WannaCry Analysis


Before analyzing this malware, make sure you do the following:

  • Use a virtual machine for your analysis, isolated from your network.
  • Don't forget to take a snapshot of your VM so that if something goes wrong, its state can be restored.


Service Creation

Extracting files from resource "R"

Resource section of tasksche.exe contains:
  • msg folder
  • b.wnry
  • c.wnry
  • r.wnry
  • s.wnry
  • t.wnry
  • u.wnry
  • taskdl.exe
  • taskse.exe
  • Uses "attrib +h" to hide the current working directory (the folder the files above were extracted into).
  • attrib: an MS-DOS and Windows command-line tool that changes the attributes of a file or directory; +h sets the hidden attribute.
  • Uses "icacls . /grant Everyone:F /T /C /Q" to grant Everyone full access to the files and folders under the current directory.
  • icacls: changes the access control lists of files and folders; /T applies the change recursively, /C continues on errors and /Q suppresses success messages.
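The two commands above are also a cheap detection opportunity: attrib and icacls are legitimate tools, but "hide the current directory" followed by "give Everyone full control, recursively" from the same parent process is how the dropper prepares its staging folder. As an added example (not code from the original post), here is a Go program that parses a few constructed process-creation records and flags exactly those two command lines. The Key=Value|Key=Value event format, the paths and the parent process names are constructed for the example, not real telemetry.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one process-creation event that matched a rule.
type Finding struct {
	Line   int
	Rule   string
	Parent string // the process that spawned attrib/icacls; the dropper's own folder is the tell
}

var (
	// attrib +h aimed at the current directory ("." or no target): hides the staging folder.
	// attrib +h on a named file is common admin/user activity and is deliberately not matched.
	attribHideCwd = regexp.MustCompile(`(?i)(^|\\)attrib(\.exe)?"?\s+\+h(\s+\.)?\s*$`)
	// icacls granting Everyone full control; the recursive flag (/T) is checked separately below.
	icaclsEveryone = regexp.MustCompile(`(?i)(^|\\)icacls(\.exe)?"?\s+\S+\s+/grant\s+everyone:\s*f\b`)
)

// parseFields splits a constructed "Key=Value|Key=Value" event line into a map.
func parseFields(line string) map[string]string {
	f := map[string]string{}
	for _, kv := range strings.Split(line, "|") {
		if i := strings.Index(kv, "="); i > 0 {
			f[kv[:i]] = kv[i+1:]
		}
	}
	return f
}

// Scan applies both rules to every line and returns the matches in input order.
func Scan(lines []string) []Finding {
	var out []Finding
	for n, line := range lines {
		f := parseFields(line)
		cmd := f["CommandLine"]
		switch {
		case attribHideCwd.MatchString(cmd):
			out = append(out, Finding{n + 1, "attrib +h on current directory", f["ParentImage"]})
		case icaclsEveryone.MatchString(cmd) && strings.Contains(strings.ToUpper(cmd), " /T"):
			out = append(out, Finding{n + 1, "icacls Everyone:F recursive", f["ParentImage"]})
		}
	}
	return out
}

// SampleEvents are constructed process-creation records (not real telemetry): two that
// mirror the commands described above and two benign look-alikes that must not match.
var SampleEvents = []string{
	`Event=ProcessCreate|Image=C:\Windows\System32\attrib.exe|CommandLine=attrib +h .|ParentImage=C:\ProgramData\lab\sample.exe`,
	`Event=ProcessCreate|Image=C:\Windows\System32\icacls.exe|CommandLine=icacls . /grant Everyone:F /T /C /Q|ParentImage=C:\ProgramData\lab\sample.exe`,
	`Event=ProcessCreate|Image=C:\Windows\System32\attrib.exe|CommandLine=attrib +h C:\Users\lab\secret.txt|ParentImage=C:\Windows\System32\cmd.exe`,
	`Event=ProcessCreate|Image=C:\Windows\System32\icacls.exe|CommandLine=icacls C:\share /grant Alice:R|ParentImage=C:\Windows\explorer.exe`,
}

func main() {
	for _, f := range Scan(SampleEvents) {
		fmt.Printf("line %d: %s (parent %s)\n", f.Line, f.Rule, f.Parent)
	}
}
```

On the sample set only the first two records fire, both with the same parent image; correlating the two rules on a shared parent within a short window is what turns two noisy single-command hits into a usable alert.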


  • The files are encrypted with a symmetric AES key, and each encrypted file is written back with the extension .WNCRY.
  • For each client (infected host) a new RSA public/private key pair is generated.
  • The client's AES key is encrypted with the newly generated client RSA public key, so it can only be decrypted with the client's private key.
  • But the client's private key is itself encrypted with the server's (command and control) public key.
  • The client's private key can therefore only be decrypted with the server's private key, the master key the attacker holds; to obtain that decryption the victim is told to pay the ransom.
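The key hierarchy in these five points is a hybrid scheme with one extra layer of escrow, and it is the reason a decryptor cannot be built from what is left on the disk. As an added example written for this page (not code from the original post and not the malware's own code), the Go program below runs the whole cycle: a per-client RSA pair, every file under its own AES key wrapped with the client public key, the client private key escrowed to the attacker's public key, and the "pay the ransom" step in which only the attacker's private key releases it. Two assumptions are labelled in the code: RSA-OAEP and AES-256-GCM stand in for the CryptoAPI RSA and AES the sample uses, and the private key is escrowed by key wrapping (a fresh AES key under the attacker's RSA public key) because a whole RSA private key does not fit in a single RSA block. The names Envelope, Victim, Infect and ReleaseClientKey are the example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Envelope: data under a fresh AES-256-GCM key, that key wrapped with RSA-OAEP for one recipient.
// Assumption: the real sample uses CryptoAPI RSA and AES-CBC; OAEP+GCM is the modern equivalent.
type Envelope struct{ WrappedKey, Nonce, Ciphertext []byte }

func seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	buf := make([]byte, 32+12) // AES-256 key followed by a 96-bit GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf[:32], nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(buf[:32]) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)      // nor for an AES block
	return &Envelope{wrapped, buf[32:], gcm.Seal(nil, buf[32:], plaintext, nil)}, nil
}

func unseal(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("RSA unwrap failed (wrong private key?): %w", err)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// newKey generates a 2048-bit RSA key; this only fails if the system RNG does.
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Victim is what is left on an infected host: client public key, escrowed client private key, .WNCRY files.
type Victim struct {
	ClientPub  *rsa.PublicKey
	SealedPriv *Envelope
	Files      map[string]*Envelope
}

// Infect models the client side of the scheme described above.
func Infect(attackerPub *rsa.PublicKey, files map[string][]byte) (*Victim, error) {
	clientPriv := newKey()
	sealedPriv, err := seal(attackerPub, x509.MarshalPKCS1PrivateKey(clientPriv))
	if err != nil {
		return nil, err
	}
	v := &Victim{&clientPriv.PublicKey, sealedPriv, map[string]*Envelope{}}
	for name, data := range files {
		if v.Files[name+".WNCRY"], err = seal(v.ClientPub, data); err != nil {
			return nil, err
		}
	}
	return v, nil // clientPriv is not kept: only the escrowed copy survives
}

// ReleaseClientKey is the "pay the ransom" step: only the attacker's private key can unwrap it.
func ReleaseClientKey(attackerPriv *rsa.PrivateKey, v *Victim) (*rsa.PrivateKey, error) {
	der, err := unseal(attackerPriv, v.SealedPriv)
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// Demo infects one constructed sample file, releases the client key with the attacker's key, decrypts.
func Demo() ([]byte, error) {
	attackerPriv := newKey()
	v, err := Infect(&attackerPriv.PublicKey, map[string][]byte{"report.docx": []byte("constructed sample document")})
	if err != nil {
		return nil, err
	}
	clientPriv, err := ReleaseClientKey(attackerPriv, v)
	if err != nil {
		return nil, err
	}
	return unseal(clientPriv, v.Files["report.docx.WNCRY"])
}

func main() { fmt.Println(Demo()) }
```

Everything a victim machine holds (ClientPub, SealedPriv, the .WNCRY envelopes) is useless without the attacker's private key: unseal on a file with any key other than the client private key fails at the RSA unwrap, and the client private key exists only inside SealedPriv. That is also why recovery efforts focus on finding the plaintext client key or its primes still resident in memory rather than on the ciphertext itself.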





Preet kamal, Security Analyst @IBM https://www.linkedin.com/in/preet-kamal-b61385132/
