Skip to content

Instantly share code, notes, and snippets.

Forked from Epivalent/
Last active March 10, 2024 11:03
Show Gist options
  • Save rain-1/989428fa5504f378b993ee6efbc0b168 to your computer and use it in GitHub Desktop.
Save rain-1/989428fa5504f378b993ee6efbc0b168 to your computer and use it in GitHub Desktop.

WannaCry|WannaDecrypt0r NSA-Cyberweapon-Powered Ransomware Worm

  • Virus Name: WannaCrypt, WannaCry, WanaCrypt0r, WCrypt, WCRY
  • Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS-17-010. It uses EternalBlue MS17-010 to propagate.
  • Ransom: between $300 to $600. There is code to 'rm' (delete) files in the virus. Seems to reset if the virus crashes.
  • Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
  • Kill switch: If the website is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).

update: A minor variant of the virus has been found, it looks to have had the killswitch hexedited out. Not done by recompile so probably not done by the original malware author. On the other hand that is the only change: the encryption keys are the same, the bitcoin addresses are the same. On the other hand it is corrupt so the ransomware aspect of it doesn't work - it only propagates.


Microsoft first patch for XP since 2014:

Killswitch source:

Exploit details:

Vulnerable/Not Vulnerable

To be infected requires the SMB port (445) to be open, or the machine already infected with DOUBLEPULSAR (and killswitch not registered or somehow blocked, or the network accessing it through a proxy).

The MS17-010 patch fixes the vulnerability.

  • Windows XP: Doesn't spread. If run manually, can encrypt files.
  • Windows 7,8,2008: can spread unpatched, can encrypt files.
  • Windows 10: Doesn't spread. Even though Windows 10 does have the faulty SMB driver.
  • Linux: Doesn't spread. If run manually with wine, can encrypt files.


Informative Tweets

Cryptography details

  • Each infection generates a new RSA-2048 keypair.
  • The public key is exported as blob and saved to 00000000.pky
  • The private key is encrypted with the ransomware public key and saved as 00000000.eky
  • Each file is encrypted using AES-128-CBC, with a unique AES key per file.
  • Each AES key is generated CryptGenRandom.
  • The AES key is encrypted using the infection specific RSA keypair.

The RSA public key used to encrypt the infection specific RSA private key is embedded inside the DLL and owned by the ransomware authors. even more in depth RE information by cyg_x1!!

Bitcoin ransom addresses

3 addresses hard coded into the malware.

C&C centers

  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion


All language ransom messages available here:

m_bulgarian, m_chinese (simplified), m_chinese (traditional), m_croatian, m_czech, m_danish, m_dutch, m_english, m_filipino, m_finnish, m_french, m_german, m_greek, m_indonesian, m_italian, m_japanese, m_korean, m_latvian, m_norwegian, m_polish, m_portuguese, m_romanian, m_russian, m_slovak, m_spanish, m_swedish, m_turkish, m_vietnamese

File types

There are a number of files and folders wannacrypt will avoid. Some because it's entirely pointless and others because it might destabilize the system. During scans, it will search the path for the following strings and skip over if present:

  • "Content.IE5"
  • "Temporary Internet Files"
  • " This folder protects against ransomware. Modifying it will reduce protection"
  • "\Local Settings\Temp"
  • "\AppData\Local\Temp"
  • "\Program Files (x86)"
  • "\Program Files"
  • "\WINDOWS"
  • "\ProgramData"
  • "\Intel"
  • "$"

The filetypes it looks for to encrypt are:

.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

credit herulume, thanks for extracting this list from the binary.

more details came from thanks to cyg_x11

Some other interesting strings

credit: nulldot

Encrypted file format

typedef struct _wc_file_t {
    char     sig[WC_SIG_LEN]     // 64 bit signature WANACRY!
    uint32_t keylen;             // length of encrypted key
    uint8_t  key[WC_ENCKEY_LEN]; // AES key encrypted with RSA
    uint32_t unknown;            // usually 3 or 4, unknown
    uint64_t datalen;            // length of file before encryption, obtained from GetFileSizeEx
    uint8_t *data;               // Ciphertext Encrypted data using AES-128 in CBC mode
} wc_file_t;

credit for reversing this file format info: cyg_x11.

Vulnerability disclosure

The specific vulnerability that it uses to propagate is ETERNALBLUE.

This was developed by "equation group" an exploit developer group associated with the NSA and leaked to the public by "the shadow brokers". Microsoft fixed this vulnerability March 14, 2017. They were not 0 days at the time of release.

Copy link

toxyl commented May 24, 2017

@dangerhacker - the results come with the decompiled C source

Copy link

marksteward commented May 25, 2017

@toxyl it's from the metadata in the translation files themselves - they're saved from Microsoft Word, so include various features you wouldn't usually see in an RTF file.

Additionally, now is doing the rounds, here's the revision information from two earlier English-only versions, showing how they deliberately set their computer clock back in later versions to obscure the compile time (but without realising it affects this):

{ author Messi}{ operator Messi}{ creatim yr2017 mo3 dy4 hr13 min33}{ revtim yr2017 mo3 dy4 hr17 min37}{ version28}{ edmins156}
{ author Messi}{ operator Messi}{ creatim yr2017 mo3 dy4 hr13 min33}{ revtim yr2016 mo5 dy11 hr14 min40}{ version30}{ edmins157}

Copy link

toxyl commented May 29, 2017

@marksteward awesome, great work, didn't even consider to check that. What pieces of data are edmins156 and edmins157? A Google search only returns results for women's leather gloves which seem to be called edmins in Russian. Is it the number of minutes since the last edit?

Copy link

toxyl commented May 29, 2017

Does anyone know where the address 17MAZ6gLmKSARyzwxskDibunkranSomYcr belongs to? I've added it to my list of addresses associated with WanaCry, but I don't remember where I got it from. Unlike the three addresses used by WanaCry this one was created at 2017-05-16 01:50:26, so 4 days after the other accounts (2017-05-12: 13:08:21, 14:43:33 and 16:34:58) and it has this glaringly obvious string DibunkranSomYcr in it.

Copy link

Yeah, edmins is edit time in minutes; creatim and revtim are creation and revision time.

Another cover of the story saying Chinese is original rather than English

Copy link

How fast is the wannacrypt0r with all files like (200-250mb)? Did someone try it on virtual machine or real?

Copy link

booy92 commented Jun 10, 2017

@phantomxe: fast. Didn't record or count it but infected a VM and it encrypted really fast. The decryption tool was also locked in no time. But needed to repartition and reinstall my laptop so don't have the VM anymore. But if you are interested I could infect it again and make a video to show the speed(won't be today, more likely wednesday or something)?

Copy link

@booy92 yes, it's be good for me. 25 files get 200-250mb and 2-3 files get 1gb. Could you take a video with system specs and cpu disk monitoring?

Copy link

I want to analyze malware wannacry, petya, and locky but from where I can these three malware to be analyzed? Can you guys tell me ??

Sent from my OPPO F1f using FastHub

Copy link

FiecyLick commented Oct 29, 2017

Toxyl, 0x7E is a windows error or an operating system

Copy link

C2 for WannaCry is down?

Copy link

erickdi commented Jan 14, 2019

So a broken version of wannacry.

accelerator_get_status was renamed to opcache_get_status
Luxe Calendar

Copy link

Msha3ry2522 commented Oct 17, 2023

A beautiful presentation. Thank you for what you wrote. I am also happy to share with you the site شرح and I am a follower of the sites you have added.. Thank you.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment