Faisal-x00/wannacry-static-malware-analysis

GitHub: Faisal-x00/wannacry-static-malware-analysis

Stars: 0 | Forks: 0

# Static Malware Analysis: WannaCry Initial Assessment

## Project Overview

This project documents a basic static malware analysis of a WannaCry ransomware sample using PEStudio and command-line string searching. The goal of this project was to practice beginner-level malware analysis techniques in a safe, isolated lab environment.

The analysis focused on identifying file metadata, suspicious imports, embedded resources, strings, and indicators of compromise without executing the malware.

This project is for educational and cybersecurity learning purposes only.

## Analysis Scope

This was a static analysis only. The malware sample was not executed.

The analysis focused on:

- File identification
- SHA-256 hash collection
- PE header and file metadata review
- Suspicious import analysis
- Resource section inspection
- String extraction
- IOC identification
- Initial behavior assessment

## Lab Environment

The analysis was performed in an isolated Windows virtual machine.

### Environment Details

- Operating System: Windows 10 VM
- Analysis Tool: PEStudio
- Additional Tool: Windows Command Prompt
- Analysis Type: Static analysis
- Network Exposure: Not required for analysis
- Malware Execution: Not performed

## Tools Used

- PEStudio
- Windows Command Prompt
- `findstr`
- Isolated Windows virtual machine

## File Identification

The sample was identified as a Windows Portable Executable file.

### Observed File Details

- File type: Windows executable
- Architecture: 32-bit
- Subsystem: GUI
- File description: Microsoft Disk Defragmenter
- Original file name: `lhdfrgui.exe`
- SHA-256: `24D004A104D4D54034DBCFFC2A4B19A11F39008A575AA614EA04703480B1022C`

### Evidence

![PEStudio File Overview](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/8e90cb43fb061341.png)

The PEStudio file overview shows the file hash, executable type, architecture, file size, entropy, subsystem, and version information.
## Suspicious Imports Analysis

The imports section showed several Windows API functions that may indicate suspicious behavior.

### Notable Imported Functions

| Category | Observed Imports | Possible Relevance |
|---|---|---|
| Service control | `OpenSCManagerA`, `CreateServiceA`, `StartServiceA`, `ChangeServiceConfig2A`, `RegisterServiceCtrlHandlerA` | May indicate service creation or persistence behavior |
| Cryptography | `CryptGenRandom`, `CryptAcquireContextA` | May indicate encryption or cryptographic operations |
| Networking | `send`, `recv`, `closesocket`, `ioctlsocket`, `WSAStartup` | May indicate network communication |
| System execution | `CreateProcessA`, `GetModuleHandleA`, `GetStartupInfoA` | May indicate process creation or execution behavior |

### Evidence

![Suspicious Imports](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/f7a9bd366a061341.png)

The imports section shows service-control, cryptographic, and networking-related functions. These imports are consistent with behavior commonly seen in malware, such as persistence, encryption-related activity, and network communication.

## Resource Section Analysis

The resource section contained executable-like data, which may indicate embedded components or additional payload-related content.

### Evidence

![Resources Section](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/f381f17828061342.png)

## String Analysis

A string search was performed using Command Prompt to identify suspicious URLs and readable indicators inside the binary.

The following suspicious URL was found:

`http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com`

This domain is strongly associated with WannaCry analysis and is commonly known as the WannaCry kill-switch-style domain.
Additional notable strings included:

- `tasksche.exe`
- `Microsoft Enhanced Cryptographic Provider`
- `Microsoft Security Center`
- `CreateProcessA`

### Evidence

![Kill-Switch URL Strings](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/3f371a01c7061343.png)

The string search revealed the suspicious WannaCry-related URL and other strings related to cryptographic providers, service behavior, and process execution.

## Indicators of Compromise

| Type | Value |
|---|---|
| SHA-256 | `24D004A104D4D54034DBCFFC2A4B19A11F39008A575AA614EA04703480B1022C` |
| URL / Domain | `http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com` |
| File name observed | `lhdfrgui.exe` |
| Suspicious executable name | `tasksche.exe` |
| File type | Windows 32-bit executable |

## Initial Behavior Assessment

Based on the static indicators observed, the sample shows characteristics consistent with ransomware-style malware behavior.

### Key Observations

- The file is a Windows 32-bit executable.
- The version information attempts to appear as a Microsoft Disk Defragmenter component.
- The imports include service-control functions, which may suggest persistence or service installation behavior.
- The imports include cryptographic functions, which may suggest encryption-related behavior.
- The imports include networking functions, which may suggest external communication.
- The strings include a WannaCry-associated kill-switch-style URL.
- The resource section contains executable-like content.

## Analyst Notes

The sample was not executed. Therefore, the findings are based only on static analysis.

Static analysis can identify suspicious indicators and possible behavior, but it does not fully confirm runtime behavior. A complete malware analysis would require additional controlled dynamic analysis, such as monitoring process activity, file system changes, registry changes, network traffic, and runtime behavior inside a properly isolated malware analysis lab.
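The triage steps documented above (hashing, reading architecture and subsystem from the PE header, pulling printable strings, and matching them against the suspicious-import categories and URL indicators) can be scripted so the same first pass is repeatable on other samples. The following is an added example, not code from this repository; it uses only the Python standard library and runs on a constructed stand-in built in `build_sample()`, not on the real sample. The API categories and the kill-switch-style domain are taken from this page; everything else (function names, the fake PE layout) is an assumption for illustration.

```python
import hashlib
import re
import struct

SUSPICIOUS_APIS = {  # categories from the suspicious-imports table above
    "Service control": {"OpenSCManagerA", "CreateServiceA", "StartServiceA",
                        "ChangeServiceConfig2A", "RegisterServiceCtrlHandlerA"},
    "Cryptography": {"CryptGenRandom", "CryptAcquireContextA"},
    "Networking": {"send", "recv", "closesocket", "ioctlsocket", "WSAStartup"},
    "System execution": {"CreateProcessA", "GetModuleHandleA", "GetStartupInfoA"},
}

def build_sample() -> bytes:
    # Constructed stand-in (not malware): minimal MZ/PE headers plus embedded strings.
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew: PE header at 64
    # "PE\0\0" + IMAGE_FILE_HEADER: Machine 0x14C (i386), SizeOfOptionalHeader 224
    coff = struct.pack("<IHHIIIHH", 0x4550, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<H", opt, 68, 2)                  # Subsystem 2 = GUI
    tail = b"\x00".join([b"lhdfrgui.exe", b"tasksche.exe", b"CryptGenRandom", b"send",
        b"http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com", b"OpenSCManagerA", b""])
    return bytes(dos) + coff + bytes(opt) + tail

def pe_header_info(data: bytes) -> dict:
    # Read bitness and subsystem straight from the headers, as PEStudio reports them.
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 24                                # skip signature + COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    sub_off = opt_off + (68 if magic == 0x10B else 92)   # PE32 vs PE32+ layout
    sub = struct.unpack_from("<H", data, sub_off)[0]
    return {"arch": "32-bit" if magic == 0x10B else "64-bit",
            "subsystem": {1: "Native", 2: "GUI", 3: "CUI"}.get(sub, str(sub))}

def extract_strings(data: bytes, min_len: int = 4) -> list:
    # Printable ASCII runs: the same raw material findstr was searching.
    return [s.decode() for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data: bytes) -> dict:
    # Static first pass: hash, header facts, URLs and suspicious APIs by category.
    strings = extract_strings(data)
    hits = {c: sorted(set(strings) & n) for c, n in SUSPICIOUS_APIS.items()}
    return {"sha256": hashlib.sha256(data).hexdigest().upper(), **pe_header_info(data),
            "urls": [s for s in strings if s.startswith(("http://", "https://"))],
            "suspicious_apis": {c: v for c, v in hits.items() if v}}
```

Matching import names in the string table is a cheap approximation of PEStudio's import view; a real triage script would walk the import directory, but the category hits and URL list are enough to populate an IOC table like the one above.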
## Safety Notice

This repository does not contain malware samples or executable files. Only screenshots and analysis notes are included. Malware samples should never be uploaded to public repositories.

## Lessons Learned

Through this project, I practiced:

- Using PEStudio for initial malware triage
- Collecting file metadata and hashes
- Reviewing PE imports for suspicious API functions
- Identifying suspicious strings and URLs
- Recognizing service-control, cryptographic, and networking-related indicators
- Creating a basic IOC table
- Documenting static malware analysis findings safely

## Conclusion

This project provided hands-on practice with beginner-level static malware analysis. PEStudio and command-line string searching were used to identify suspicious imports, metadata, embedded resources, and WannaCry-related indicators.

The analysis showed multiple suspicious characteristics, including cryptographic imports, service-control imports, networking functions, and a WannaCry-associated kill-switch-style URL. While the sample was not executed, the static findings provide a useful initial assessment for malware triage and cybersecurity learning.