Pulling apart Major WannaCry Functions

ice-wzl
3 min read · Feb 7, 2023

Introduction:

WannaCry, also known as WCry or WannaCrypt, is a notorious ransomware that made headlines in May 2017 after it infected hundreds of thousands of computers in 150 countries. The malware was spread via a worm that exploited a vulnerability in Microsoft Windows operating systems. The WannaCry ransomware encrypted the files on infected computers and demanded a ransom payment in Bitcoin to restore access to the data. In this blog post, we will dive into the inner workings of WannaCry and analyze its properties and behavior.

Static Properties Analysis:

WannaCry is a Windows executable file written in C++ and packed with the UPX packer. UPX is a popular executable compressor used by malware authors to evade signature-based antivirus detection. The packed executable file size is around 359 KB. The UPX unpacking stub decompresses the payload and transfers control to the original code.
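As an added illustration (not code from the original post), here is a small Python triage helper that applies the static-properties check described above: it walks the PE section table and flags the `UPX0`/`UPX1` section names and the `UPX!` marker that the UPX packer leaves in the file. The PE blob it builds for itself is constructed test data, not a WannaCry sample, and the function names are my own.

```python
import struct

# Section names UPX writes when compressing a PE (heuristic, not proof of packing)
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}


def pe_section_names(data: bytes) -> list:
    """Return the section names from a PE image's section table.

    Raises ValueError if the buffer does not carry a valid MZ/PE header.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    # e_lfanew (file offset of the "PE\0\0" signature) sits at 0x3C in the DOS header
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16, 20 bytes total
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size
    names = []
    for i in range(num_sections):
        entry = table + i * 40          # IMAGE_SECTION_HEADER is 40 bytes; Name is the first 8
        raw = data[entry:entry + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """True if the section names or the 'UPX!' magic suggest a UPX-packed binary."""
    names = pe_section_names(data)
    return any(n in UPX_SECTION_NAMES for n in names) or b"UPX!" in data


def build_sample_pe(section_names) -> bytes:
    """Build a minimal, non-executable PE header blob (constructed test data)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew -> right after DOS header
    coff = bytearray(20)
    struct.pack_into("<H", coff, 0, 0x14C)            # Machine: IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", coff, 2, len(section_names))
    struct.pack_into("<H", coff, 16, 0xE0)            # SizeOfOptionalHeader for PE32
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + bytes(coff) + bytes(0xE0) + sections


if __name__ == "__main__":
    print(looks_upx_packed(build_sample_pe([b"UPX0", b"UPX1", b".rsrc"])))  # True
```

Renamed sections or a modified packer stub defeat this name-based check, so treat a hit as a reason to unpack and look further, and a miss as inconclusive.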

Behavior Analysis:

When executed, WannaCry creates a mutex to ensure that only one instance of the malware is running on an infected machine. It then begins to encrypt the files on the computer using AES encryption. The encrypted files are renamed with the .WNCRY extension, and a ransom note is created on the desktop and as a text file in each encrypted…

