In this project, I built my personal malware analysis lab and tested it using WannaCry.
For this project, I decided to use two specialized environments for malware analysis: REMnux and FLARE VM.
- REMnux is a Linux distribution based on Ubuntu that includes a wide range of tools for reverse engineering, network artifact analysis, binary file investigation, and static analysis. It is well-suited for analyzing file formats, network packets, and reverse engineering.
- FLARE VM is a Windows-based virtual machine specifically designed for malware analysis. It comes with tools such as IDA Pro, Ghidra, x64dbg, and others used for code-level analysis and behavior research.
Both environments are run via VirtualBox.
Download the virtual appliance from the following link:
- Download the REMnux virtual appliance in OVA format.
- Import the OVA file into your preferred hypervisor.
- Enjoy!
Use the following links for downloading:
- Windows 10: Download Windows 10
- FLARE VM: FLARE VM on GitHub
- Create a new virtual machine with Windows 10 using the official ISO image.
- Disable Windows updates and antivirus software, including Windows Defender.
- Open a PowerShell prompt as an administrator.
- Download the installation script install.ps1 to your Desktop:
(New-Object net.webclient).DownloadFile('https://raw.githubusercontent.com/mandiant/flare-vm/main/install.ps1',"$([Environment]::GetFolderPath('Desktop'))\install.ps1")
- Unblock the script:
Unblock-File .\install.ps1
- Set the execution policy to allow scripts:
Set-ExecutionPolicy Unrestricted -Force
- Run the installation:
.\install.ps1
- Wait for the installation to complete.
- After installation, set the virtual machine's network mode to host-only for enhanced security.
- Create a snapshot of the virtual machine for easy rollback if needed.
- Enjoy!
I chose WannaCry because of its historical significance, its ongoing relevance in the cybersecurity community, and the easy availability of samples online. WannaCry is ransomware that spreads by exploiting the SMBv1 vulnerability CVE-2017-0144 (the EternalBlue exploit) and includes a kill-switch mechanism that stops encryption when a specific DNS domain is reachable.
Opening PeStudio in FLARE VM reveals the SHA256 hash of the file. Searching for this hash on VirusTotal confirms that the file is classified as ransomware.
Opening the "Libraries" section in PeStudio provides insights into the dependencies WannaCry uses.
Here’s a breakdown of the most critical libraries WannaCry imports:
- KERNEL32.dll - Basic Windows API functions for memory, process, file, and thread management. Used for operations like CreateFile and MoveFileExA.
- ADVAPI32.dll - Used for security, registry modifications, and privilege management (RegOpenKeyEx, AdjustTokenPrivileges).
- WS2_32.dll - Provides networking functions (socket, connect, send, recv).
- MSVCP60.dll - C++ runtime library for handling strings and memory operations.
- iphlpapi.dll - Used to gather network adapter and IP address information (GetAdaptersInfo, GetIpAddrTable).
- WININET.dll - Manages HTTP/FTP connections (InternetOpen, InternetConnect).
- MSVCRT.dll - Standard C library functions like malloc, free, fopen, fwrite.
By extracting strings from the executable, we can identify a key URL:
http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

This domain serves as the kill-switch for WannaCry. The ransomware checks if this domain is accessible before executing encryption. If it receives a response, it terminates execution. If the domain is unreachable, encryption proceeds.
Cybersecurity researcher Marcus Hutchins discovered this mechanism and registered the domain, effectively stopping WannaCry's spread.
It is believed that the domain check was included to detect if WannaCry was running inside a sandbox—a virtualized environment used for malware analysis.
- Sandboxes do not have real internet access but simulate it.
- WannaCry may have used the DNS query response to determine whether it was inside a sandbox.
- If a response was received, WannaCry would shut down, avoiding detection.
By registering the hardcoded domain, researchers tricked WannaCry into believing it was always inside a sandbox, causing it to terminate execution globally.
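The kill-switch logic described above turned into a defender's triage check, as an added example that is not part of the original project: it scans DNS query logs for the hardcoded domain and, following the page's decision rule, reports whether the querying host is likely to have exited or to have gone on encrypting. The key=value log layout and the host names are constructed for the example.

```python
import re
from dataclasses import dataclass

KILL_SWITCH = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample DNS log in a simple key=value layout (not taken from the page).
SAMPLE_LOG = """\
2017-05-12T07:44:01Z host=WS-042 query=www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com rcode=NXDOMAIN
2017-05-12T07:44:02Z host=WS-042 query=update.example.net rcode=NOERROR
2017-05-12T07:45:10Z host=WS-017 query=WWW.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. rcode=NOERROR
2017-05-12T07:46:00Z host=WS-099 query=mail.example.org rcode=NOERROR
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) query=(?P<qname>\S+) rcode=(?P<rcode>\S+)$")

@dataclass
class Alert:
    ts: str
    host: str
    outcome: str

def normalise(qname: str) -> str:
    """Lower-case and drop the trailing dot so FQDN spellings compare equal."""
    return qname.lower().rstrip(".")

def triage(log_text: str) -> list:
    """Flag every query for the kill-switch domain and infer what the sample did next."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or normalise(m["qname"]) != KILL_SWITCH:
            continue
        # Page logic: a response means the sample exits; no response means encryption runs.
        if m["rcode"] == "NOERROR":
            outcome = "domain answered: sample should have terminated (sinkhole hit)"
        else:
            outcome = "domain unanswered: assume encryption proceeded, isolate host"
        alerts.append(Alert(m["ts"], m["host"], outcome))
    return alerts
```

Either outcome is worth an alert: a query to this domain means the sample ran on that host, and only the answered case suggests it stopped on its own.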
Using Detect It Easy (DIE), we analyzed the file's entropy to check for encryption or packing.
- Overall Entropy: 7.96426 (very high, indicating possible encryption or packing).
- Suspicious Sections:
  - .rsrc section: Entropy 7.99523 (packed), suggesting encrypted payload storage.
  - .text section: Entropy 6.13463 (normal for executable code).
  - .data section: Entropy 6.10033 (potentially obfuscated variables).
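To show what the entropy figures above actually measure, here is an added example (my own code, not DIE's and not part of the original project) that computes Shannon entropy per PE section in pure Python by walking the COFF header and section table. The triage thresholds and the two-section sample PE it builds are constructed assumptions for the example; the sample is a header skeleton, not runnable code.

```python
import math
import random
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for perfectly uniform bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify(e: float) -> str:
    """Triage bands; the thresholds are this example's, not DIE's exact rules."""
    return "packed/encrypted" if e >= 7.2 else "normal" if e >= 5.5 else "sparse/padding"

def pe_sections(image: bytes):
    """Yield (name, raw bytes) by walking the COFF header and the section table."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0] if len(image) >= 0x40 and image[:2] == b"MZ" else -1
    if e_lfanew < 0 or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER, 20 bytes
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size                         # IMAGE_SECTION_HEADER[], 40 bytes each
    for i in range(num_sections):
        off = table + i * 40
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)   # SizeOfRawData, PointerToRawData
        yield name, image[raw_ptr:raw_ptr + raw_size]

def section_report(image: bytes) -> dict:
    """Map '<file>' and each section name to (entropy, triage label)."""
    report = {}
    for name, data in [("<file>", image), *pe_sections(image)]:
        ent = shannon_entropy(data)
        report[name] = (ent, classify(ent))
    return report

def build_sample_pe() -> bytes:
    """Constructed two-section PE skeleton (headers only, not runnable code)."""
    text = bytes(range(64)) * 8                                   # entropy exactly 6.0
    rng = random.Random(2017)                                     # deterministic "packed" payload
    rsrc = bytes(rng.getrandbits(8) for _ in range(4096))         # entropy about 7.95
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40))   # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # 2 sections, no optional header
    for name, data, ptr in ((b".text", text, 0x200), (b".rsrc", rsrc, 0x400)):
        hdr += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000, len(data), ptr, 0, 0, 0, 0, 0x60000020)
    image = bytearray(hdr).ljust(0x400 + len(rsrc), b"\0")
    image[0x200:0x200 + len(text)] = text
    image[0x400:] = rsrc
    return bytes(image)
```

Running section_report on a real sample reproduces the picture DIE gives: a resource section near 8.0 stands out against code sections around 6.0.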
In this project, I conducted a static analysis of WannaCry, examining its dependencies, imported functions, and entropy levels. This helped identify:
- Key behaviors of the ransomware.
- The function of the kill-switch domain.
- Potential obfuscation and encryption techniques used.
However, dynamic analysis (observing real-time execution and network traffic) was not included in this project. For a more detailed dynamic analysis, refer to this excellent source:
WannaCry Ransomware - Dynamic Analysis
This resource provides an in-depth look at WannaCry’s network activity, system interactions, and behavioral patterns during execution.