Wannacry : Detailed analysis ( part 2 of 3 ) 

​Unpacking the PE file from the launcher

If we unpack the PE file manually, it shows several layers. Any tool that dumps the resource (.rsrc) section of a PE file can be used.

The file “R-1381” is the embedded PE file in the launcher.

Running “R-1381” against the .rsrc dumper, we can see that it has the following files:

“XIA-2058” is actually a password-protected zip file. PW: ‘WNcry@2ol7’. When extracted, it contains the following:

The R-1831 file drops an encrypted DLL file called “t.wnry”. Once the DLL is decrypted, the WannaCry ransomware itself is run.

The “b.wnry” is the a BMP file usedfor the ransom note desktop wallpaper.

The “c.wnry” holds a list of TOR sites (*.onion)

The “r.wnry” contains a simple text”readme ransom note”

The msg folder holds ransom notes messages in different languages.The file “s.wnry” is another ZIP file that contains Tor-related binaries which will be later used for C2 beaconing:


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s