Category Archives: Tech/Nerd Blog

This is to share IT/Security crap with people..

If you’ve found yourself or others infected by the BTCware ransomware, the public decryption key was recently made public. You’re welcome.

WannaKEY, a decryptor for WANNACRY

HERE is the new tool to help you decrypt your files. If you’ve been hit by the new WannaCRY ransomware… I, personally, have not had the chance to test it as of yet. See below for further information..

From the GIThub page:

WARNING

This software has only been tested and known to work under Windows XP, 7 x86, 2003, Vista and Windows Server 2008 (tests by @msuiche).

Please also note that you need some luck for this to work (see below), and so it might not work in every case!

v0.2

• The generated private RSA key had invalid computed fields, which made the key not importable with CryptImportKey under Windows XP (fixed). wanafork and/or wanadecrypt can now be used directly from XP.
• Updated the binary with this fix and a static build (no need for the MSVC runtime anymore)

v0.1

• Original version

Introduction

This software allows to recover the prime numbers of the RSA private key that are used by Wanacry.

It does so by searching for them in the wcry.exe process. This is the process that generates the RSA private key. The main issue is that the CryptDestroyKey and CryptReleaseContext does not erase the prime numbers from memory before freeing the associated memory.

This is not really a mistake from the ransomware authors, as they properly use the Windows Crypto API. Indeed, for what I’ve tested, under Windows 10, CryptReleaseContext does cleanup the memory (and so this recovery technique won’t work). It can work under Windows XP because, in this version, CryptReleaseContext does not do the cleanup. Moreover, MSDN states this, for this function : “After this function is called, the released CSP handle is no longer valid. This function does not destroy key containers or key pairs.”. So, it seems that there are no clean and cross-platform ways under Windows to clean this memory.

If you are lucky (that is the associated memory hasn’t been reallocated and erased), these prime numbers might still be in memory.

That’s what this software tries to achieve.

Usage

You can use the binary in the bin/ folder. You first need to find the PID of the wcry.exe process using the Task Manager, and locate the 00000000.pky file.

Once you’ve got this, launch using cmd.exe:

> search_primes.exe PID path\to\00000000.pky


If a valid prime is found in memory, the priv.key file will be generated in the current directory.

You can then use https://github.com/odzhan/wanafork/ or https://github.com/gentilkiwi/wanadecrypt to decrypt your files! (working on XP!)

Compile from source

You can use Visual Studio 2015 express to compile the associated project. Be sure to select the compatible Windows XP toolchain in the project properties!

Credits

• @wiskitki who spotted the CryptReleaseContext issue with Windows 10 (which actually wipe the primes in memory).
• @hackerfantastic for releasing the sample I used
• Miasm (https://github.com/cea-sec/miasm) for its help extracting the DLL and reversing the whole thing
• Wine sources for the Windows RSA private key format.

NMAP script to check for WANNACRY vulnerability

As we all know, WANNACRY has been detrimental to the industry as a whole. If you use SMB in your environment, you may want to use this nifty NMAP script to scan your environment to assess your vulnerabilities.. Be safe, folks.

How-to use BINSNITCH, post-infection

HERE we have a how-to on using BINSNITCH. It runs on Python and can detect what files on your systems have been touched by malware. I have yet to use it, but would imagine it to be quite helpful.

Semi-Classified EPICHERO exploit

HERE you can read a write-up on the NSA developed EPICHERO hack. This deals with AVAYA call server platform, a well-known and highly utilized VOIP server across the world. This is going to get pretty messy.

(Ab)Using Facebook Accessibility for Open Source Intelligence

Here is a good write-up on something most end-users don’t think of. Facebook’s AI/Face recognition software working behind the scene on all of your photos.. Have a Look.

Testing

This is a static test page for posts.