WannaCry Analysis

Preet kamal
5 min readDec 5, 2019



Wannacry - A ransomware cryptoworm which affected more than 200,000 computers across 150 countries by encrypting data and demanding ransom payments in Bitcoin cryptocurrency. It spreads through network by exploiting a vulnerability in SMB(Server Message Block) protocol, MS17–010.

Before analyzing this malware make sure you do these steps-

  • Use virtual machine for your analysis.
  • Don’t forget to take snapshot of your VM so that if something goes wrong, its state could be retrieved.



File Info-PE32 executable (GUI) Intel 80386, for MS Windows



Initially, the malware tries to connect to a domain, i.e http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com If the connection is successful, the malware exits, but now this domain has been sinkholed by security researchers to act as a kill switch and to minimize the infection and spreading of it.


If the connection is not successful, it creates a service “Microsoft Security Center (2.0) Service” as “mssecsvc2.0

Md5 Hash-db349b97c37d22f5ea1d1841e3c89eb4

Service Creation.

Analyzing the malware with PeStudio shows the resource section named ‘R’ is executable which means the resource section may contain another file.

  • EXTRACTING files from ‘R’

Usage of FindResourceA, LoadResource, LockResource and SizeofResource implies loading the resource section and accessing the data inside it.

Resource Section-”R”

The malware writes data to tasksche.exe form its resource section named “R” and then copy it to C:\Windows\tasksche.exe and use MoveFileExA to copy it as C:\Windows\qeriuwjhrf.

  • R
Resources Section of Tasksche.e

Its Resource section also looks suspicious as it contains a file “XIA” with PK signature which implies it is a zip file that the malware extracts using the password “WNcry@2ol7”.


The files that are dropped from XIA resource section are -

  • msg folder

This folder contains ransom note in different languages.

  • b.wnry

Md5 Hash-c17170262312f3be7027bc2ca825bf0c

A bitmap file that displays a message as shown above.

  • c.wnry


It contains tor browser configuration and .onion domains listed below mainly for bitcoin transactions.






and uses https://dist.torproject.org/torbrowser/6.5.1/tor-win32- to download tor browser.

These are the bitcoin wallets that the attacker wants to receive the ransom.




One of the wallet is shown in the screenshot.

  • r.wnry


This file conatins instructions to be displayed to the user.

  • s.wnry

Md5 Hash-ad4c9de7c8c40813f200ba1c2fa33083

It also contains a zip file (PK signature) which has a tor executable in it.

  • t.wnry

Md5 Hash-5dcaac857e695a65f5c3ef1441a73a8f

It is a file with a wannacry signature and works as an encryption tool.

  • u.wnry

Md5 Hash-7bf2b57f2a205768755c07f238fb32cc

It is the decryption tool.

  • taskdl.exe

Md5 Hash-4fef5e34143e646dbf9907c4374276f5

It is executed every 30 seconds and is a support tool for removing temporary files.

  • taskse.exe

Launches the decryption tool.

The malware changes the attributes of the files after dropping them.

  • Uses “attrib +h” to hide the current working directory
  • attrib -allows an MS-DOS and Windows command line user to change the attribute of a file.
  • Uses “icacls . /grant Everyone: F /T /C /Q” to grants full access to files and folders.
  • icacls -allows changing access control lists for files and folders.

It encrypts the files with following extension.

Each time a file is encrypted, its extension changes to .WNRY


It uses the Microsoft Enhanced RSA and AES Cryptographic Provider libraries to perform the encryption.

  • AES is used to encrypt the files with a symmetric AES-key and encrypted files are stored on the system with extension .WNCRY.
  • For each client a new pair of public and private key pair (RSA) is generated.
  • AES-key(client) is encrypted with newly generated RSA public key(client) which can be only be decrypted by client’s private key.
  • But client’s private is encrypted with server’s public key (Command and control server).
  • Client’s private key can only be decrypted by server’s private key or the master key(that the attacker holds) and in order to get server’s private key, pay the ransom.

When the AES-key is encrypted with the RSA public key, encrypted file’s path is written to f.wnry


00000000.pky- Client’s Public key.


00000000.eky- Client’s Private key encrypted with server’s(attacker’s) or embedded public key.


For decryption, user needs the master key(server’s private key) which can be obtained by paying a ransom which get doubled if the first timer expires .


Ida Pro, x64dbg, PEStudio, Resource Hacker, Win Hex, Windows Network Monitor, Process Monitor.