Didier Stevens

Tuesday 23 May 2017

WannaCry Simple File Analysis

Filed under: Malware,My Software,Reverse Engineering — Didier Stevens @ 7:32

In this video, I show how to get started with my tools and a WannaCry sample.

Tools: pecheck.py, zipdump.py, strings.py

Sample: 84c82835a5d21bbcf75a61706d8ab549

Sunday 21 May 2017

Update: zipdump.py Version 0.0.8

Filed under: My Software,Update — Didier Stevens @ 14:48

Added handling of zlib errors when performing a dictionary attack.

zipdump_v0_0_8.zip (https)
MD5: 51B971B57800D126B2067DC53303355A
SHA256: 095EE6000E99B9193C830B8BA11139907CB9445FD7D94D81E3F97A8B458D5D16

Saturday 20 May 2017

Update: zipdump.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 8:05

After adding support for password lists in zipdump, I decided to add an internal password list to zipdump, based on John’s public domain password list.

This internal password list (a few thousand passwords) can be used by providing filename . (a single dot) to options -P and –passwordfilestop.

zipdump_v0_0_7.zip (https)
MD5: 7B3D165B68B4E66D7EFCF54B25E08115
SHA256: DC794679CFDEA57AC532E11BC338F6823EECC26A36CB844B29EF15F93B6BA1C1

Thursday 18 May 2017

Update: re_search.py Version 0.0.7

Filed under: My Software,Update — Didier Stevens @ 0:00

This new version of re-search.py has a build-in regular expression for bitcoin addresses, together with a Python function to validate the address.

re-search_V0_0_7.zip (https)
MD5: 38EBBC6B45476AA2FB03DC9604D2F7EE
SHA256: 7BE3B986126C3E40A886A66A08EA360EEE01A29F064F2D3235A1311C4FB4E45E

Sunday 14 May 2017

Quickpost: WannaCry’s Mutex Is MsWinZonesCacheCounterMutexA0 (Digit Zero At The End)

Filed under: Malware,Quickpost — Didier Stevens @ 11:23

I’ve seen reports that WannaCry uses a mutex with name Global\MsWinZonesCacheCounterMutexA.

The samples I analyzed all use another mutex: Global\MsWinZonesCacheCounterMutexA0. That’s a digit zero at the end.

I have not found a sample that uses mutex Global\MsWinZonesCacheCounterMutexA (e.g. without digit zero at the end).

Update 1: I got confirmation from Costin Raiu from Kaspersky that the mutex is Global\MsWinZonesCacheCounterMutexA0.

Update 2: dynamic analysis with sample 84c82835a5d21bbcf75a61706d8ab549 shows that there are 2 mutexes that can prevent the ransoming of files: MsWinZonesCacheCounterMutexA and Global\MsWinZonesCacheCounterMutexA0. Remark that the Global namespace must be used with mutex MsWinZonesCacheCounterMutexA0, while it may not be used with mutex MsWinZonesCacheCounterMutexA.


Remark that the code above contains string “Global\\MsWinZonesCacheCounterMutexA”, but that is not the actual string used for OpenMutexA.

The actual string used for OpenMutexA is created by a sprintf “%s%d” call, and results in “Global\\MsWinZonesCacheCounterMutexA0“, that is “Global\\MsWinZonesCacheCounterMutexA” with a digit 0 (zero) appended.

Mutexes have long been used by malware authors to prevent more than one instance of the malware running on the same machine. An old anti-malware trick consists in the creation of a specific mutex, to prevent the execution of a specific malware.

I’ve seen tools and scripts published to create mutex Global\MsWinZonesCacheCounterMutexA to prevent WannaCry from infecting machines. This will not work for the samples I analyzed.

Samples I disassembled:

7c465ea7bcccf4f94147add808f24629644be11c0ba4823f16e8c19e0090f0ff (contained as a resource in 5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec).

86721e64ffbd69aa6944b9672bcabb6d (contained as a resource in 5bef35496fcbdbe841c82f4d1ab8b7c2).

Samples I searched for containing the mutex and sprintf code:


If you have a sample that actually uses mutex Global\\MsWinZonesCacheCounterMutexA and not mutex Global\\MsWinZonesCacheCounterMutexA0 (e.g. with digit zero appended), please post a comment with the hash of your sample.


Quickpost info

Saturday 13 May 2017

Quickpost: WannaCry Killswitch Check Is Not Proxy Aware

Filed under: Malware,Quickpost — Didier Stevens @ 11:54

It looks like #WannaCry’s killswitch check (www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com) is not proxy aware:

Organizations that use proxies will not benefit from the killswitch.

Sample: 5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec

I have not tested this in a VM. If someone has, please post a comment with your findings.

Update: I did test the sample, it is not proxy aware. In an environment with an HTTP proxy and no direct connections to the Internet, the sample can not connect to www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com, and it will infect the host.

If I patch the sample to make it proxy aware, it can connect to the site through the proxy, and it does not infect the host.

Quickpost info

Update: re_search.py Version 0.0.5

Filed under: My Software,Update — Didier Stevens @ 10:41

When I used my re-search.py tool to extract Bitcoin addresses from the latest WCry samples, I found a small bug. This version is a bugfix (bug introduced in version 0.0.4).

re-search_V0_0_5.zip (https)
MD5: A03CBBA9F2C5900A368BC064D3CC3D00
SHA256: 940B12CA8E3ADCC0266BC788B5A7AE2C830115BDB9FC04C3A7A178FDD7D44F02

Friday 12 May 2017

Quickpost: ZIP Password Cracking With John The Ripper

Filed under: Encryption,Quickpost — Didier Stevens @ 0:00

Here is how to crack a ZIP password with John the Ripper on Windows:

First you generate the hash with zip2john:

Then you run john:

In this example, I use a specific pot file (the cracked password list).


Quickpost info

Thursday 11 May 2017

Crack A ZIP Password, And Fly To Dubai …

Filed under: My Software,Update — Didier Stevens @ 0:00

We had to crack a password protected ZIP file, to discover that just few hours later, we would fly to Dubai for our NVISO team building event.

This inspired me to update my zipdump.py tool. This tool can handle password protected ZIP files. Using default password “infected”, or a password that can be provided with option -p.

In this new version, you can provide a list of password in a text file using option -P. Turns out that this simple dictionary attack just using Python is surprisingly quick (at least to me): 8000 passwords per second on an average machine.



zipdump_v0_0_6.zip (https)
MD5: B605DEABFC5458488B6487B1E9104085
SHA256: DDC2CE94D250CBDE62AD1EBE650654E4A50C51F97CADF412B16A553242819772

Tuesday 9 May 2017

Quickpost: Internet Zone IDs

Filed under: Quickpost — Didier Stevens @ 0:00

Mostly as a reminder for myself, here are the Internet Zone IDs (taken from HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones on a Windows 8.1 machine, there is also a HKLM entry) as used in the Zone.Identifier ADS:

Zone ID Displayname Description
0 Computer Your computer
1 Local intranet This zone contains all Web sites that are on your organization’s intranet.
2 Trusted sites This zone contains Web sites that you trust not to damage your computer or data.
3 Internet This zone contains all Web sites you haven’t placed in other zones
4 Restricted sites This zone contains Web sites that could potentially damage your computer or data.

Quickpost info

Next Page »

Blog at WordPress.com.