Monday, February 16, 2026

WannaCry — Campaign Intelligence, Reverse Engineering, and Detection

During 2017, WannaCry became a national headline in the United Kingdom and many other nations, hitting companies such as FedEx, Honda, and Nissan, as well as the National Health Service (NHS) in the United Kingdom [1]. This article centres on that ransomware and cryptoworm, which used the ETERNALBLUE exploit and the DOUBLEPULSAR backdoor to propagate across unpatched Microsoft Windows systems.

The post is broken down into the following areas:
  • Threat Intelligence - A Diamond Model mapping, a campaign timeline, and an impact assessment of WannaCry
  • Basic Static Analysis - Conducting fingerprinting of the application and the subsequent mapping of the binary to MITRE ATT&CK and the Malware Behaviour Catalogue
  • Basic Dynamic Analysis - Initial detonation with and without networking
  • Advanced Static Analysis - A reverse engineering of the binary
  • Advanced Dynamic Analysis - A further dynamic test reviewing new findings based on the work of the Advanced Static Analysis section
  • Indicators of Compromise - A comprehensive list of Indicators-of-Compromise
  • Malware Behaviour Catalogue - Categorising the WannaCry malware against the MBC catalogue
  • Classification - The classification of the malware based on the Computer Antivirus Research Organization (CARO) malware naming scheme
  • Defender Recommendations - Recommendations for a proactive and reactive approach to WannaCry, with example YARA rules
  • Conclusion - A wrap up of the findings
  • References - A collection of URL references and their usage in the work

Threat Intelligence

The following breaks down the threat profile of WannaCry: first a Diamond Model mapping, then a campaign timeline covering the pre-attack, attack, aftermath, financial, and attribution/legal components of the campaign, closing with an impact assessment.

Diamond Model

The table below provides a breakdown of each core component of WannaCry.

Category | Data Point(s)
Adversary | The United States of America and the United Kingdom attribute these attacks to North Korea and the Lazarus Group [2] [3]
Infrastructure | Killswitch domain: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. Tor C2 domains: gx7ekbenv2riucmf[.]onion, 57g7spgrzlojinas[.]onion, xxlvbrloxvriy2c5[.]onion, 76jdd2ir2embyv47[.]onion, cwwnhwhlz52maqm7[.]onion
Victim | The victim list is broad; for the United Kingdom, Manufacturing, Government, Healthcare, and Logistics were the most prevalent sectors
Capability | ETERNALBLUE [4] and DOUBLEPULSAR [5], along with the ransomware payload, were the core capabilities in the attack

These relationships can be illustrated within the Diamond Model as follows:

Figure 1: Diamond Model

Campaign Timeline

The following timeline provides a high-level view of the WannaCry campaign from the initial vulnerability disclosure through to the withdrawal of cryptocurrency from the three identified Bitcoin wallets. All times are presented in UTC where available.

Researcher's Note: There is a discrepancy across sources regarding the exact time of the first infection on 12 May 2017. Some sources cite 07:24 UTC (converted from 3:24 AM EDT), whilst others reference 07:44 UTC based on Asian telemetry. Both are included below.


Pre-Attack


Date Event
2016-08-13 The Shadow Brokers emerge publicly, announcing stolen NSA Equation Group tooling via Twitter and GitHub [6].
2017-02 (approx.) An early variant of WannaCry (version 1.0) appears in a limited number of targeted attacks. This version does not use ETERNALBLUE, instead relying on compromised credentials to propagate through networks [7].
2017-03-14 Microsoft releases security bulletin MS17-010, patching the SMBv1 vulnerability across all supported Windows versions from Vista through Server 2016 [8].
2017-04-14 The Shadow Brokers release the Lost in Translation dump, containing ETERNALBLUE, DOUBLEPULSAR, and several other NSA exploits [9].
2017-04-21 to 2017-04-25 Thousands of systems are already compromised with DOUBLEPULSAR, growing to hundreds of thousands by 25 April [10] [11].
2017-05-05 The Spanish CERTSI (Computer Emergency Response Team for Security and Industry) publishes an early warning bulletin citing WannaCry ransomware attacks [12].
2017-05-05 Reports of the attack begin circulating on Twitter, specifically naming Spanish companies [12].


Attack Day - 12 May 2017


Time (UTC) Event
~07:24 First WannaCry 2.0 infections recorded in Europe (reported as 3:24 AM EDT by multiple sources). [10]
~07:44 Evidence of initial infection in Asia. The worm begins propagating via ETERNALBLUE over SMBv1 port 445, scanning both local network ranges and random public IP addresses [10].
~11:00 Reports begin circulating on Twitter. The first named organisations are Spanish companies, including Telefónica, Vodafone, and Banco Bilbao Vizcaya Argentaria [12].
15:03 Marcus Hutchins (MalwareTech) registers the killswitch domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com, halting propagation for samples that successfully resolve the domain before executing [13] [14].
16:00 NHS England declares the cyber attack a major incident [15].


Immediate Aftermath - 13 to 22 May 2017


Date Event
2017-05-13 Microsoft releases emergency out-of-band patches for unsupported operating systems, including Windows XP, Windows 8, and Server 2003 [10]. The three hardcoded Bitcoin wallet addresses are publicly identified:
  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
2017-05-14 WannaCry variants without the killswitch begin appearing. US-CERT publishes Alert TA17-132A with indicators and YARA rules [16].
2017-05-15 The attack count exceeds 200,000 systems across 150+ countries. The three wallets have received approximately 151 transactions totalling ~24.76 BTC (~$42,641 USD) [12].
2017-05-18 Payments slow significantly. 271 transactions totalling ~44.16 BTC (~$79,711 USD) across the three wallets, with fewer than 10 payments over $200 in 24 hours [17].
2017-05-19 Hackers try to DDoS the killswitch domain using a Mirai botnet variant and begin to work on a new version of WannaCry [8].
2017-05-22 Hutchins improves the DDoS resilience of the killswitch domain. Independently, researchers from University College London and Boston University publish a method to recover WannaCry encryption keys, later automated as the WannaKey tool [8].


Financial - Wallet Activity & Withdrawal

By 14 June 2017, a total of 327 payments had accumulated across the three wallets, totalling approximately 51.63 BTC (~$130,635 USD at the time). The wallets then sat dormant for roughly 10 weeks.

Date / Time (UTC) Event
2017-08-03, ~03:06 The first outgoing transaction is recorded on the blockchain, moving 8.73 BTC from the WannaCry wallets. Between 03:00 and 03:30 UTC, all three wallets are emptied through six transactions completed within approximately 15 minutes. [18]
2017-08-03, 07:08 The first transaction hits Changelly, a cryptocurrency exchange with no email registration requirement. This is a 0.1 BTC transaction, likely a test before the bulk conversions. [18]
2017-08-03, 07:44 to 09:53 Eight transactions move approximately 13.53 BTC through ShapeShift, converting BTC to Monero (XMR). Separately, approximately 38.33 BTC are routed through Changelly. The total conversion yields approximately 820.80 XMR via ShapeShift, plus an unknown quantity via Changelly. The use of Monero is significant as it is a privacy-focused cryptocurrency that hides both ends of a transaction and the amount transferred. [18] [19]
2017-08-03 (afternoon) ShapeShift confirms the WannaCry attackers used their service in breach of their terms, blacklists the associated addresses, and begins cooperating with law enforcement. Changelly confirms approximately 5.2 BTC moved through their exchange and begins cooperating with Europol. [20]
2017-08-17 The Monero holdings are consolidated in three transactions on ShapeShift [19].
2017-11-02 Approximately 536 XMR is exchanged to Bitcoin Cash (BCH) on ShapeShift across nine transactions, completing the chain-hopping laundering cycle: BTC → XMR → BCH. [19]

Of note, this chain-hopping approach is a recognised technique in cryptocurrency forensics: funds are converted through a privacy-focused cryptocurrency to break the transaction trail. The BTC to Monero conversion through ShapeShift and Changelly, followed by the later conversion from Monero to Bitcoin Cash, demonstrates a deliberate laundering workflow designed to complicate blockchain analysis for investigators.


Attribution & Legal


Date Event
2017-12-19 The United States and United Kingdom publicly attribute WannaCry to North Korea. White House Homeland Security Advisor Tom Bossert formally names North Korea in a Wall Street Journal op-ed [2] [3].
2018-09-06 The U.S. Department of Justice unseals a criminal complaint charging Park Jin Hyok, a North Korean programmer working for Chosun Expo Joint Venture (affiliated with Lab 110, a component of DPRK military intelligence). The complaint connects Park to the Lazarus Group and names him as a conspirator in WannaCry, the 2014 Sony Pictures attack, and the 2016 Bangladesh Bank SWIFT heist. The U.S. Treasury simultaneously sanctions Park and Chosun Expo [21].
2021-02-17 The DOJ expands the indictment, adding two further Lazarus Group members, Jon Chang Hyok and Kim Il, both members of the Reconnaissance General Bureau (RGB). The expanded indictment details additional financial crimes totalling over $1.3 billion in attempted theft across banks, cryptocurrency services, and extortion campaigns conducted from 2017 through 2020 [21].

Basic Static Analysis

The following section provides a basic analysis of the Ransomware.wannacry.exe.malware binary, focused on fingerprinting the binary's hashes, framework coverage, imports, strings, and virtual vs raw section sizes.

Fingerprinting & Framework Coverage

Using Mandiant's CAPA tool [22], we can profile the binary's capabilities to build the broad strokes of what it does.

Running the command capa Ransomware.wannacry.exe.malware provides the following:

The MD5, SHA1, and SHA256 hashes allow us, as the researcher, to identify whether there are any known samples in the wild; our typical first stop is VirusTotal. As the link below shows, we searched using the SHA256 identifier, which points directly to WannaCry.exe.

Additionally, we can confirm that the binary is a Windows PE binary for the x86 architecture. These details identify the binary's execution requirements for both stages of the dynamic testing, as well as for the Advanced Static Analysis component.

Researcher's Note: While many of the VirusTotal findings can be trusted, we should treat it as one component of the investigation and look to verify its findings independently.

In addition to its initial profiling, CAPA provides a thorough output of the coverage against the MITRE ATT&CK [23] and Malware Behaviour Catalogue (discussed towards the end of the post) [24].

MITRE ATT&CK

  • Defense Evasion
    • Obfuscated Files or Information::Indicator Removal from Tools [T1027.005] 
  • Discovery
    • File and Directory Discovery [T1083]
    • System Information Discovery [T1082]
    • System Network Configuration Discovery [T1016]
  • Execution
    • Shared Modules [T1129]
    • System Services::Service Execution [T1569.002] 
  • Persistence 
    • Create or Modify System Process: Windows Service [T1543.003]

Portable Executable and String Analysis

The next port of call after fingerprinting the binary is to look at its strings for leads on what it could be doing. While the traditional strings tool can be used, Mandiant's FLARE-FLOSS also recovers obfuscated and stack strings that strings alone would miss [25].

Using the command floss Ransomware.wannacry.exe.malware -n 10, the following strings of interest were found:

  • URL: www[dot]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[dot]com
  • Format strings: C:\%s\qeriuwjhrf and cmd.exe /c
  • Cryptography functions: CryptGenKey, CryptDecrypt/CryptEncrypt, CryptDestroy*, and CryptAcquireContextA
  • Persistence: tasksche.exe and icacls . /grant Everyone:F /T /C /Q

Of note, there are many other strings of interest, however, these are also covered by PEStudio, such as the imports table illustrated in Figure 2. 

Figure 2 illustrates the cryptographic functions imported by the malware. This strengthens the evidence of its cryptographic capabilities, whether for encrypting the system or for encrypted communication channels.

Figure 2: PEStudio Import of Cryptographic Controls

Basic Dynamic Analysis

The following section is broken into two parts, networking and no networking. This is to identify if there is any difference in the malware and any trigger points that could occur. 

Networking

Executing the binary without administrator privileges does not detonate it; the binary therefore requires administrator privileges to run.

When we execute the binary with administrator permissions, the malware reaches out to the INetSim instance running on REMnux. The packet capture highlighted in red in Figure 3 shows the URL used as the mechanism to prevent execution of the binary, in both the DNS capture and the HTTP capture.
 
Figure 3: Wireshark capture of WannaCry.exe

No Networking 

Removing network connectivity and re-executing the binary, the binary executes successfully and the relevant artifacts are generated.

Figure 4: Administrator detonation of WannaCry.exe

Advanced Static Analysis

Figure 4 illustrates the usage of the URL found in the strings section of the Basic Static Analysis. Reviewing the findings, we can see that the binary tries to reach out to the URL and, if successful, terminates the process. This is confirmed by the Basic Dynamic Analysis experiments, running the malware binary with and without the simulated network.

Figure 5: Ghidra Analysis highlighting the use of the URL in the binary

With the JNZ instruction highlighted in blue in Figure 6 identified, the binary can be patched to allow packets to be captured simply by changing the JNZ to a JZ.
 
Figure 6: WannaCry.exe patching with Ghidra
 
Re-detonating the malware, packets will begin to stream to our inetsim and Wireshark within the Remnux system.
 
With the killswitch check removed, the next part focuses on extracting the resources from each of the payloads. WannaCry is a two-payload infection: one payload creates the initial infection, persistence, and worm, which then loads the second stage for encryption.

Stage One 

The initial infection binary, mssec.exe (MD5 db349b97c37d22f5ea1d1841e3c89eb4), uses a service named Microsoft Security Center (2.0) Service as its persistence mechanism. This can be seen both in the decompiled code highlighted in Figure 7 and in the Dynamic Analysis Persistence capture in Figure 21.

Figure 7: mssec stage one persistence service
 
Additionally, stage one carries a Portable Executable within its resources, as illustrated in Figure 8. Simply extracting the R resource from mssec.exe, either with the built-in functionality of PEStudio or with wrestool, gives us the second stage binary to work with.

Figure 8: r.exe resource extraction via PEStudio

Stage Two 

Repeating the same process on the r.exe binary shows that it hosts an encrypted ZIP archive, referred to as XIA, within its resource section.
 
Figure 9: xia.zip resource extraction via PEStudio
 
Opening the ZIP with 7-Zip reveals the core components of the ransomware, see Figure 10.

Figure 10: XIA Encrypted Zip

To extract these for analysis, a password is required. To obtain it, either the stage two payload must be reverse engineered or the relevant function must be captured in a debugger such as x32dbg. I'll be showing both, with the debugger session informed by the findings from Ghidra.

Figure 11: Extract encrypted zip shown in Ghidra
 
Figure 12: WNcry@2o17 moved to EBX
 
While not strictly necessary in this instance, as we can simply test the string against the encrypted archive, stepping through the r.exe binary shows the EAX register being compared against the EDI register, which holds the WNcry@2o17 string, before each of the archive's contents is extracted.

Figure 13: String comparison in x32dbg
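As an added illustration of the carving step described above (example code, not from the original post or the WannaCry sample), the following Python script scans a carrier binary for embedded PE headers and ZIP local file headers and reports whether each ZIP entry carries the encryption flag, which is what forces the password recovery shown here. It runs on a constructed stand-in for the mssecsvc → r.exe → XIA layout, and all function names and the sample bytes are this example's own; a real resource walk with wrestool or PEStudio would use the resource directory rather than a signature scan.

```python
"""Carve embedded payloads from a carrier binary.

Mirrors the two-stage layout described above (stage one PE -> 'R' resource
PE -> encrypted 'XIA' ZIP), but the input below is a constructed stand-in,
not a real WannaCry sample. Stdlib only.
"""
import struct
import zlib

IMAGE_FILE_MACHINE_I386 = 0x14C
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x64"}


def find_embedded_pes(blob):
    """Return (offset, machine) for every 'MZ' header whose e_lfanew points at
    a valid 'PE\\0\\0' signature; a bare 'MZ' inside data fails that check."""
    found = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if (0 < e_lfanew < 0x1000 and blob[sig:sig + 4] == b"PE\0\0"
                    and sig + 24 <= len(blob)):
                machine = struct.unpack_from("<H", blob, sig + 4)[0]
                found.append((pos, machine))
        pos = blob.find(b"MZ", pos + 1)
    return found


def find_zip_entries(blob):
    """Return (offset, name, encrypted) for each ZIP local file header.
    Bit 0 of the general-purpose flag marks a password-protected entry."""
    entries = []
    pos = blob.find(b"PK\x03\x04")
    while pos != -1:
        if pos + 30 <= len(blob):
            flags = struct.unpack_from("<H", blob, pos + 6)[0]
            name_len = struct.unpack_from("<H", blob, pos + 26)[0]
            name = blob[pos + 30:pos + 30 + name_len].decode("latin-1")
            entries.append((pos, name, bool(flags & 0x1)))
        pos = blob.find(b"PK\x03\x04", pos + 1)
    return entries


def innermost_payload(blob):
    """Slice from the last embedded PE to end of file: the stage two candidate."""
    pes = find_embedded_pes(blob)
    return blob[pes[-1][0]:] if len(pes) > 1 else b""


# ---- constructed sample (NOT real malware bytes) ----------------------------
def _fake_pe(machine, payload=b""):
    """Minimal PE-shaped header: MZ stub, e_lfanew -> 'PE\\0\\0', COFF machine."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr += b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18
    return bytes(hdr) + payload


def _zip_entry(name, data, encrypted):
    """Local file header + stored data; flag bit 0 set models a protected entry."""
    flags = 0x1 if encrypted else 0x0
    header = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, flags, 0, 0, 0,
                         zlib.crc32(data), len(data), len(data), len(name), 0)
    return header + name.encode() + data


XIA = b"".join(_zip_entry(n, b"placeholder-" + n.encode(), True)
               for n in ("c.wnry", "s.wnry", "taskdl.exe"))
STAGE_TWO = _fake_pe(IMAGE_FILE_MACHINE_I386, b"\0" * 16 + XIA)      # r.exe stand-in
STAGE_ONE = _fake_pe(IMAGE_FILE_MACHINE_I386, b"\0" * 32 + STAGE_TWO)  # mssecsvc stand-in

if __name__ == "__main__":
    for off, machine in find_embedded_pes(STAGE_ONE):
        print(f"PE at 0x{off:x} machine={MACHINE_NAMES.get(machine, hex(machine))}")
    for off, name, enc in find_zip_entries(innermost_payload(STAGE_ONE)):
        print(f"zip entry {name!r} at 0x{off:x} encrypted={enc}")
```

Once the inner archive is carved to disk, it opens in 7-Zip with the recovered password exactly as the post shows.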

After the final extraction of the contents, identifying each file reveals the Command and Control (C2) mechanism along with the ransomware components.

Figure 14: File breakdown for XIA contents

The following list provides a description of the purpose of each file:
  • r.wnry - This is the ransomware message
  • s.wnry - This is a tor client
  • b.wnry - This is the bitmap image that is loaded once the contents have been encrypted
  • c.wnry - The data in this provides tor onion addresses
  • u.wnry - This is the decryption tool
  • t.wnry - This is the encryption tool
  • taskdl.exe - This is the WNCRYT file deletion tool
  • taskse.exe - This launches the decryption tool 

Dumping the contents of the c.wnry, the C2 Tor onion addresses are identified:

  • gx7ekbenv2riucmf[.]onion
  • 57g7spgrzlojinas[.]onion
  • xxlvbrloxvriy2c5[.]onion
  • 76jdd2ir2embyv47[.]onion
  • cwwnhwhlz52maqm7[.]onion

Lastly, the Bitcoin addresses can easily be identified via the strings utility within Ghidra: taking one Bitcoin address from the basic dynamic analysis tests and searching for it leads directly to the other two.

By searching for references to the Bitcoin address strings, we find the function that randomly selects which address to use during execution of the ransomware, as shown in Figure 15.

Figure 15: Bitcoin addresses and randomisation function

Going to the memory addresses 0040f488, 0040f464, and 0040f440, the full untruncated addresses are shown in Figure 16.
Figure 16: Bitcoin addresses at function locations

Advanced Dynamic Analysis

Leveraging the patched binary, we have a much larger remit of findings. Most notably, the malware begins to scan the network for other hosts and initiates SMB connections in order to deliver the ETERNALBLUE payload. In addition to its reconnaissance and lateral movement, the malware establishes persistence on the system and loads the second stage payload.

Network Reconnaissance

As illustrated in Figure 17, the initial reach out to the domain still occurs, but because the binary has been patched the killswitch branch no longer terminates execution; the binary then begins to look for other hosts on the network, as well as some hosts on the Internet.
 
Figure 17: TCP connections going to port 445
 
Within the host itself, we can see the connections being made within Procmon as illustrated in Figure 18.
 
Figure 18: Procmon of TCP connectivity
 
Finally, the service makes a connection on port 9050, which can be seen with Sysinternals as shown in Figure 19.

Figure 19: Sysinternals port 9050

Exploitation

In addition to the network reconnaissance, Wireshark now shows traffic going to port 445 to identify vulnerable targets to exploit using MS17-010, also known as ETERNALBLUE.
 
It is well established that WannaCry leverages the ETERNALBLUE exploit; this payload targets the SMBv1 implementation in Windows so that the worm can spread and conduct lateral movement.
 
Figure 20: ETERNALBLUE exploitation caught via Wireshark
 
Using a secondary Windows machine, specifically Metasploitable3 due to its susceptibility to ETERNALBLUE, we can evidence the worm activity on the network that purposefully exploits the ETERNALBLUE SMB vulnerability.

Figure 21: Metasploitable3 ETERNALBLUE and WannaCry

Persistence 

During execution of the malware, two persistence mechanisms are triggered. The first uses the Microsoft Security Center (2.0) Service created by the initial binary, as highlighted in Figure 22.

Figure 22: Stage One persistence with Microsoft Security Center (2.0) Service

The second comes from the second stage payloads and can be identified by filtering on all CreateFile operations within Procmon for the process name of the malware binary. It is worth noting that the location name is generated on execution of the malware and will therefore be different each time.

Figure 23: WannaCry.exe second stage storage location

To maintain its foothold, the malware runs the tasksche.exe application from the storage location shown above, creating a new service, in this instance named xpaaslxwir046, that can be seen within Task Manager as illustrated in the figure below.

Figure 24: Task Manager shows persistence mechanism

Indicators of Compromise

Below is a collection of Indicators of Compromise (IoC) relating to the WannaCry directory upon infection:



Malware Behaviour Catalogue

The following Malware Behaviour Catalogue (MBC) mappings are based on the static and dynamic analysis conducted in this post. Behaviours marked with ★ extend the existing MBC WannaCry corpus entry. For MITRE ATT&CK technique mappings, see ATT&CK: WannaCry - Techniques Used.


Enhanced ATT&CK Techniques

Objective | Behaviour | ID | Evidence
Impact | Data Encrypted for Impact | E1486 | WannaCry encrypts files for ransom using the CryptEncrypt API. Identified via static analysis of cryptographic imports and confirmed during dynamic detonation.
Defence Evasion | Obfuscated Files or Information | E1027 ★ | The XIA ZIP archive embedded in the stage two payload is password-encrypted (WNcry@2o17), requiring reverse engineering or debugging to extract its contents.
Persistence | Create or Modify System Process::Windows Service | E1543.003 ★ | Creates "Microsoft Security Center (2.0) Service" for stage one persistence. Confirmed in Ghidra and captured in dynamic analysis via Task Manager.
Lateral Movement | Exploitation of Remote Services | E1210 ★ | Exploits ETERNALBLUE (MS17-010) over SMBv1 on port 445 to propagate. Captured via Wireshark and confirmed on a Metasploitable3 target.
Discovery | Remote System Discovery | E1018 ★ | Scans for hosts on port 445 as lateral movement targets. Observed in Procmon and Wireshark TCP connection logs.
Execution | System Services::Service Execution | E1569.002 ★ | Uses service execution for both the stage one persistence service and the stage two tasksche.exe service.
Command and Control | Ingress Tool Transfer | E1105 ★ | Drops a Tor client (s.wnry) from the encrypted XIA archive to establish a C2 communication channel.
Defence Evasion | File and Directory Permissions Modification | E1222 ★ | Executes icacls . /grant Everyone:F /T /C /Q to grant full permissions to all users, identified via string analysis.


MBC Behaviours

Objective | Behaviour | ID | Evidence
Defence Evasion | Hidden Files and Directories::File Attribute | F0005 | WannaCry uses the +h attribute to hide its dropped files from directory listings.
Persistence | Registry Run Keys / Startup Folder | F0012 | WannaCry creates two registry run keys to ensure persistence across reboots.
Defence Evasion | Self Deletion | F0007 | Killswitch mechanism: if the hardcoded domain resolves via DNS, the binary terminates and deletes itself. Confirmed via Ghidra reversing and the networking vs. no-networking dynamic tests.
Discovery | Self Discovery | B0038 | WannaCry checks the size of the file it loads into memory before proceeding with execution.
Discovery | Self Discovery::Validate Data | B0038.002 | Checks a string, key length, and magic number before decrypting an embedded DLL.
Discovery | Self Discovery::Validate Data Length | B0038.003 | Checks the data length of a PE section before decrypting an embedded DLL.
Execution | Install Additional Program | B0023 ★ | Stage one extracts the stage two PE from its resources (r.exe), which then extracts and deploys the XIA archive contents, including tasksche.exe, taskdl.exe, and the .wnry components.
Command and Control | C2 Communication | B0030 ★ | Communicates via Tor using five onion addresses extracted from c.wnry. Port 9050 connections observed via Sysinternals during advanced dynamic analysis.


Micro-Behaviours

Micro-Objective | Micro-Behaviour | ID | Evidence
Cryptography | Encrypt Data | C0027 | CryptEncrypt API imported and used for file encryption. Identified via the PEStudio import table and FLOSS string analysis.
Cryptography | Decrypt Data | C0031 | CryptDecrypt API imported for decryption of the embedded DLL and archive contents.
Cryptography | Generate Pseudo-random Sequence | C0021 | CryptGenKey API used for key generation. Bitcoin address randomisation function identified in Ghidra.
File System | Create File | C0016 | Stage two payload files written to disk. Procmon CreateFile operations captured during dynamic analysis show the storage location for second stage components.
Process | Create Process | C0017 | Launches tasksche.exe as a new service process and executes commands via cmd.exe /c.


Classification

For the classification of the Malware based on its findings, the Computer Anti-Virus Research Organization (CARO) malware naming scheme [26] identifies WannaCry as:

Ransom:Win32/WannaCrypt

The justification for this breakdown is as follows:

  • Ransom - Based on the ransomware note provided upon infection
  • Win32 - Based on the architecture during the basic analysis stage, i.e., i386 + PE format
  • WannaCrypt - Based on the identification provided by other security researchers

Defender Recommendations

Dealing with WannaCry can be difficult for organisations that have limited automated containment strategies. The best defence to reduce the impact of ransomware is to be up to date on all security patches, disable SMBv1 following the steps documented in Microsoft Knowledge Base Article 2696547, and consider adding a rule on your router or firewall to block incoming SMB traffic on port 445 [27]. Complementing this proactive approach, the reactive approach is to contain as quickly as possible and limit the blast radius through network segmentation. However, these alone do not make a fully effective approach, and large-scale systems can have multiple sources of connectivity related to shadow IT, such as third-party connectors.
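As an added example (not part of the original post), the following Python detector turns the behaviours observed in the Advanced Dynamic Analysis into correlation logic over constructed host and network events: the killswitch DNS lookup, a burst of TCP/445 connections to many distinct hosts, creation of the stage one service, execution of the dropped tasksche.exe, and a loopback connection to the Tor SOCKS port 9050. The event schema, the function names, and the scan threshold (10 distinct :445 targets within 60 seconds) are assumptions of this example, not values from the post.

```python
"""Correlate WannaCry-like behaviours across simple host/network events.

The event schema and thresholds below are assumptions for this example; map
them onto your own telemetry (DNS logs, firewall logs, Sysmon-style service
and process events). The sample events are constructed, not captured traffic.
"""
from collections import defaultdict

KILLSWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea"
# Stage one service has a fixed name; the stage two service name is random per
# run (xpaaslxwir046 in the post), so we key on the dropped binary name instead.
SERVICE_NAMES = {"mssecsvc2.0", "microsoft security center (2.0) service"}
DROPPED_BINARIES = {"mssecsvc.exe", "tasksche.exe", "taskdl.exe", "taskse.exe"}
SMB_PORT, TOR_SOCKS_PORT = 445, 9050
SCAN_THRESHOLD, SCAN_WINDOW = 10, 60   # distinct :445 targets per host per window (assumed)


def detect(events):
    """Return a list of (alert, host, detail) tuples in timestamp order."""
    alerts = []
    smb_history = defaultdict(list)   # host -> [(ts, dst)] within the sliding window
    scan_alerted = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        kind, host = ev["kind"], ev["host"]
        if kind == "dns" and KILLSWITCH in ev["query"].lower():
            alerts.append(("killswitch_lookup", host, ev["query"]))
        elif kind == "service" and ev["name"].lower() in SERVICE_NAMES:
            alerts.append(("wannacry_service", host, ev["name"]))
        elif kind == "process":
            image = ev["image"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if image in DROPPED_BINARIES:
                alerts.append(("dropped_binary_exec", host, ev["image"]))
        elif kind == "conn" and ev["dport"] == TOR_SOCKS_PORT:
            alerts.append(("tor_socks_conn", host, f"{ev['dst']}:{ev['dport']}"))
        elif kind == "conn" and ev["dport"] == SMB_PORT:
            hist = smb_history[host]
            hist.append((ev["ts"], ev["dst"]))
            # drop connections outside the window, then count distinct targets
            hist[:] = [(t, d) for t, d in hist if ev["ts"] - t <= SCAN_WINDOW]
            distinct = {d for _, d in hist}
            if len(distinct) >= SCAN_THRESHOLD and host not in scan_alerted:
                scan_alerted.add(host)
                alerts.append(("smb_scan", host,
                               f"{len(distinct)} distinct :445 targets in {SCAN_WINDOW}s"))
    return alerts


def triage(alerts, min_types=2):
    """Hosts with at least min_types distinct alert types: probable infections."""
    by_host = defaultdict(set)
    for kind, host, _ in alerts:
        by_host[host].add(kind)
    return {h: sorted(k) for h, k in by_host.items() if len(k) >= min_types}


# ---- constructed sample events ----------------------------------------------
SAMPLE_EVENTS = [
    {"ts": 0, "host": "WS01", "kind": "dns", "query": f"www.{KILLSWITCH}.com"},
    {"ts": 5, "host": "WS01", "kind": "service", "name": "Microsoft Security Center (2.0) Service"},
    # constructed path: the real drop directory name is random per run
    {"ts": 20, "host": "WS01", "kind": "process", "image": r"C:\constructed_dir\tasksche.exe"},
    {"ts": 25, "host": "WS01", "kind": "conn", "dst": "127.0.0.1", "dport": 9050},
    # benign neighbour: one DNS lookup and two SMB connections to file servers
    {"ts": 2, "host": "WS02", "kind": "dns", "query": "updates.example.com"},
    {"ts": 3, "host": "WS02", "kind": "conn", "dst": "10.0.1.5", "dport": 445},
    {"ts": 4, "host": "WS02", "kind": "conn", "dst": "10.0.1.6", "dport": 445},
]
# WS01 sweeps twelve neighbours on TCP/445 within twelve seconds
SAMPLE_EVENTS += [{"ts": i, "host": "WS01", "kind": "conn", "dst": f"10.0.0.{i}", "dport": 445}
                  for i in range(1, 13)]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
    print(triage(detect(SAMPLE_EVENTS)))
```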

To help detect WannaCry, the following four YARA rules have been written based on the findings of the analysis above. In addition, US-CERT published a number of YARA rules in Alert TA17-132A [16].

/*
    WannaCry Ransomware Detection Rules
    Author: Jack Whitter-Jones
    Date: 2026-02-08
    Classification: Ransom:Win32/WannaCrypt
    
    These rules are split by infection stage to reduce false positives
    and allow granular detection across the kill chain.
    
    References:
        - https://www.cloudflare.com/learning/security/ransomware/wannacry-ransomware/
        - https://attack.mitre.org/software/S0366/
        - https://learn.microsoft.com/en-us/unified-secops/malware-naming
*/

// The pe module is required for the pe.imports() checks used in the conditions
import "pe"

// ---------------------------------------------------------------------------
// Rule 1: WannaCry Stage One Dropper (mssecsvc.exe)
//
// Targets the initial binary responsible for the killswitch check,
// service persistence, ETERNALBLUE propagation, and stage two extraction.
// ---------------------------------------------------------------------------
rule WannaCry_Stage1_Dropper
{
    meta:
        description     = "Detects WannaCry stage one dropper (mssecsvc.exe)"
        author          = "Jack Whitter-Jones"
        date            = "2026-02-08"
        classification  = "Ransom:Win32/WannaCrypt"
        severity        = "Critical"
        hash_md5        = "db349b97c37d22f5ea1d1841e3c89eb4"
        hash_sha256     = "24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c"

        // MITRE ATT&CK mapping (concatenated to avoid duplicate keys)
        mitre_tactics       = "Defense Evasion, Discovery, Execution, Persistence"
        mitre_techniques    = "T1027.005, T1083, T1082, T1016, T1129, T1569.002, T1543.003"

    strings:
        // -- Killswitch domain (the single most unique identifier) --
        $killswitch = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea" ascii nocase

        // -- Service persistence --
        $svc_name   = "mssecsvc2.0" ascii wide
        $svc_display = "Microsoft Security Center (2.0) Service" ascii wide

        // -- Staging path pattern --
        $path_fmt   = "C:\\%s\\qeriuwjhrf" ascii

        // -- Command execution for permissions --
        $icacls     = "icacls . /grant Everyone:F /T /C /Q" ascii

        // -- SMB marker: hardcoded SMB packet header --
        // Zero bytes followed by the SMB header magic (0xFF 'SMB') and the
        // command byte 0x72 (SMB_COM_NEGOTIATE), as present in the worm's
        // hardcoded SMB packets used for MS17-010
        $smb_exploit = { 00 00 00 00 00 00 00 00 FF 53 4D 42 72 }

        // -- PE resource containing stage two --
        // The 'R' resource is a PE that starts with MZ; look for MZ
        // at a typical resource offset boundary after the main PE headers
        $nested_pe  = { 4D 5A 90 00 03 00 00 00 }

    condition:
        // Must be a PE file
        uint16(0) == 0x5A4D and

        // Reasonable size bound for stage one (~3.6 MB)
        filesize > 1MB and filesize < 5MB and

        // Import table must reference networking and service APIs
        pe.imports("ws2_32.dll") and
        pe.imports("advapi32.dll") and

        (
            // High-confidence: killswitch + service persistence
            ($killswitch and 1 of ($svc_*)) or

            // High-confidence: killswitch + staging path + permissions escalation
            ($killswitch and $path_fmt and $icacls) or

            // Structural: nested PE in resources + service creation + networking
            ($nested_pe and 1 of ($svc_*) and pe.imports("wininet.dll")) or

            // Structural: hardcoded SMB packet marker + service creation
            // (also keeps $smb_exploit referenced, which YARA requires to compile)
            ($smb_exploit and 1 of ($svc_*))
        )
}


// ---------------------------------------------------------------------------
// Rule 2: WannaCry Stage Two Ransomware Payload (tasksche.exe / r.exe)
//
// Targets the second-stage binary that contains the encrypted XIA archive
// holding the ransomware components (.wnry files, tor client, etc.)
// ---------------------------------------------------------------------------
rule WannaCry_Stage2_Payload
{
    meta:
        description     = "Detects WannaCry stage two ransomware payload"
        author          = "Jack Whitter-Jones"
        date            = "2026-02-08"
        classification  = "Ransom:Win32/WannaCrypt"
        severity        = "Critical"
        mitre_tactics   = "Impact, Persistence, Command and Control"
        mitre_techniques = "T1486, T1543.003, T1573"

    strings:
        // -- Encrypted archive password (unique to WannaCry) --
        $zip_pass = "WNcry@2o17" ascii wide

        // -- Ransomware component filenames (inside the XIA archive) --
        $wnry_r = "r.wnry" ascii
        $wnry_s = "s.wnry" ascii
        $wnry_t = "t.wnry" ascii
        $wnry_u = "u.wnry" ascii
        $wnry_b = "b.wnry" ascii
        $wnry_c = "c.wnry" ascii

        // -- Operational binaries --
        $taskdl = "taskdl.exe" ascii
        $taskse = "taskse.exe" ascii
        $tasksche = "tasksche.exe" ascii

        // -- Bitcoin wallet addresses --
        $btc1 = "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94" ascii
        $btc2 = "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw" ascii
        $btc3 = "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn" ascii

        // -- Tor C2 onion addresses --
        $tor1 = "gx7ekbenv2riucmf" ascii
        $tor2 = "57g7spgrzlojinas" ascii
        $tor3 = "xxlvbrloxvriy2c5" ascii
        $tor4 = "76jdd2ir2embyv47" ascii
        $tor5 = "cwwnhwhlz52maqm7" ascii

        // -- Crypto API usage pattern (sequential imports suggest
        //    key generation → encrypt → decrypt workflow) --
        $capi_gen     = "CryptGenKey" ascii
        $capi_encrypt = "CryptEncrypt" ascii
        $capi_acquire = "CryptAcquireContextA" ascii
        $capi_import  = "CryptImportKey" ascii

    condition:
        uint16(0) == 0x5A4D and
        filesize < 5MB and

        (
            // High-confidence: archive password is nearly unique to WannaCry
            $zip_pass or

            // High-confidence: 4+ .wnry component names in one binary
            4 of ($wnry_*) or

            // Strong signal: Bitcoin wallets + tor addresses
            (2 of ($btc*) and 2 of ($tor*)) or

            // Behavioural combination: crypto workflow + operational tools + C2
            (
                3 of ($capi_*) and
                ($taskdl or $taskse or $tasksche) and
                2 of ($tor*)
            )
        )
}


// ---------------------------------------------------------------------------
// Rule 3: WannaCry Encrypted Archive (XIA resource)
//
// Detects the encrypted ZIP archive that WannaCry carries as a PE resource,
// once it is seen as a standalone file (in transit or extracted on disk);
// the "at 0" anchor below means the carrier PE itself is not matched.
// ---------------------------------------------------------------------------
rule WannaCry_XIA_Archive
{
    meta:
        description = "Detects WannaCry encrypted XIA ZIP archive containing ransomware components"
        author      = "Jack Whitter-Jones"
        date        = "2026-02-08"
        severity    = "High"

    strings:
        // ZIP local file header magic
        $pk_header = { 50 4B 03 04 }

        // Entry names, stored in clear in the local file headers and the
        // central directory even though the archive data is password protected
        $zf_r = "r.wnry" ascii
        $zf_s = "s.wnry" ascii
        $zf_t = "t.wnry" ascii
        $zf_u = "u.wnry" ascii
        $zf_b = "b.wnry" ascii
        $zf_c = "c.wnry" ascii
        $zf_taskdl = "taskdl.exe" ascii
        $zf_taskse = "taskse.exe" ascii

    condition:
        $pk_header at 0 and
        filesize < 5MB and
        5 of ($zf_*)
}
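As an added example that is not part of the original post, the following Python scanner applies the logic of Rule 3 (a ZIP local header plus five or more of the component names) but also covers what `$pk_header at 0` does not: the archive sitting at a non-zero offset inside a carrier file. The archive it checks is constructed in memory with the rule's entry names and dummy contents; no real sample is needed.

```python
import io
import struct
import zipfile

# Component names from Rule 3; five or more in one archive is the rule's threshold.
WNRY_NAMES = {"r.wnry", "s.wnry", "t.wnry", "u.wnry", "b.wnry", "c.wnry",
              "taskdl.exe", "taskse.exe"}
LOCAL_SIG = b"PK\x03\x04"                    # ZIP local file header signature
LOCAL_HDR = struct.Struct("<4xHHHHHIIIHH")  # fixed 30-byte local file header

def zip_entry_names(buf: bytes, start: int) -> list:
    """Walk consecutive local file headers from `start` and return the entry
    names. Names are stored in clear even when the data is password protected."""
    names, off = [], start
    while len(buf) - off >= LOCAL_HDR.size and buf[off:off + 4] == LOCAL_SIG:
        (_ver, flags, _method, _time, _date, _crc, csize, _usize,
         name_len, extra_len) = LOCAL_HDR.unpack_from(buf, off)
        if flags & 0x0008:   # sizes deferred to a data descriptor; stop walking
            break
        name_start = off + LOCAL_HDR.size
        names.append(buf[name_start:name_start + name_len].decode("utf-8", "replace"))
        off = name_start + name_len + extra_len + csize
    return names

def find_xia_archive(buf: bytes, min_hits: int = 5):
    """Return (offset, matched names) for the first ZIP in `buf` whose entries
    include at least `min_hits` component names, else None. Offset 0 is the
    standalone archive; a larger offset means it is embedded in a carrier."""
    off = buf.find(LOCAL_SIG)
    while off != -1:
        hits = sorted(n for n in zip_entry_names(buf, off) if n in WNRY_NAMES)
        if len(hits) >= min_hits:
            return off, hits
        off = buf.find(LOCAL_SIG, off + 4)
    return None

def build_sample_archive() -> bytes:
    """Constructed stand-in for the XIA archive: real entry names, dummy data."""
    bio = io.BytesIO()
    with zipfile.ZipFile(bio, "w", zipfile.ZIP_STORED) as zf:
        for name in sorted(WNRY_NAMES):
            zf.writestr(name, b"placeholder")   # constructed content, not real
    return bio.getvalue()

STANDALONE = build_sample_archive()
# Constructed carrier: a fake MZ prefix padded to 0x400 bytes, then the archive.
EMBEDDED = b"MZ" + b"\x00" * 0x3FE + STANDALONE
```

Calling `find_xia_archive(STANDALONE)` reports offset 0, the only case the YARA rule above fires on, while `find_xia_archive(EMBEDDED)` reports the archive at 0x400 inside the carrier.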


// ---------------------------------------------------------------------------
// Rule 4: WannaCry Network Artefact (killswitch beacon)
//
// For use with network traffic captures or proxy logs. Detects the
// killswitch domain that WannaCry tries to reach at start-up, before it
// proceeds with propagation and encryption.
// ---------------------------------------------------------------------------
rule WannaCry_Killswitch_Beacon
{
    meta:
        description = "Detects WannaCry killswitch domain in network captures or memory"
        author      = "Jack Whitter-Jones"
        date        = "2026-02-08"
        severity    = "Critical"

    strings:
        $domain = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com" ascii nocase

    condition:
        $domain
}

Conclusion

This post has analysed the core components of WannaCry: a threat intelligence profile, followed by a detailed walkthrough of the analysis and reverse engineering of the malware. This included the identification of Indicators of Compromise, how the malware is classified using the Computer Antivirus Research Organization (CARO) naming scheme based on the findings of the analysis, and defender recommendations, both proactive and reactive, to combat a campaign that remains prevalent.

While many articles have illustrated the technical components of WannaCry, most omit a foundational threat profile of the campaign and how the impact of the attack led to financial gain. This post ties those research areas together into a detailed end-to-end understanding of the Lazarus Group's objectives for the campaign, notably financial gain.

While the analysis covers a broad range of areas, it does not complete the picture; specifically, further analysis of the ETERNALBLUE [4] and DOUBLEPULSAR [5] exploits remains. A further area of interest is cryptocurrency analysis of the wallets used in this campaign, ideally a tree diagram of all the wallets and their connected activity. Both will be explored in subsequent posts.

References
