Course Final: Practical Malware and Triage (Wannahusky Ransomware)
Author’s note:
Now, y’all might be wondering why a malware analysis post in an OSINT-focused blog? This post serves as a turning point for this blog, as I intend to use this blog outside of OSINT. No worries, the OSINT content will be there, but if I want to do anything outside of the OSINT category, I’m just going to put it here due to the ease of maintaining the blog. I do have another blog (https://finxlogs.blogspot.com/) but I haven’t maintained it for so long, so as of now that blog’s dead. That’s all that I need to cover, back to the report...
Details of the final:
Basically, I need to do a triage report and YARA rules for any sample in this course. I chose to write the report and YARA rules here since this is my main medium when it comes to blogging. So, let’s jump into the report.
Sample: Ransomware.wannahusky.exe (Wannahusky Ransomware)
Table of contents
- Executive Summary
- High-Level Technical Summary
- Malware Composition
- Basic Static Analysis
- Basic Dynamic Analysis
- Advanced Static Analysis
- Advanced Dynamic Analysis
- Indicator of Compromise
- Rules & Signatures
Executive Summary
[SHA256 hash: 3d35cebcf40705c23124fdc4656a7f400a316b8e96f1f9e0c187e82a9d17dca3]
Wannahusky Ransomware is a 32-bit Nim-compiled ransomware provided in the Practical Malware Analysis and Triage course. When run, it locks cosmo.jpeg as cosmo.WANNAHUSKY, runs the PowerShell script ps1.ps1 and executes the command “tree C:/”.
High Level Technical Summary
Malware Composition
- Ransomware.wannahusky.exe [SHA256 hash: 3d35cebcf40705c23124fdc4656a7f400a316b8e96f1f9e0c187e82a9d17dca3]
The initial executable; it locks cosmo.jpeg after its detonation.
- WANNAHUSKY.png [SHA256 hash: unknown]
The ransom note. It informs the victim that the picture of cosmo has been locked and that, to recover it, they must pay a ransom of 100 HuskyCoins within 24 hours, after which the adversary deletes the cosmo file.
- ps1.ps1 [SHA256 hash: unknown]
A PowerShell script that pops up and then deletes itself from the victim’s device.
Basic Static Analysis
- VirusTotal scan result
Result: 35 vendors flagged it as malicious
Filtering the extracted strings yields several important indicators:
- Indicators that the ransomware was compiled with Nim
- The presence of WANNAHUSKY.png and cosmo.WANNAHUSKY
- The presence of a PowerShell script called ps1.ps1
Basic Dynamic Analysis
After detonating the malware, the following behaviors were observed in this phase:
1) The presence of WANNAHUSKY.png, cosmo.WANNAHUSKY and ps1.ps1 on the device
2) A command-line session trying to run ps1.ps1 and tree C:/ (in my system, the ps1.ps1 file cannot be run due to some system error)
Here are the details of the captured attempt to run the ps1 script and the “tree C:/” command:
3) The ps1.ps1 file gets deleted from the device entirely
Advanced Static Analysis
The Cutter output is too complicated to decipher the flow of the program.
Advanced Dynamic Analysis
After the fourth debug run of the application, the application got stuck at the entry point (same as the third debug run). I did try to analyze in between the third debug run and the fourth, but to no avail.
Indicator of Compromise
- Host indicators
- ps1.ps1
- WANNAHUSKY.png ransom note
- the cmd session running ps1.ps1 and “tree C:/”
- Network indicators
Not available, since this application does not connect to any domain
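To make the host indicators above actionable, here is an added Python example (not part of the original report or the course material) that sweeps a directory tree for the listed file names, for anything carrying the .WANNAHUSKY extension, and for any file whose SHA256 matches the sample hash quoted in this report. The directory layout it builds is constructed for the demo; nothing in it is a real malware artefact.

```python
import hashlib
import tempfile
from pathlib import Path

# Host indicators taken from the report: dropped/renamed file names, the
# extension given to locked files, and the sample's SHA256 hash.
INDICATOR_NAMES = {"ps1.ps1", "WANNAHUSKY.png", "cosmo.WANNAHUSKY"}
ENCRYPTED_EXTENSION = ".WANNAHUSKY"
SAMPLE_SHA256 = "3d35cebcf40705c23124fdc4656a7f400a316b8e96f1f9e0c187e82a9d17dca3"


def sha256_of(path: Path) -> str:
    """Stream a file through SHA256 so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root) -> dict:
    """Walk `root` and collect every host indicator found.

    Returns {"by_name": [...], "by_extension": [...], "by_hash": [...]} with
    paths relative to `root` (POSIX style) and sorted, so output is deterministic.
    """
    root = Path(root)
    found = {"by_name": [], "by_extension": [], "by_hash": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in INDICATOR_NAMES:
            found["by_name"].append(rel)
        if path.suffix == ENCRYPTED_EXTENSION:
            found["by_extension"].append(rel)
        if sha256_of(path) == SAMPLE_SHA256:
            found["by_hash"].append(rel)
    for key in found:
        found[key].sort()
    return found


def build_constructed_tree(root) -> None:
    """Create a constructed layout mimicking a host after detonation.

    File contents are placeholders, so no file will match SAMPLE_SHA256.
    """
    desktop = Path(root) / "Users" / "victim" / "Desktop"
    desktop.mkdir(parents=True)
    (desktop / "cosmo.WANNAHUSKY").write_bytes(b"constructed locked data")
    (desktop / "WANNAHUSKY.png").write_bytes(b"constructed ransom note")
    (desktop / "notes.txt").write_text("benign file\n")
    (desktop.parent / "ps1.ps1").write_text("# constructed placeholder script\n")


def demo() -> dict:
    """Build the constructed tree in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        return sweep(tmp)


if __name__ == "__main__":
    for category, hits in demo().items():
        print(f"{category}: {hits}")
```

Point sweep() at a mounted disk image or an exported user profile rather than the demo tree for a real triage; the name and extension checks are cheap, while the hash check reads every file and is what confirms the exact sample was present.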
Rules & Signatures
This is the YARA rule for this application:
rule wannahusky_ransomware {
    meta:
        last_updated = "2023-03-23"
        author = "finx"
        description = "YARA rule to detect Wannahusky Ransomware"
    strings:
        // PE files start with the "MZ" DOS header magic
        $PE_magic_byte = "MZ"
        // Nim compiler artefact seen in the strings output
        $string1 = "nim" ascii
        // Ransom note and locked file names observed on the host
        $string2 = "WANNAHUSKY.png" ascii
        $string3 = "cosmo.WANNAHUSKY" ascii
        // Dropped PowerShell script
        $string4 = "ps1.ps1" ascii
    condition:
        // Must be a PE file and contain every string defined above
        $PE_magic_byte at 0 and
        all of them
}
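As an added illustration (not part of the original report or the course material), the following Python re-implements the rule’s logic so the condition can be walked through without YARA installed. It shows how “$PE_magic_byte at 0 and all of them” evaluates against a handful of constructed byte buffers: a buffer carrying every indicator, a non-PE buffer with the same strings, a PE-like buffer missing one string, and a benign buffer where “nim” only appears inside the word “minimum”. Use YARA itself for real scanning; this is only a model of the rule.

```python
# Patterns copied from the wannahusky_ransomware rule above.
RULE_STRINGS = {
    "$PE_magic_byte": b"MZ",
    "$string1": b"nim",
    "$string2": b"WANNAHUSKY.png",
    "$string3": b"cosmo.WANNAHUSKY",
    "$string4": b"ps1.ps1",
}


def evaluate(data: bytes) -> dict:
    """Model the rule condition `$PE_magic_byte at 0 and all of them`.

    `all of them` requires every declared string to occur somewhere in the
    buffer; `at 0` additionally pins the PE magic to the very first offset.
    Returns per-string hits plus the final verdict so partial matches are visible.
    """
    hits = {name: pattern in data for name, pattern in RULE_STRINGS.items()}
    pe_at_zero = data.startswith(RULE_STRINGS["$PE_magic_byte"])
    return {"hits": hits, "pe_magic_at_0": pe_at_zero, "match": pe_at_zero and all(hits.values())}


def constructed_samples() -> dict:
    """Constructed buffers for the demo; none is a real binary."""
    dos_stub = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode"
    indicators = b"\x00nim\x00WANNAHUSKY.png\x00cosmo.WANNAHUSKY\x00ps1.ps1\x00"
    return {
        "all_indicators": dos_stub + indicators,
        "not_a_pe": b"#!/bin/sh\n" + indicators,
        "missing_script_name": dos_stub + indicators.replace(b"ps1.ps1", b""),
        "benign_with_nim_substring": dos_stub + b"\x00minimum buffer size\x00",
    }


def verdicts() -> dict:
    """Evaluate every constructed sample and return name -> match flag."""
    return {name: evaluate(data)["match"] for name, data in constructed_samples().items()}


if __name__ == "__main__":
    for name, data in constructed_samples().items():
        report = evaluate(data)
        print(f"{name}: match={report['match']} hits={report['hits']}")
```

The benign sample is the instructive one: a bare three-byte ascii pattern such as "nim" fires on ordinary words (YARA string matching is case-sensitive by default, so "minimum" contains it), which is why the rule only matches when the longer, sample-specific strings are also present.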