Reversing WannaCry Part 2 - Diving into the malware with

234,002 views

stacksmashing

4 years ago

In the second video of the "Reversing WannaCry" series we continue to dive into the malware and find some encrypted components and the first traces of the decryption & encryption functionality of the ransomware. We also learn how to use OOAnalyzer to easily reverse engineer C++ code in Ghidra!
Part 1: Reversing WannaCry Par...
The scripts and Ghidra projects can be found here: github.com/ghidraninja/Revers...
Twitter: / ghidraninja
Links:
- OOAnalyzer: insights.sei.cmu.edu/sei_blog...
- My Ghidra Scripts: github.com/ghidraninja/ghidra...

Comments: 219
@fedemancuello8905 4 years ago
With this guy's ability it wouldn't surprise me if part 3 ends with the malware creator tied to a chair and asking forgiveness. He's going serious with this. Absolutely awesome.
@navjot7397 4 years ago
This is content that surely isn't expected to go viral on YT, but it is a treat to watch for people with some coding knowledge and curious minds. Thanks for creating this!
@stacksmashing 4 years ago
Thanks a lot!
@navjot7397 4 years ago
@stacksmashing Welcome, eagerly waiting for the next part(s).
@mateusmercer2280 4 years ago
The first video has 300k+ views, this one has a lot less (about 70% less). It's funny to see how videos on complex subjects tend to have this pattern. With 3Blue1Brown playlists this happens a lot.
@navjot7397 4 years ago
@mateusmercer2280 I think people just binge-watch the first part and very few feel intrigued enough to watch the second.
@HarryTicke 3 months ago
@navjot7397 Shame, though. This part has the candy.
@februalist4686 4 years ago
Top 10 unexpected sequels
@stacksmashing 4 years ago
Am I before or after Matrix 4 in that list? :D
@user-sf6sg4sn1l 4 years ago
@stacksmashing Before Half-Life 3. That's for sure )
@masodiongaming97 4 years ago
Plot twist: he created the virus and now he's just playing with us
@asaripatlineto7295 3 years ago
Plot twist 2: you created the virus, and you are playing with us
@ayaan5015 2 years ago
@asaripatlineto7295 Plot twist 3: you created the virus, and you are playing with us
@Aryan-ji2nk 2 years ago
@ayaan5015 Plot twist 4: You both created the virus and now you're spamming here
@Stein060 2 years ago
@Aryan-ji2nk Plot twist 5: You all created the virus and now you're making me wanna cry with all these confusing comments *ba-dum-tss*
@SyutoMC 2 years ago
Plot twist 7: the guy who made it is in prison
@Aliosar22 4 years ago
Just got the first part recommended. These two videos taught me a lot about how to use Ghidra, so keep up the great work. I also really like the flow diagrams you're drawing, as they give a great overview. You've got a new subscriber and I hope you'll upload more regularly now.
@aleksanderdzierzon6681 4 years ago
Imagine being the creator of WannaCry and watching this
@alexremy5295 4 years ago
Maybe it's you
@QS1597 4 years ago
Alex Rémy maybe it's you
@phizlip 4 years ago
@QS1597 Maybe it's you
@nisseost1 4 years ago
@phizlip Maybe it's you
@thedani4 4 years ago
Would it make him WannaCry?
@altro5067 4 years ago
Hell yeah! Been waiting for this since part 1
@skillfulfighter23 4 years ago
Love it! It's amazing how it's possible to turn compiled code back into regular uncompiled code.
@lxhon 4 years ago
Again: absolutely incredible work on your side. How great would it be if Ghidra/Cutter/Hopper could have all those repeated tasks automated or at least suggested, either through pattern matching or an AI which is fed by all the reverse engineers around the world. Candidates are: the OOAnalyzer, function renaming, multiple sequential char arrays, byte cleanup, no-return hinting, struct imports for pointer constructs in decompilation, etc. I would definitely fund such a project!
@Wasabiofip 4 years ago
Fund it with your time - it's open source! ;)
@nitrogen9975 4 years ago
So glad you showed your research into this! Thank you for your time figuring out this puzzle. :)
@SonicD007 4 years ago
Thank you for creating this series, very helpful in learning to RE, and everything is explained clearly.
@MinhNguyen-kv2mz 4 years ago
Long have we waited! Glad to have you back :)
@n3r0z3r0 4 years ago
Awesome! I remember doing the same with IDA Pro in the terminal. But back in my time the viruses had much simpler code :) Thanks!
@vladysmaximov6156 4 years ago
I don't see very much obfuscation in WannaCry lol. I remember a keygenme that was a lot more obfuscated and had some techniques to frustrate reverse engineering analysis. I'm using OllyDbg. I remember some obfuscated strings with a large algorithm in the Stantinko malware.
@kirdow 4 years ago
You just gained a like, a sub, and a bell notification user. I'm amazed how much you can understand from so few words on each line. Really good work bro :D
@AlmightyGauss 4 years ago
At last, I've been looking forward to this!
@sepehrmohaghegh2855 4 years ago
Part 3 should be very interesting!
@andrei-ioan535 4 years ago
This video is so interesting. I look forward to the next part. All the best
@lanceward7048 2 months ago
This deserves a million more views, but so few proves how rare a talent you have for this content
@TU7OV 4 years ago
Glad you're back!
@anurag2877 4 years ago
Finally, I've been waiting for this.
@OskaIvanovichSmirnov 4 years ago
After 2 rewinds I still only half understand. But man, this is really good for sleep when listening at night.
@idiyerbill1968 3 years ago
😂😂😂🤣🤣😂🤣
@IcedDoubleYT 15 days ago
Agree, this puts you to sleep if you have no programming knowledge
@Hacks00145 4 years ago
That's really nice and deep. Looking forward to more videos in the series.
@mihaelpanjkrc7870 4 years ago
Dude finally!!
@pierrevevostudio5271 4 years ago
Can't wait for part 3 :)
@mrhidetf2 4 years ago
I hope you keep putting out content and that you'll find the time to do videos more frequently. Great video!
@Backshopgolf 4 years ago
Great video! Very insightful! Post more like this!
@TheSailingDentist 4 years ago
Love your work. Please keep it going
@florianvandillen 4 years ago
Brilliant stuff!
@ywanhk9895 4 years ago
Finally some good reverse engineering videos, I understood everything. Waiting for part 3 now
@snowcold903 4 years ago
Was waiting for this video!!
@AureliusR 4 years ago
Thank god part 2 came out!!
@robmorgan1214 4 years ago
Great video! Thanks for sharing this!
@sdHansy 4 years ago
Nice, I had nothing to watch until this popped up. See you in part 1.
@blade1551431 4 years ago
Hallelujah, part 2 finally
@christopherleubner6633 1 month ago
You should teach classes on this stuff. You break it down very well. ❤
@royals6413 4 years ago
Thanks for these videos
@btarg1 4 years ago
Can't wait for open source malware!
@Laflamablanca969 4 years ago
You are insane, keep them coming
@sinistergeek 4 years ago
Very informative!! Keep it up!!
@budhachandrayumkhaibam6079 4 years ago
Looking forward to part III
4 years ago
Finally, that's why I subscribed to your channel
@thecowmilk4857 4 years ago
WannaCry dude was not from this planet......... Totally a legend....!!
@RmFrZQ 4 years ago
Can you recommend any good books you have read personally on the subject? I know it's a vast topic and I have a hard time going deeper than reversing some entry-level crackmes and making patches.
@anothersplinterinyourmind9043 4 years ago
Good videos bruh, I hope you keep it up
@thehyperdimentinaltraveller 4 years ago
I don't know why this is in my recommendations and I didn't understand a single word you said. But I'm sure you're doing a great job at whatever you're doing 👍🏻
@pipony8939 4 years ago
*NSA* joined the chat
@tenzo4961 2 years ago
You have to admit, the inventor who made WannaCry is an intelligent human being
@AdeeJa 1 year ago
This kind of malware is the work of a team, not a single person.
@ncg8224 1 year ago
@AdeeJa Inadvertently an intelligent group of people
@Vollex_ 4 years ago
Finally!!!
@respectedmastermind 4 years ago
Welcome back! :P
@xusheng9821 4 years ago
Nice work and video!
@szymoniak75 4 years ago
Almost forgot about this series
@keisarimies 4 years ago
Waiting for part 3!
@drozcan 4 years ago
Yeaaaa finally
@Alumx 11 months ago
It's 5am and I'm watching reverse engineering coding gameplay. Let's fuckin goo 🔥🔥🔥
@mayuna_ 4 years ago
FINALLY
@jeremoisde9928 4 years ago
Holy shit, I want to learn it but you are at the highest level and I don't understand anything.
@andybrychenko 4 years ago
Super cool
@syrul6735 10 months ago
Hello, I want to ask how you got the CERT plugin in Ghidra? It's not coming out for mine.
@diynno742 2 years ago
Yesterday I got attacked by .ghas, from the djvu family, and I was wondering if it can also be reverse engineered like that?
@h3xad3cimaldev61 4 years ago
I want to make a reverse engineering tool like Ghidra, or a tool to view the assembly code of a program. Can someone help?
@hasangurbuz3454 5 months ago
This guy is the real antivirus
@lunatic0x5 4 years ago
Hey man, can you tell me the part where the actual encryption takes place?
@begga9682 4 years ago
YES!
@EmperorGZT 1 year ago
Such a classic
@user-lm4wq2po2m 4 years ago
Very good!
@wdestroier 4 years ago
Waiting for part 3 next week or so
@TheErixcode 3 years ago
Bro this is the best analysis I've seen, but please slow down the video a little bit so we can follow xD
@amimox1950 3 years ago
Nerding over 9001
@luizvaz 4 years ago
This means that the leaked keys are all equal?
@samsepiol6052 1 year ago
I am following along with you, and I just want to know: how did you get OOAnalyzer? Did you just use the docker file?
@stacksmashing 1 year ago
I believe at the time I used the docker image!
@samsepiol6052 1 year ago
@stacksmashing Thank you for your reply. Does using the docker image automatically make the "CERT" option appear?
@stacksmashing 1 year ago
Ah, for Ghidra you need the plug-in :)
@samsepiol6052 1 year ago
@stacksmashing Thank you so much! It worked like a charm.
@danihidayat4012 4 years ago
Man this is insane
@georgehammond867 3 years ago
What is the main language that WannaCry is written in? Is it C or C+!?
@androBughunter 2 years ago
Cool, thanks 👍👍
@twobob 3 years ago
@shyonae 4 years ago
Dude you are so fucking good at this
@estherowo 4 years ago
:) This is cool
@jnandeepdevsarma2966 4 years ago
You're great
@thejswaroop5230 3 years ago
What about those .onion addresses you got in part 1??
@Djmaxofficial 3 years ago
WannaCry 2.0 is on the way :D
@mathyscesaire3045 4 years ago
When will part 3 be out!!!
@nankipoo492 3 years ago
3:24: installing Pharos for C++ analysis by using "docker pull seipharos/pharos" **One-Winged Angel** starts playing...
@WikiPeoples 3 years ago
Question: So far in Part 1 and Part 2 I don't think we've actually seen any "exploit", right? Just want to make sure I'm following along correctly. It appears it's so far just been a bootstrap / setup process using Win32 APIs. All of which you'd need administrator privileges to run, right?
@oriyadid 11 months ago
I'm a bit late in answering this but it might be helpful to someone else wondering the same thing. Yes, this isn't the exploit code, and you do need admin privileges for the code in parts 1 and 2 to work. This is because WannaCry is typically invoked by the exploit, rather than by a user interaction. The actual exploit itself is probably mentioned in part 3, as it talks about how the malware spreads, but a short version is it's a zero-day in Windows found by the NSA, which was leaked to the public by a group known as the "Shadow Brokers". As far as I remember Windows patched the vulnerability before WannaCry was created, but many machines which were not updated were still vulnerable.
@ujurak3899 4 years ago
0:39 isn't that check redundant since tasksche.exe was run with the /i argument?
