Unknown
Name: Ransomware.wannahusky.exe.malz
Hashes
MD5: 0287b38f8240a025b30c0a231ea403fc
SHA1: 691ac1b4b7b494f7b56eff0b48ba3e31a14e0d7d
SHA256: 3d35cebcf40705c23124fdc4656a7f400a316b8e96f1f9e0c187e82a9d17dca3
VirusTotal
On VirusTotal it is flagged as a trojan by 44 engines out of 72.

Strings
FLOSS highlights some interesting strings in the binary:
@cannot write to stream
@tree C:\
@Desktop\ps1.ps1
@powershell
@Desktop\ps1.ps1
@$code = @'
using System.Runtime.InteropServices;
namespace Win32{
public class Wallpaper{
[DllImport("user32.dll", CharSet=CharSet.Auto)]
static extern int SystemParametersInfo (int uAction , int uParam , string lpvParam , int fuWinIni) ;
public static void SetWallpaper(string thePath){
SystemParametersInfo(20,0,thePath,3);
}
}
add-type $code
$currDir = Get-Location
$wallpaper = ".\WANNAHUSKY.PNG"
$fullpath = Join-Path -path $currDir -ChildPath $wallpaper
[Win32.Wallpaper]::SetWallpaper($fullpath)
@Desktop\WANNAHUSKY.png
IHDR
sRGB
@encode__npLRSgmGJDNX8bfurW5iRw@12
stdlib_base64.nim.c
@burnMem__4FZHyz34TGxTmMy6XY9cOSg@8
@m..@s..@s..@s..@s..@s.nimble@spkgs@snimcrypto-0.5.4@snimcrypto@sutils.nim.c
@digest__CXo4xdrVR0UXF9aOcb9aJFYg@8
@m..@s..@s..@s..@s..@s.nimble@spkgs@snimcrypto-0.5.4@snimcrypto@shash.nim.c
_nimAddInt.constprop.0
@sha256Transform__BJNBQtWr9bJwzqbyfKXd38Q@12
@finish__x70ALeeaQ1ry9a63hdOCQWA@4
@m..@s..@s..@s..@s..@s.nimble@spkgs@snimcrypto-0.5.4@snimcrypto@ssha2.nim.c
_ortho__tEkTGAwQ2Ju9b64CfcPFjKgrijndael
@bitsliceSbox__td6AIXVem9adJuhtvam1mYA@4
@subWord__eIyaZ4Ej9atGVh4yLO6rJVQ@4
@keySchedule__atoyT3nOrMuAmdOTI4mO5g@12
@encrypt__py6wg79aBw8iTzUm11Z7JOA@20
@m..@s..@s..@s..@s..@s.nimble@spkgs@snimcrypto-0.5.4@snimcrypto@srijndael.nim.c
@init__QeKCvRTxwnkv4EgDHKgXYA@20
_TM__40YfnbOcmramUFyaunCxCg_2
_TM__40YfnbOcmramUFyaunCxCg_3
@inc128__vRz5m42fv3XKwSYgATX55Q@8
@inc256__vRz5m42fv3XKwSYgATX55Q_2@8
These show that the sample was built with Nim (nimcrypto package paths, SHA-256 and Rijndael routines) and that it references a file on the Desktop named WANNAHUSKY.PNG.
Using PE-Studio we can identify that it is a 32-bit executable, and its imports hint at process injection.


Comparing the raw size and virtual size of the sections, we can conclude that the malware is not packed.
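The two PE-Studio checks above (bitness, and raw vs. virtual section sizes as a packing indicator) can be reproduced with a small header walk. The following is an added example for these notes, not the course's or the sample's code: it parses the DOS header, PE signature, COFF header and section table with the standard library only, and the PE bytes it builds are constructed header-only stand-ins, not the WANNAHUSKY binary. The 4x ratio threshold is an assumed heuristic, and the check ignores non-executable sections with zero raw size so that an ordinary .bss does not trigger it.

```python
"""Section-table triage for a PE file: report bitness and compare each
section's raw size with its virtual size to judge whether it is likely
packed.  Added example; the PE blobs below are constructed, not the sample."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000  # section characteristic: executable
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def parse_sections(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]  # 0x10B = PE32, 0x20B = PE32+
    bits = {0x10B: 32, 0x20B: 64}.get(magic)
    sections = []
    for i in range(n_sections):
        off = opt + opt_size + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": raw_size,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
        })
    return {"machine": MACHINE_NAMES.get(machine, hex(machine)), "bits": bits,
            "sections": sections}


def triage_pe(data: bytes, ratio: float = 4.0) -> dict:
    """Flag executable sections whose virtual size dwarfs their raw size:
    code present in memory but absent on disk is the classic sign of a
    packer stub that unpacks at runtime.  Non-executable sections with
    raw size 0 (ordinary .bss) are skipped to avoid false positives."""
    info = parse_sections(data)
    suspicious = []
    for s in info["sections"]:
        if not s["executable"] or s["virtual_size"] == 0:
            continue
        if s["raw_size"] == 0 or s["virtual_size"] / s["raw_size"] > ratio:
            suspicious.append(s["name"])
    info["suspicious_sections"] = suspicious
    info["likely_packed"] = bool(suspicious)
    return info


def build_sample_pe(sections, machine=0x14C, magic=0x10B) -> bytes:
    """Construct a minimal header-only PE32 for testing (no real code)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after the DOS header
    opt_size = 224  # standard PE32 optional header size; body zeroed here
    coff = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", magic) + bytes(opt_size - 2)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, vaddr, raw, 0x400, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, raw, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


# Constructed samples: an ordinary layout and a packed-looking one.
UNPACKED = build_sample_pe([
    (".text", 0x4F00, 0x1000, 0x5000, 0x60000020),  # code, raw ~= virtual
    (".data", 0x0800, 0x6000, 0x0A00, 0xC0000040),
    (".bss",  0x2000, 0x7000, 0x0000, 0xC0000080),  # raw 0 but not executable
])
PACKED = build_sample_pe([
    (".text", 0x20000, 0x1000, 0x0000, 0xE0000080),  # executable, nothing on disk
    (".stub", 0x7800, 0x21000, 0x7800, 0xE0000040),  # small unpacker stub
])

if __name__ == "__main__":
    for label, blob in (("unpacked", UNPACKED), ("packed", PACKED)):
        r = triage_pe(blob)
        print(label, r["bits"], r["machine"], r["suspicious_sections"], r["likely_packed"])
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage_pe`; the ratio heuristic is a first-pass signal to confirm in PE-Studio, not a definitive packer verdict.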
Initial Running
In the initial detonation without internet access, it ran cmd and the tree command.

It runs a PowerShell script from the user's Desktop,

and it updates the wallpaper image and drops a file.
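The detonation behaviour recorded above (cmd spawning tree against the drive root, PowerShell executing a .ps1 from the Desktop, and the wallpaper change through SystemParametersInfo) gives a SOC three correlatable signals. The following is an added detection example for these notes, not the course's code: the events are constructed Sysmon-style process records plus one PowerShell script-block record, not logs from the real sample, and the field names and parent-process grouping are assumptions for the example.

```python
"""Hunt for the chain described in the detonation notes over constructed
Sysmon-style events.  Added example; events and field names are assumed."""
import re
from collections import defaultdict

# (rule name, event field examined, pattern).  Field names follow Sysmon /
# PowerShell 4104 conventions but are an assumption for this example.
RULES = [
    ("tree_of_drive_root", "CommandLine",
     re.compile(r"(?i)\btree(\.com)?\s+[a-z]:\\")),
    ("powershell_script_from_desktop", "CommandLine",
     re.compile(r"(?i)powershell(\.exe)?\b.*\\Desktop\\[^\s\"]+\.ps1")),
    ("wallpaper_set_via_spi", "ScriptBlockText",
     re.compile(r"(?i)SystemParametersInfo\s*\(\s*20\s*,")),  # 20 = SPI_SETDESKWALLPAPER
]


def match_rules(event: dict) -> list:
    """Return the names of every rule whose field pattern matches this event."""
    hits = []
    for name, field, pat in RULES:
        value = event.get(field, "")
        if value and pat.search(value):
            hits.append(name)
    return hits


def find_chains(events, min_rules: int = 2) -> dict:
    """Group rule hits by parent process; a parent that triggers two or
    more distinct rules matches the chain described in the notes."""
    by_parent = defaultdict(set)
    for ev in events:
        for name in match_rules(ev):
            by_parent[ev.get("ParentImage", "?")].add(name)
    return {p: sorted(r) for p, r in by_parent.items() if len(r) >= min_rules}


# Constructed events (not real telemetry from the sample).
SAMPLE_PARENT = "C:\\Users\\analyst\\Desktop\\sample.exe"
SAMPLE_EVENTS = [
    {"ParentImage": SAMPLE_PARENT, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd /c tree C:\\"},
    {"ParentImage": SAMPLE_PARENT,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell C:\\Users\\analyst\\Desktop\\ps1.ps1"},
    {"ParentImage": SAMPLE_PARENT,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ScriptBlockText": "SystemParametersInfo(20,0,thePath,3);"},
    # benign admin script: PowerShell, but not from the Desktop
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for parent, rules in find_chains(SAMPLE_EVENTS).items():
        print(parent, "->", ", ".join(rules))
```

Each rule on its own is noisy (administrators run tree and Desktop scripts too), which is why the verdict is only raised when one parent process trips at least two of them.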