Malware Analysis · Reverse Engineering

WANNACRY
RANSOMWARE ANALYSIS

OVERVIEW

WannaCry is a cryptoworm ransomware that exploited the EternalBlue vulnerability (MS17-010) in Windows SMBv1 to propagate across networks autonomously. This project involved setting up an isolated lab environment to perform both static and dynamic analysis on a WannaCry sample to document the full kill chain.

LAB ENVIRONMENT

Analysis was performed in a fully isolated VMware network with snapshot capability. No live internet access was permitted. Tools: REMnux (static analysis), FlareVM (dynamic analysis), Wireshark for network capture, Process Monitor and Process Hacker for behavioural monitoring.

PHASE 1: STATIC ANALYSIS

FILE METADATA

Initial triage using file hashing (MD5/SHA256), strings extraction, and PE header analysis to understand the binary structure without executing it.

  • Identified PE32 executable with a suspicious import table — CryptAcquireContext and CryptEncrypt, confirming encryption capability
  • Strings analysis revealed hardcoded kill switch URL: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  • Embedded resource DLL identified containing the ransomware payload and Tor client
  • PDB path and compiler artifacts confirmed MSVC compilation, likely Windows development environment
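The Phase 1 triage steps above (hashing, strings extraction, import inspection, hardcoded URL spotting) as one runnable script. This is an added example written for this page, not tooling from the original project. Assumptions: the `cryptoAPIs` list extends the two names from the findings with CryptGenRandom and CryptImportKey; the domain regex covers only a few TLDs; `SampleBytes` is a constructed stand-in (an MZ stub with no valid PE header, so the import-directory path is skipped and the strings fallback is exercised) that carries the kill-switch URL from the findings. It is not the WannaCry binary.

```go
package main

import (
	"bytes"
	"crypto/md5"
	"crypto/sha256"
	"debug/pe"
	"encoding/hex"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Windows CryptoAPI names worth flagging at triage. CryptAcquireContext and CryptEncrypt
// are the two from the findings; the other two are routinely seen next to them in
// file-encrypting malware and are added here as an assumption of this example.
var cryptoAPIs = []string{"CryptAcquireContext", "CryptEncrypt", "CryptGenRandom", "CryptImportKey"}

// Hostnames under a handful of TLDs: enough to surface a hardcoded kill-switch or C2 domain.
var domainRe = regexp.MustCompile(`\b[a-z0-9][a-z0-9-]{3,62}\.(com|net|org|onion)\b`)

// Triage is the static-analysis summary one would paste into a report.
type Triage struct {
	MD5, SHA256 string
	Imports     []string // "Symbol:DLL" entries from the import directory, if the PE parses
	CryptoAPIs  []string // CryptoAPI names found in imports or strings
	Domains     []string
	Strings     []string
}

// asciiStrings does what `strings -n minLen` does: runs of printable ASCII.
func asciiStrings(data []byte, minLen int) []string {
	var out []string
	start := -1
	for i, b := range data {
		printable := b >= 0x20 && b <= 0x7e
		if printable && start < 0 {
			start = i
		}
		if !printable && start >= 0 {
			if i-start >= minLen {
				out = append(out, string(data[start:i]))
			}
			start = -1
		}
	}
	if start >= 0 && len(data)-start >= minLen {
		out = append(out, string(data[start:]))
	}
	return out
}

// TriageBytes hashes the sample, lists imports when the PE headers are intact, and in
// every case scans the extracted strings for the same indicators (packed or damaged
// samples rarely have a usable import directory).
func TriageBytes(data []byte) Triage {
	md5sum, sha := md5.Sum(data), sha256.Sum256(data)
	t := Triage{MD5: hex.EncodeToString(md5sum[:]), SHA256: hex.EncodeToString(sha[:])}
	t.Strings = asciiStrings(data, 6)
	if f, err := pe.NewFile(bytes.NewReader(data)); err == nil {
		t.Imports, _ = f.ImportedSymbols()
		f.Close()
	}
	seen := map[string]bool{}
	candidates := append(append([]string{}, t.Imports...), t.Strings...)
	for _, s := range candidates {
		for _, api := range cryptoAPIs {
			if strings.Contains(s, api) && !seen[api] {
				seen[api] = true
				t.CryptoAPIs = append(t.CryptoAPIs, api)
			}
		}
		for _, d := range domainRe.FindAllString(strings.ToLower(s), -1) {
			if !seen["domain:"+d] {
				seen["domain:"+d] = true
				t.Domains = append(t.Domains, d)
			}
		}
	}
	sort.Strings(t.CryptoAPIs)
	sort.Strings(t.Domains)
	return t
}

// SampleBytes is a constructed stand-in for a sample: an MZ stub with no valid PE header
// followed by strings of the kind the real binary carries. It is not the WannaCry binary.
func SampleBytes() []byte {
	data := append([]byte("MZ"), make([]byte, 94)...)
	for _, s := range []string{
		"CryptAcquireContextA", "CryptEncrypt", "CryptGenRandom",
		"http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
		"Microsoft Enhanced RSA and AES Cryptographic Provider",
	} {
		data = append(data, s...)
		data = append(data, 0, 0xE8, 0x90) // NUL terminator plus non-printable filler
	}
	return data
}

func main() {
	t := TriageBytes(SampleBytes())
	fmt.Printf("sha256=%s\ncrypto APIs=%v\ndomains=%v\n", t.SHA256, t.CryptoAPIs, t.Domains)
}
```

On a real sample, read the file into `data` and the import-directory branch takes over; the string scan still runs so that a name only referenced through dynamic resolution is not missed.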

PHASE 2: NETWORK PROPAGATION

ETERNALBLUE EXPLOIT CHAIN

The worm component scans for hosts with TCP port 445 open and attempts to exploit CVE-2017-0144 (EternalBlue) — a buffer overflow in SMBv1's transaction handling that allows unauthenticated remote code execution as SYSTEM.

  • SMBv1 negotiate protocol request to enumerate supported dialects
  • TRANS2_OPEN2 request with malformed parameters triggering buffer overflow
  • Shellcode execution achieved via pool spray — targeting nonpaged pool allocation
  • DoublePulsar kernel backdoor installed to receive and execute the WannaCry DLL payload

PHASE 3: ENCRYPTION ROUTINE

AES-RSA HYBRID ENCRYPTION

WannaCry uses a hybrid encryption scheme designed to prevent key recovery without paying the ransom. Each file is encrypted with a unique AES-128 key, which is itself encrypted with an RSA-2048 public key controlled by the attacker.

  • RSA-2048 public key embedded in binary — private key held only by attacker
  • Per-file AES-128 key generated using CryptGenRandom
  • AES key encrypted with embedded RSA public key and prepended to encrypted file
  • Target extensions: .doc, .xls, .pdf, .jpg, .zip, .rar, .vmdk — 176 file types total
  • Original files deleted via MoveFileEx after encryption (not secure-wiped — recovery possible with forensic tools if acted on quickly)
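The hybrid scheme described above, modelled end to end so that the "no local key recovery" finding can be checked rather than asserted. This is an added example written for this page, not code from the original project or recovered from the sample. Assumptions: the container layout (magic, wrapped-key length, RSA-wrapped AES key, IV, AES-CBC data) is this example's own and not a claim about the sample's exact on-disk format; crypto/rand stands in for CryptGenRandom; the key is wrapped with RSA PKCS#1 v1.5, which is what CryptEncrypt applies with an RSA key handle; CBC with PKCS#7 padding is assumed as the AES mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"encoding/binary"
	"errors"
)

// Container layout assumed for this example (not a claim about the sample's exact on-disk
// format): magic | u32 wrapped-key length | RSA-wrapped AES key | 16-byte IV | AES-CBC data.
const magic = "HYBRID01"

type Header struct {
	WrappedKey     []byte // per-file AES key under the attacker's RSA public key
	IV, Ciphertext []byte
}

// NewAttackerKey stands for the keypair generated once on the attacker's side; only the
// public half is embedded in the binary, the private half never reaches a victim.
func NewAttackerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func pkcs7Pad(b []byte, n int) []byte {
	p := byte(n - len(b)%n)
	return append(b[:len(b):len(b)], bytes.Repeat([]byte{p}, int(p))...)
}

func pkcs7Unpad(b []byte, n int) ([]byte, error) {
	p := 0
	if len(b) > 0 {
		p = int(b[len(b)-1])
	}
	if len(b)%n != 0 || p == 0 || p > n || !bytes.Equal(b[len(b)-p:], bytes.Repeat([]byte{byte(p)}, p)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-p], nil
}

// EncryptFile models the per-file routine: a fresh random AES-128 key (crypto/rand plays
// CryptGenRandom's part), AES-CBC over the content, and the key wrapped with RSA PKCS#1 v1.5,
// which is what CryptEncrypt does with an RSA key handle. Only the wrapped key is written out.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	keyIV := make([]byte, 16+aes.BlockSize)
	if _, err := rand.Read(keyIV); err != nil {
		return nil, err
	}
	key, iv := keyIV[:16], keyIV[16:]
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, pub, key)
	if err != nil {
		return nil, err
	}
	var out bytes.Buffer
	out.WriteString(magic)
	binary.Write(&out, binary.LittleEndian, uint32(len(wrapped)))
	out.Write(wrapped)
	out.Write(iv)
	out.Write(ct)
	return out.Bytes(), nil // key is unreachable from here on: its only persisted form is RSA-wrapped
}

// ParseHeader is what a forensic parser recovers with no key at all: the wrapped key blob,
// the IV and the ciphertext. The AES key itself is never present in the clear.
func ParseHeader(blob []byte) (Header, error) {
	var h Header
	rest := bytes.TrimPrefix(blob, []byte(magic))
	if len(rest) == len(blob) || len(rest) < 4 {
		return h, errors.New("not an encrypted container")
	}
	klen := int(binary.LittleEndian.Uint32(rest))
	rest = rest[4:]
	if len(rest) <= klen+aes.BlockSize || (len(rest)-klen-aes.BlockSize)%aes.BlockSize != 0 {
		return h, errors.New("truncated container")
	}
	h.WrappedKey, h.IV, h.Ciphertext = rest[:klen], rest[klen:klen+aes.BlockSize], rest[klen+aes.BlockSize:]
	return h, nil
}

// DecryptFile succeeds only with the attacker's RSA private key; any other key fails at the
// unwrap step, which is why no local key recovery is possible once encryption has run.
func DecryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	h, err := ParseHeader(blob)
	if err != nil {
		return nil, err
	}
	key, err := rsa.DecryptPKCS1v15(nil, priv, h.WrappedKey)
	if err != nil {
		return nil, errors.New("cannot unwrap the AES key: wrong RSA private key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(h.Ciphertext))
	cipher.NewCBCDecrypter(block, h.IV).CryptBlocks(pt, h.Ciphertext)
	return pkcs7Unpad(pt, aes.BlockSize)
}
```

The point worth taking from the model: the victim machine holds the public half only, so the wrapped 256-byte blob at the front of every file is useless without the attacker's private key, and the plaintext AES key lives only in memory during the call. That is also why the MoveFileEx deletion of the originals, not the cryptography, is the realistic recovery avenue.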

PHASE 4: C2 COMMUNICATION

TOR-BASED COMMAND AND CONTROL

WannaCry bundles a Tor client to communicate with hidden service C2 servers, making attribution and takedown difficult. Payment tracking was done via unique Bitcoin addresses per victim.

  • Embedded Tor client extracted from resource section and executed
  • C2 hidden service addresses hardcoded in binary
  • Bitcoin address generation for per-victim payment tracking
  • Kill switch check — if the hardcoded URL resolved, execution terminated (exploited by Marcus Hutchins to stop spread)

OUTCOME & KEY FINDINGS

This analysis produced a full documented kill chain from initial SMB scan to file encryption, providing a practical understanding of cryptoworm architecture, exploitation techniques, and encryption design used in real-world ransomware.

  • Kill switch mechanism fully documented and validated in lab
  • Encryption scheme analysed — confirmed no local key recovery possible post-encryption
  • Network indicators of compromise (IoCs) extracted for detection rule development
  • Snort/Suricata rules written to detect EternalBlue SMB negotiation patterns
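The detection side of the Phase 2 propagation steps and of the rule-writing work listed above, as an added example written for this page rather than the project's own Snort/Suricata rules: a small Go detector that parses SMBv1 negotiate requests for the "NT LM 0.12" dialect, flags Trans2/NT Trans commands on 445/tcp, and counts distinct 445/tcp targets per source to catch the worm's scan phase. Assumptions: the `Flow` records and the message builders are constructed for the sample capture (real traffic carries more header fields, which the checks ignore), and the sweep threshold of five distinct targets is an arbitrary value chosen for the example.

```go
package main

import (
	"bytes"
	"fmt"
)

// Flow is one client-to-server TCP segment as a capture parser would hand it over.
// The fields are filled from constructed data below, not from a real pcap.
type Flow struct {
	Src, Dst string
	DstPort  uint16
	Payload  []byte // TCP payload: NetBIOS session header + SMB message
}

type Finding struct{ Src, Rule string }

const (
	smbNegotiate  = 0x72 // SMB_COM_NEGOTIATE
	smbTrans2     = 0x32 // SMB_COM_TRANSACTION2
	smbNTTrans    = 0xA0 // SMB_COM_NT_TRANSACT
	scanThreshold = 5    // distinct 445/tcp targets per source before calling it a sweep (assumed)
)

// smbCommand returns the SMBv1 command byte when the payload carries an SMBv1 message:
// 4-byte NetBIOS session header, then 0xFF 'S' 'M' 'B' and the rest of the 32-byte SMB header.
func smbCommand(p []byte) (byte, bool) {
	if len(p) < 36 || p[0] != 0x00 || !bytes.HasPrefix(p[4:], []byte{0xFF, 'S', 'M', 'B'}) {
		return 0, false
	}
	return p[8], true
}

// negotiateDialects parses the dialect list of an SMB_COM_NEGOTIATE request:
// WordCount (0), ByteCount, then entries of 0x02 followed by a NUL-terminated name.
func negotiateDialects(p []byte) []string {
	body := p[36:]
	if len(body) < 3 || body[0] != 0 {
		return nil
	}
	n := int(body[1]) | int(body[2])<<8
	data := body[3:]
	if n < len(data) {
		data = data[:n]
	}
	var dialects []string
	for len(data) > 1 && data[0] == 0x02 {
		end := bytes.IndexByte(data[1:], 0)
		if end < 0 {
			break
		}
		dialects = append(dialects, string(data[1:1+end]))
		data = data[2+end:]
	}
	return dialects
}

// Analyze applies two checks: SMBv1 negotiation and transaction commands on 445/tcp, and
// one source reaching many distinct 445/tcp targets (the worm's scanning phase).
func Analyze(flows []Flow) []Finding {
	targets := map[string]map[string]bool{}
	var out []Finding
	for _, f := range flows {
		if f.DstPort != 445 {
			continue
		}
		if targets[f.Src] == nil {
			targets[f.Src] = map[string]bool{}
		}
		targets[f.Src][f.Dst] = true
		cmd, ok := smbCommand(f.Payload)
		if !ok {
			continue
		}
		switch cmd {
		case smbNegotiate:
			for _, d := range negotiateDialects(f.Payload) {
				if d == "NT LM 0.12" { // the SMBv1 dialect; modern clients should be on SMB2/3
					out = append(out, Finding{f.Src, "smbv1-negotiate"})
					break
				}
			}
		case smbTrans2, smbNTTrans:
			out = append(out, Finding{f.Src, "smbv1-transaction"})
		}
	}
	for src, t := range targets {
		if len(t) >= scanThreshold {
			out = append(out, Finding{src, "port445-sweep"})
		}
	}
	return out
}

// Summarize counts findings per rule, which is what a Snort/Suricata threshold would see.
func Summarize(fs []Finding) map[string]int {
	c := map[string]int{}
	for _, f := range fs {
		c[f.Rule]++
	}
	return c
}

// buildSMB and buildNegotiate construct minimal messages for the sample capture.
func buildSMB(cmd byte, body []byte) []byte {
	msg := append([]byte{0xFF, 'S', 'M', 'B', cmd}, make([]byte, 27)...)
	msg = append(msg, body...)
	return append([]byte{0, byte(len(msg) >> 16), byte(len(msg) >> 8), byte(len(msg))}, msg...)
}

func buildNegotiate(dialects ...string) []byte {
	var d []byte
	for _, s := range dialects {
		d = append(append(append(d, 0x02), s...), 0)
	}
	return buildSMB(smbNegotiate, append([]byte{0, byte(len(d)), byte(len(d) >> 8)}, d...))
}

// SampleFlows is a constructed capture: 10.0.0.5 sweeps seven hosts with SMBv1 negotiates and
// sends a Trans2 to one of them; 10.0.0.7 negotiates SMB2 dialects with a single file server.
func SampleFlows() []Flow {
	var flows []Flow
	for i := 0; i < 7; i++ {
		flows = append(flows, Flow{"10.0.0.5", fmt.Sprintf("10.0.0.%d", 10+i), 445, buildNegotiate("NT LM 0.12")})
	}
	flows = append(flows, Flow{"10.0.0.5", "10.0.0.10", 445, buildSMB(smbTrans2, []byte{0x0F})})
	flows = append(flows, Flow{"10.0.0.7", "10.0.0.20", 445, buildNegotiate("SMB 2.002", "SMB 2.???")})
	flows = append(flows, Flow{"10.0.0.7", "10.0.0.20", 80, []byte("GET / HTTP/1.1\r\n")})
	return flows
}

func main() {
	for rule, n := range Summarize(Analyze(SampleFlows())) {
		fmt.Printf("%-20s %d\n", rule, n)
	}
}
```

The same three conditions map directly onto IDS rules: a content match on the SMB header and the "NT LM 0.12" dialect string for the first, a match on the command byte for the second, and a per-source threshold on new 445/tcp connections for the sweep. The sweep count is the one that fires earliest in a live outbreak, before any exploit packet is sent.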