@stacksmashing 4 years ago
No, because it re-launches itself without the /i argument :)
@theojohanson 4 years ago
Heyo, very new to reverse engineering here, though I saw that some things, for example bitcoin addresses, are shown while reverse engineering thanks to your video. Can any person that's reverse engineering this just change that and then relaunch it? Or do most "hackers" that still use WannaCry just launch it without changing anything? But I'm guessing it's not really active anymore and can't be used thanks to the killswitch?
@v380riMz 2 years ago
Of course WannaCry can still be used, what's cheaper, paying some hacker 350 USD in BTC or paying a company that charges you a couple of grand just to undo all the stuff? Of course they won't tell you a killswitch is active
@reinko5194 3 years ago
I'm not into coding or something like this so I don't know why this is getting recommended to me, but at the start he said that WannaCry tries to connect to a URL and if it succeeds it does nothing, so if a computer is connected to the internet, why is it unable to connect to this URL?
@sbapkat8691 2 years ago
The URL was not registered, so if you tried to access it nothing would be returned. It acts as a kill switch because someone can register this URL and make it active to stop the spread
@reinko5194 2 years ago
@sbapkat8691 Thanks for the response, now it makes sense to me.
@saeedmahmoodi7211 4 years ago
Decompile Windows for the next project
@guap3228 7 months ago
Complete noob here. Were the variables renamed to vague things like "param1" etc. to intentionally mask what the code is doing?
@TheSailingDentist 4 years ago
Maybe you can show how to decompile some DJI drone firmware for educational purposes or other advanced stuff. It would be interesting to see... :)
@McDonnerbogen 4 years ago
He'd be sued in no time
@Schtevs 4 years ago
Mac OS X! Yay!
@crystalsheep1434 1 year ago
Wow
@braaitongs 1 year ago
Now that we know how this works, is there a way to make your PC invulnerable to this malware?
@youtube_bat3811 1 year ago
Probably, but it would take a long time
@kingroliKR 4 years ago
Continue please~1
@godfire6498 3 years ago
Why don't we create "wannalaugh.exe"?
@emmettturner9452 3 years ago
"tasksche.exe" is short for TaskScheduler so "task A dot ex uh" just sounds wrong. :)
@CristiNeagu 3 years ago
He's not saying "task A dot ex uh". He's pronouncing "tasksche" in German, which more or less sounds like "taske".
@emmettturner9452 3 years ago
@CristiNeagu Yeah. IOW, "task-aye dot ex uh"
@nakul2569 3 years ago
How to get that CERT menubar in Ghidra?
@stacksmashing 3 years ago
It's part of the OOAnalyzer plugin
@nakul2569 3 years ago
@stacksmashing I have spent the whole morning installing that plugin using this repo here github.com/cmu-sei/pharos/tree/master/tools/ooanalyzer/ghidra/OOAnalyzerPlugin but nothing works :( Btw your videos are life changing. Please continue to make more Ghidra reverse engineering videos. Cheers!!
@jordanferraris5715 2 years ago
@nakul2569 Were you ever able to get it? If not, now there is no actual ghidra tree in the pharos repo; it is now built into a new tool (sort of a big combined tool) called Kaiju which has a bunch of Ghidra stuff including the OOAnalyzer CERT tab on the menubar
@jofx4051 4 years ago
The maker of WannaCry should be wannacry now if they watch this
@notyoursurya 4 years ago
Can anyone help me out with the installation process of OOAnalyzer please?
@stacksmashing 4 years ago
You will need the JDK and gradle to build it
@notyoursurya 4 years ago
Thank you @'Ghidra Ninja'. I do have both. Can you post a blog with a complete guide to build OOAnalyzer and import it into Ghidra, if you don't mind? Btw I am one of the huge fans of your work. Thanks for replying ❤
@elodiahax1764 4 years ago
Holy cats, I will need a lifetime to learn assembly. You will be my best friend if you teach me how to find game functions with IDA 😘💓
@xxMrPHDxx 4 years ago
What's in the deep web [dot]onion links from part 1?
@stacksmashing 4 years ago
Will be part of future videos :)
@xxMrPHDxx 4 years ago
@stacksmashing Ahhh great!
@saeedmahmoodi7211 4 years ago
I hope you will never be interested in writing a virus. Thanks a lot, keep going, I enjoy your videos more than Netflix