5

I was reading an article today about a Google researcher linking the WannaCry malware to the earlier malware Cantopee.

I had two primary questions based on the contents of the article.

  1. What do the numbers/addresses represent in this image?

    Screenshot of tweet.

  2. Can someone explain to me what is going on here? Which tools are they using, and how would I do this myself?

    Screenshot of programs displaying assembly code.

Anders
  • 64,406
  • 24
  • 178
  • 215
mdo123
  • 153
  • 3
  • The first screenshot looks very bad; I suggest removing it from the question to get a better start on the site. – peterh May 17 '17 at 04:17

1 Answer

8

Check out reverseengineering.SE for all your RE questions.

The name of the tool being used is Hiew.

From WannaCry — Links to Lazarus Group:

software crypto hashes

Some code in WannaCry (9c7c7149387a1c79679a87dd1ba755bc) beginning at address 0x402560 is the same as some code in Contopee (ac21c8ad899727137c4b94458d7aa8d8) beginning at address 0x10004ba0. Same story for the next pair of addresses. In essence, both pieces of software share code.

This is what is depicted in picture 2 in the question; it is just a little hard to see. A bigger picture can be found in Dan Goodin's article Virulent WCry ransomware worm may have North Korea’s fingerprints on it (click to enlarge):

Arstechnica Hiew disassembly

julian
  • 1,269
  • 1
  • 8
  • 15
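The answer above describes what the tweet encodes: a hash identifies each sample (the 32-hex-character values are MD5 digests) and an address says where in that sample the shared code begins. The following Python script, added here as an illustration and not part of the original answer or of any published analysis, shows the general technique behind such a comparison: hash two binaries, find the longest byte sequence they have in common, and report its start address in each. The two "binaries" are constructed byte strings, not real WannaCry or Contopee samples, and the image bases 0x400000 and 0x10000000 are assumed for the illustration; the script treats each sample as a flat image, so a real PE would additionally need the section table to map file offsets to virtual addresses.

```python
"""Find a byte sequence shared by two binaries and report where it starts in each.

Added example (not from the original answer). Demonstrates the idea behind
"hash + address" pairs: the MD5 names the sample, the address locates the
shared code inside it. All inputs below are constructed, not real malware.
"""
import hashlib

# Constructed "shared code" fragment: 17 bytes resembling a small x86 function.
SHARED = bytes.fromhex("5589e583ec208b45088b4d0c01c85e5dc3")

# Constructed samples: different padding, the same fragment at different offsets.
SAMPLE_A = b"\x90" * 0x40 + SHARED + b"\xcc" * 0x20
SAMPLE_B = b"\x00" * 0x100 + SHARED + b"\xc3" * 0x10


def md5_hex(data: bytes) -> str:
    """MD5 of the whole file, the way the tweet identifies each sample."""
    return hashlib.md5(data).hexdigest()


def longest_shared_run(a: bytes, b: bytes, min_len: int = 16):
    """Longest common byte substring of a and b via a rolling DP row.

    Returns (offset_in_a, offset_in_b, length), or None when the longest
    run is shorter than min_len (short coincidental matches are noise).
    """
    best_len, best_end_a, best_end_b = 0, 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end_a, best_end_b = cur[j], i, j
        prev = cur
    if best_len < min_len:
        return None
    return (best_end_a - best_len, best_end_b - best_len, best_len)


def report(a: bytes, b: bytes, base_a: int = 0x400000, base_b: int = 0x10000000):
    """Express the shared run as the tweet does: (md5, virtual address) per sample.

    base_a / base_b are assumed image bases; each sample is treated as a flat
    image, so virtual address = base + file offset (a simplification).
    """
    hit = longest_shared_run(a, b)
    if hit is None:
        return None
    off_a, off_b, length = hit
    return {
        "a": (md5_hex(a), base_a + off_a),
        "b": (md5_hex(b), base_b + off_b),
        "length": length,
    }


if __name__ == "__main__":
    result = report(SAMPLE_A, SAMPLE_B)
    if result is None:
        print("no shared code of at least 16 bytes")
    else:
        print("sample A %s @ 0x%x" % result["a"])
        print("sample B %s @ 0x%x" % result["b"])
        print("shared bytes:", result["length"])
```

The quadratic search is fine for the small constructed inputs and makes the idea visible; on real executables an analyst would instead compare at the function level (as the Hiew screenshots do) or use fixed-size windows and hashing to keep the work linear.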