Explore Joe Security Cloud Basic Accounts Contact Us
top title background image

Joe Security's Blog

Brief technical Analysis of Wannacry Ransomware Worm v2

Published on: 15.05.2017




Last Friday, May 12th 2017 cyber criminals started to spread a new ransomware. The malicious code was not highly sophisticated, it was using a recently patched SMB bug (MS17-010 also known as ETERNALBLUE) to spread. The remotely exploitable SMB bug was part of an NSA leaks series and affected XP up to Windows Server 2012. Windows 10 is not affected.

We got the sample on Friday around 6 PM and the initial analysis has released the following facts:


  • Complex installation behavior


  • Multi-language support



  • Install and uses Tor for communication






  • Programmed in C / C++, also uses VBS for some tasks


  • Makes recovery impossible



  • Encrypts files with AES 2048-bit, file appendix is WNCRYT, encrypts files everywhere






  • Creates a mutex to prevent double infection, the mutex is MsWinZonesCacheCounterMutexA0




  • Registers autostart


  • Has a kill switch / anti sandbox trick to prevent spreading and encryption (left branch skip, right branch spreading + encryption), kill domain is http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. Kill switch does not work with proxies. Kill switch was registered by the IT security blogger Malware Tech UK.




  • Does not use any anti-debugging or special anti-sandbox tricks


Full analysis data generated by Joe Sandbox 19: