Wannacry: Detailed analysis (part 3 of 3)

​Ransomware itself typical The actual ransomware component itself is not all that remarkable, it does what ransomware does, encrypts a widerange of files and demands ransom, to be paid in bitcoins in a most insistent way. Here is a list of some of the files it encrypts. Expect more of the same to come What… Continue reading Wannacry: Detailed analysis (part 3 of 3)

Wannacry : Detailed analysis ( part 2 of 3 ) 

​Unpacking the PE file from the launcher If we unpack the PE file manually, it shows several layers. Any tool that dumps the resource (.rsrc) section of a PE file can be used. The file “R-1381” is the embedded PE file in the launcher. Running “R-1381” against the .rsrc dumper, we can see that it… Continue reading Wannacry : Detailed analysis ( part 2 of 3 ) 

Wannacry : Detailed Analysis ( part 1 of 3 )

Main Launcher: The Killswitch effect The main launcher has a curious feature, where, before it does anything else, it checks connectivity to a certain domain. Ifthat domain resolves, the binary exits and does nothing further. This has been dubbed the killswitch. The killswitch domains below that have been found so far have been registered by… Continue reading Wannacry : Detailed Analysis ( part 1 of 3 )