Offset of the shellcode in the EternalBlue binary from the Shadow Brokers dump.) The shellcode locates srv.sys (the SMB driver) and replaces the address of srv!SrvTransactionNotImplemented in srv!SrvTransaction2DispatchTable with the address of its own function. (Offset of the function code in the EternalBlue binary that replaces the srv!SrvTransactionNotImplemented address in srv!SrvTransaction2DispatchTable.) Before overwriting the srv!SrvTransactionNotImplemented entry in srv!SrvTransaction2DispatchTable with its own function address, the shellcode allocates memory with the ExAllocatePool API and writes the function bytes into it. Because the replacement lives in pool memory rather than in the srv.sys image, a dispatch-table entry that points outside the driver's image range is the tell for this hook. The function code is stored at offset 0x48 from the memory address re
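The hook described above, modelled in user mode as an added example (this is not the post's code and not EternalBlue or DoublePulsar code): a dispatch table of handler addresses stands in for srv!SrvTransaction2DispatchTable, a malloc'd block stands in for the ExAllocatePool allocation with the function bytes at +0x48, and a range check flags every table entry that no longer points inside the driver image. The slot count, handler names, and the choice to repoint every slot holding SrvTransactionNotImplemented are modelling assumptions; the image bounds are derived from the model handlers' addresses where a real check would take them from the loaded-module list.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-mode model of srv!SrvTransaction2DispatchTable. The real table is an
 * array of handler pointers indexed by Trans2 subcommand; the slot count and
 * handler names below are illustrative assumptions, not srv.sys internals.
 * The table stores plain addresses so the hooked entry is never called. */
#define TRANS2_SLOTS     18
#define HOOK_CODE_OFFSET 0x48   /* from the post: function bytes sit at +0x48 in the pool block */

typedef int (*trans2_handler_t)(const uint8_t *req, size_t len);

/* Stand-ins for handlers that live inside the driver image. */
static int SrvTransactionNotImplemented(const uint8_t *req, size_t len)
{
    (void)req; (void)len;
    return -1;                                  /* stand-in for STATUS_NOT_IMPLEMENTED */
}
static int SrvOpen2(const uint8_t *req, size_t len)              { (void)req; (void)len; return 0; }
static int SrvFindFirst2(const uint8_t *req, size_t len)         { (void)req; (void)len; return 0; }
static int SrvQueryFsInformation(const uint8_t *req, size_t len) { (void)req; (void)len; return 0; }

/* [base, end) of the "srv.sys image". A real check takes the driver base and
 * size from the loaded-module list; here the range is derived from the
 * addresses of the model handlers (an assumption of this model). */
struct image_range { uintptr_t base, end; };

static struct image_range model_image_range(void)
{
    trans2_handler_t fns[] = { SrvTransactionNotImplemented, SrvOpen2,
                               SrvFindFirst2, SrvQueryFsInformation };
    struct image_range r = { (uintptr_t)fns[0], (uintptr_t)fns[0] };
    for (size_t i = 1; i < sizeof fns / sizeof fns[0]; i++) {
        uintptr_t a = (uintptr_t)fns[i];
        if (a < r.base) r.base = a;
        if (a > r.end)  r.end  = a;
    }
    r.end += 0x100;   /* cover the body of whichever handler comes last */
    return r;
}

/* Build the table the way the driver would: a few implemented subcommands,
 * every other slot pointing at SrvTransactionNotImplemented. */
static void init_dispatch_table(uintptr_t table[TRANS2_SLOTS])
{
    for (int i = 0; i < TRANS2_SLOTS; i++)
        table[i] = (uintptr_t)SrvTransactionNotImplemented;
    table[0] = (uintptr_t)SrvOpen2;
    table[1] = (uintptr_t)SrvFindFirst2;
    table[3] = (uintptr_t)SrvQueryFsInformation;
}

/* What the shellcode does, in user-mode terms: allocate a block (ExAllocatePool
 * in the kernel, malloc here), write the function bytes at +0x48, and repoint
 * the slot(s) holding SrvTransactionNotImplemented at that address. The bytes
 * are opaque filler and are never executed. Repointing every such slot is a
 * modelling choice; the post does not say how many slots hold that address.
 * Returns the block so the caller can free it. */
static uint8_t *install_doublepulsar_hook(uintptr_t table[TRANS2_SLOTS])
{
    uint8_t *pool = calloc(1, 0x1000);
    if (!pool) return NULL;
    memset(pool + HOOK_CODE_OFFSET, 0xCC, 0x200);      /* placeholder, not shellcode */
    for (int i = 0; i < TRANS2_SLOTS; i++)
        if (table[i] == (uintptr_t)SrvTransactionNotImplemented)
            table[i] = (uintptr_t)(pool + HOOK_CODE_OFFSET);
    return pool;
}

/* The check a defender runs over a dumped table: every entry must point inside
 * the driver image. Returns how many entries do not, and reports the first
 * offending index through first_bad (-1 if none). */
static int count_hooked_slots(const uintptr_t table[TRANS2_SLOTS],
                              struct image_range img, int *first_bad)
{
    int bad = 0;
    if (first_bad) *first_bad = -1;
    for (int i = 0; i < TRANS2_SLOTS; i++) {
        if (table[i] < img.base || table[i] >= img.end) {
            if (bad == 0 && first_bad) *first_bad = i;
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    uintptr_t table[TRANS2_SLOTS];
    struct image_range img = model_image_range();
    int first;

    init_dispatch_table(table);
    printf("clean table:  %d slots outside image\n", count_hooked_slots(table, img, &first));

    uint8_t *pool = install_doublepulsar_hook(table);
    if (pool) {
        int n = count_hooked_slots(table, img, &first);
        printf("hooked table: %d slots outside image, first at index %d -> %#lx (pool block +%#x)\n",
               n, first, (unsigned long)table[first], HOOK_CODE_OFFSET);
        free(pool);
    }
    return 0;
}
```

The same range test works on a real system against a memory dump or a kernel debugger session: resolve the table symbol, read each pointer, and compare it with the driver's image bounds; an entry in pool memory fails that test regardless of what bytes the hook contains.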

WannaCry Encryption Flow

Encryption Flow

Generating the RSA key pair: the sample generates an RSA public/private key pair and exports both to disk. The public RSA key is written to the file 00000000.pky; the private RSA key is encrypted with another RSA public key embedded in the malware binary and written to the file 00000000.eky. (Embedded public RSA key in the sample, used to encrypt the generated private RSA key.) Since only the holder of the private half of that embedded key can unwrap 00000000.eky, the victim's private key is unrecoverable from the infected machine alone.

File enumeration: files in a directory are enumerated with the Windows APIs FindFirstFile and FindNextFile. Before encrypting a file, the malware checks it against its lists of directories to exclude, file extensions to exclude, and files it dropped itself. File types to encrypt: the file types to be encrypted are present as a hard-coded list in the malware binary.
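The per-file decision described above, as an added example (not the post's code and not WannaCry's): a classifier that applies the exclusion lists first and the hard-coded target-extension list last, with case-insensitive matching because NTFS names are case-insensitive. The post shows the real lists only as images, so the directory, extension, and target lists here are constructed sample entries; the two dropped-file names are the ones the post gives. The RSA key handling is not modelled.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum verdict { ENCRYPT, SKIP_DIR, SKIP_EXT, SKIP_DROPPED, SKIP_NOT_TARGET };

/* Constructed sample lists. The post shows the real tables only as images,
 * so these entries are illustrative assumptions, except the two dropped
 * key files, which the post names. */
static const char *const EXCLUDED_DIRS[] = {
    "\\Windows\\", "\\Program Files\\", "\\$Recycle.Bin\\"
};
static const char *const EXCLUDED_EXTS[] = { ".exe", ".dll", ".sys", ".lnk" };
static const char *const DROPPED_FILES[] = { "00000000.pky", "00000000.eky" };
static const char *const TARGET_EXTS[]   = {
    ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pdf", ".jpg", ".zip"
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

/* NTFS names are case-insensitive, so every comparison folds case; a filter
 * that compares raw bytes misses "REPORT.DOCX" or a "WINDOWS" directory. */
static int ci_equal_n(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

static int ci_equal(const char *a, const char *b)
{
    size_t la = strlen(a);
    return la == strlen(b) && ci_equal_n(a, b, la);
}

static int ci_ends_with(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lx = strlen(suffix);
    return ls >= lx && ci_equal_n(s + ls - lx, suffix, lx);
}

static int ci_contains(const char *s, const char *needle)
{
    size_t ls = strlen(s), ln = strlen(needle);
    for (size_t i = 0; i + ln <= ls; i++)
        if (ci_equal_n(s + i, needle, ln))
            return 1;
    return 0;
}

/* Final path component; accepts both separators since enumeration output
 * may have been normalised either way. */
static const char *file_name(const char *path)
{
    const char *bs = strrchr(path, '\\');
    const char *fs = strrchr(path, '/');
    const char *last = bs;
    if (fs && (!last || fs > last)) last = fs;
    return last ? last + 1 : path;
}

/* Decision taken per enumerated file, in the order the post describes:
 * exclusion lists first, then the hard-coded target-extension list. */
enum verdict classify_path(const char *path)
{
    const char *name = file_name(path);
    size_t i;

    for (i = 0; i < COUNT(EXCLUDED_DIRS); i++)
        if (ci_contains(path, EXCLUDED_DIRS[i])) return SKIP_DIR;
    for (i = 0; i < COUNT(DROPPED_FILES); i++)
        if (ci_equal(name, DROPPED_FILES[i])) return SKIP_DROPPED;
    for (i = 0; i < COUNT(EXCLUDED_EXTS); i++)
        if (ci_ends_with(name, EXCLUDED_EXTS[i])) return SKIP_EXT;
    for (i = 0; i < COUNT(TARGET_EXTS); i++)
        if (ci_ends_with(name, TARGET_EXTS[i])) return ENCRYPT;
    return SKIP_NOT_TARGET;
}

int main(void)
{
    static const char *const samples[] = {          /* constructed paths */
        "C:\\Users\\alice\\Documents\\REPORT.DOCX",
        "C:\\Windows\\System32\\notes.doc",
        "C:\\Users\\alice\\Desktop\\tool.exe",
        "C:\\Users\\alice\\Documents\\00000000.pky",
        "C:\\Users\\alice\\Documents\\readme.txt",
    };
    static const char *const names[] = {
        "ENCRYPT", "SKIP_DIR", "SKIP_EXT", "SKIP_DROPPED", "SKIP_NOT_TARGET"
    };
    for (size_t i = 0; i < COUNT(samples); i++)
        printf("%-45s %s\n", samples[i], names[classify_path(samples[i])]);
    return 0;
}
```

The ordering matters for analysis: an extension that appears in both an exclusion list and the target list is skipped, and the dropped key files are protected from encryption by name, which is why they survive intact in the victim's directories.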