Unpacking the PE file from the launcher
If we unpack the PE file manually, it shows several layers. Any tool that dumps the resource (.rsrc) section of a PE file can be used.
The file “R-1381” is the embedded PE file in the launcher.
Running “R-1381” against the .rsrc dumper, we can see that it has the following files:
“XIA-2058” is actually a password-protected zip file. PW: ‘WNcry@2ol7’. When extracted, it contains the following:
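As an added example (not code from the original post), a small pure-Python carver that does what the steps above describe: it reads the launcher's section table, locates the .rsrc section and reports the file offsets of nested PE images and ZIP local-file headers, flagging ZIP entries whose header bit marks them as password-protected. The image it scans is constructed inline as test data, not a WannaCry sample; `make_pe`, `carve_rsrc` and the other names are this example's own.

```python
import struct

def parse_sections(data):
    """Map section name -> (PointerToRawData, SizeOfRawData) from the PE section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 else 0
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4  # COFF file header follows the 4-byte PE signature
    n_sections, opt_size = struct.unpack_from("<H", data, coff + 2)[0], struct.unpack_from("<H", data, coff + 16)[0]
    table, sections = coff + 20 + opt_size, {}
    for hdr in range(table, table + 40 * n_sections, 40):  # 40-byte IMAGE_SECTION_HEADER entries
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        sections[name] = (raw_ptr, raw_size)
    return sections

def find_embedded(data, start, end):
    """Scan data[start:end] for nested PE images and ZIP local-file headers (carving by signature)."""
    hits = []
    pos = data.find(b"MZ", start, end)
    while pos >= 0:  # an MZ stub only counts if its e_lfanew points at a real PE signature
        lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0] if pos + 0x40 <= end else 0
        if 0x40 <= lfanew <= end - pos - 4 and data[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
            hits.append(("PE", pos))
        pos = data.find(b"MZ", pos + 2, end)
    pos = data.find(b"PK\x03\x04", start, end)
    while pos >= 0:  # general-purpose flag bit 0 marks an encrypted (password-protected) entry
        flags = struct.unpack_from("<H", data, pos + 6)[0] if pos + 8 <= end else 0
        hits.append(("ZIP-encrypted" if flags & 1 else "ZIP", pos))
        pos = data.find(b"PK\x03\x04", pos + 4, end)
    return sorted(hits, key=lambda h: h[1])

def carve_rsrc(data):
    ptr, size = parse_sections(data).get(".rsrc", (0, 0))  # no .rsrc -> nothing to carve
    return find_embedded(data, ptr, min(ptr + size, len(data)))

def make_pe(sections):
    """Constructed test data: a minimal, non-runnable PE image holding the given raw sections."""
    n, raw, body = len(sections), 0x58 + 40 * len(sections), b""
    image = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # DOS header, e_lfanew = 0x40
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, 0, 0)  # COFF header, no optional header
    for name, payload in sections.items():  # section headers first, raw data appended afterwards
        image += name.encode().ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(payload), raw, len(payload), raw, 0, 0, 0, 0, 0)
        raw, body = raw + len(payload), body + payload
    return image + body

# Constructed stand-in for the launcher: .rsrc holds a nested PE followed by an encrypted ZIP local header.
SAMPLE = make_pe({".text": b"\x90" * 16,
                  ".rsrc": b"\0" * 8 + make_pe({}) + b"\0" * 4 + b"PK\x03\x04" + struct.pack("<HH", 20, 1) + b"\0" * 22})
```

Run `carve_rsrc` on a real launcher and the reported offsets are where to slice out the nested PE and the zip for the next layer; the raw-data boundaries come from the section table rather than guesswork.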
The R-1381 file drops an encrypted DLL file called “t.wnry”. Once the DLL is decrypted, the WannaCry ransomware itself is run.
The “b.wnry” file is a BMP image used for the ransom note desktop wallpaper.
The “c.wnry” holds a list of TOR sites (*.onion)
The “r.wnry” file contains a plain-text “readme” ransom note.
The msg folder holds ransom note messages in different languages. The file “s.wnry” is another ZIP file that contains Tor-related binaries, which will later be used for C2 beaconing: